SAP released its monthly critical patch update for December 2011, which closes many vulnerabilities in SAP products. Many of those vulnerabilities were found by different experts. Traditionally, ERPScan researchers Alexander Polyakov, Dmitriy Chastuchin and Alexey Tuyrin are among them, with 6 newly found vulnerabilities.
SAP published acknowledgements to the security researchers from ERPScan for the found vulnerabilities on its acknowledgement page.
A detailed list of the corrected vulnerabilities is below:
- Multiple XSS vulnerabilities in different applications of NetWeaver J2EE Engine and Crystal Reports. The update is available in SAP Security Notes 1568003, 1584030, 1647871. The criticality according to CVSS is 4.3. An attacker can exploit an XSS vulnerability by sending a link to a malicious script to an unsuspecting user via e-mail, messaging or social networks. The attacker can thus gain access to the user's session and control over the business-critical information that the victim can access.
- Denial of Service in BW. The update is available in SAP Security Note 1594475. The criticality according to CVSS is 4.0. A remote attacker can send a malicious packet to the SAP NetWeaver server via the Internet or from inside a company and conduct a denial of service attack by resource exhaustion. This will stop the server and all business processes running on it, which can lead to monetary and reputation loss.
- SMBRelay vulnerability in BW. The update is available in SAP Security Note 1594475. The criticality according to CVSS is 4.0. By exploiting this vulnerability, an internal or external attacker will be able to get access to the OS. With the help of this access, it is possible to obtain sensitive technical and business-related information stored in the vulnerable SAP system.
- Directory Traversal in SAP Portal. The update is available in SAP Security Note 1630293. The criticality according to CVSS is 2.1. By exploiting this vulnerability, an internal attacker will be able to get access to any files located in the SAP Portal server file system. With the help of this access, it is possible to obtain sensitive technical and business-related information stored in the vulnerable SAP system.
It is highly recommended to patch all of these issues to prevent business risks.
Solutions for these issues are available in SAP Security Notes 1568003, 1584030, 1647871, 1594475 and 1630293.
Advisories for these issues with technical details will be available in 3 months on erpscan.com.
Exploits will be available soon in ERPScan Security Scanner, an innovative SAP vulnerability assessment solution, and ERPScan SaaS.