SAP Security Notes February 2014 – Review
SAP has released the monthly critical patch update for February 2014. This patch update closes a number of vulnerabilities in SAP products. This month, one vulnerability with medium risk, one critical vulnerability, and one interesting vulnerability found by ERPScan researcher Alexander Polyakov were closed. SAP has combined two of the vulnerabilities in one SAP Security Note.
The most critical issues
Some of our readers and clients asked us to categorize the most critical SAP vulnerabilities to patch them first. Companies providing SAP Security Assessment, SAP Vulnerability Assessment, or SAP Penetration Testing services can include these vulnerabilities in their checklists. The most critical vulnerabilities of this update can be patched by the following SAP Security Notes:
- 1911174: SAP CCMS is vulnerable to a critical issue. It is recommended to install this SAP Security Note to prevent risks.
- 1905408: SAP BI-RA-CR is vulnerable to a critical issue. It is recommended to install this SAP Security Note to prevent risks.
- 1945300: SAP QM-IM is vulnerable to a critical issue. It is recommended to install this SAP Security Note to prevent risks.
Issues that were patched with the help of ERPScan
The detailed list of corrected vulnerabilities that were found by ERPScan researchers is below.
- An XSS vulnerability in the SAP Workflow Modeler application. The update is available in SAP Security Note 1860923. An attacker can modify displayed application content without authorization and steal authentication data (cookies).
- A Missing Authorization Check vulnerability in the SAP Workflow Modeler application. The update is available in SAP Security Note 1860923. An attacker can scan internal servers and open ports remotely. Depending on the reply from the server, the attacker can find live hosts, identify open ports, brute-force accounts, or simply lock them out through repeated unsuccessful login attempts.
- An OS Command Execution vulnerability in the SAP CTC application. The update is available in SAP Security Note 1963100. An attacker can use this vulnerability to execute operating system commands, which run with the same privileges as the service that executes them. An attacker can also access arbitrary files and directories in the SAP server file system, including application source code, configuration, and critical system files.
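The Missing Authorization Check item above describes an application being abused as a pivot to scan internal hosts and ports. One way a defender can spot that behaviour from the application host's side is to look for scan-like fan-out: one source opening connections to many distinct host:port targets in a short window. The following is an added example written for this review, not code from ERPScan or SAP; the log format, host names, addresses and thresholds are constructed.

```python
"""Flag scan-like outbound connection fan-out from an application host.

Added example (not ERPScan's or SAP's code). The log format below is
constructed: "<ISO timestamp> <source host> -> <dst_host>:<dst_port> <result>".
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

# Constructed sample: sapapp01 sweeps three internal hosts in a few seconds,
# sapapp02 shows ordinary, sparse traffic to a database and a mail relay.
SAMPLE_LOG = """\
2014-02-12T10:00:01 sapapp01 -> 10.0.5.10:21 refused
2014-02-12T10:00:01 sapapp01 -> 10.0.5.10:22 open
2014-02-12T10:00:02 sapapp01 -> 10.0.5.10:23 refused
2014-02-12T10:00:02 sapapp01 -> 10.0.5.10:25 refused
2014-02-12T10:00:03 sapapp01 -> 10.0.5.10:80 open
2014-02-12T10:00:03 sapapp01 -> 10.0.5.10:443 timeout
2014-02-12T10:00:04 sapapp01 -> 10.0.5.10:3389 refused
2014-02-12T10:00:04 sapapp01 -> 10.0.5.11:22 open
2014-02-12T10:00:05 sapapp01 -> 10.0.5.11:80 refused
2014-02-12T10:00:05 sapapp01 -> 10.0.5.11:3300 open
2014-02-12T10:00:06 sapapp01 -> 10.0.5.12:3300 open
2014-02-12T10:00:06 sapapp01 -> 10.0.5.12:3301 refused
2014-02-12T10:00:07 sapapp01 -> 10.0.5.10:22 open
2014-02-12T10:01:00 sapapp02 -> 10.0.9.5:1433 open
2014-02-12T10:05:00 sapapp02 -> 10.0.9.7:25 open
2014-02-12T10:09:00 sapapp02 -> 10.0.9.5:1433 open
"""

Target = Tuple[str, int]


def parse_line(line: str) -> Tuple[datetime, str, str, int, str]:
    """Split one constructed log line into (timestamp, src, dst_host, dst_port, result)."""
    ts, src, _arrow, dst, result = line.split()
    host, port = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, host, int(port), result


def max_fan_out(events: List[Tuple[datetime, Target]], window_seconds: int) -> int:
    """Largest number of distinct targets seen in any sliding window.

    `events` must be sorted by timestamp. Repeated connections to the same
    host:port do not inflate the count; only new targets do.
    """
    best = 0
    window: Deque[Tuple[datetime, Target]] = deque()
    live: Dict[Target, int] = defaultdict(int)
    for ts, target in events:
        window.append((ts, target))
        live[target] += 1
        # Evict events that fell out of the window, dropping targets no longer present.
        while ts - window[0][0] > timedelta(seconds=window_seconds):
            old_ts, old_target = window.popleft()
            live[old_target] -= 1
            if live[old_target] == 0:
                del live[old_target]
        best = max(best, len(live))
    return best


def detect_scan_fan_out(log_text: str, window_seconds: int = 60, threshold: int = 10) -> Dict[str, int]:
    """Return {source_host: max_distinct_targets} for sources exceeding the threshold."""
    per_src: Dict[str, List[Tuple[datetime, Target]]] = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, host, port, _result = parse_line(line)
        per_src[src].append((ts, (host, port)))
    alerts: Dict[str, int] = {}
    for src, events in per_src.items():
        events.sort()
        fan_out = max_fan_out(events, window_seconds)
        if fan_out >= threshold:
            alerts[src] = fan_out
    return alerts


if __name__ == "__main__":
    for src, count in detect_scan_fan_out(SAMPLE_LOG).items():
        print(f"ALERT {src}: {count} distinct targets within 60 s")
```

The threshold and window are tuning knobs: an application server that legitimately talks to many backends needs a baseline of its normal distinct-target count per window before a value is chosen, otherwise the rule will fire on ordinary traffic. Counting distinct targets rather than raw connection attempts keeps a busy but legitimate connection to one backend from looking like a sweep.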
It is highly recommended to patch all of these issues to prevent business risks.
SAP has traditionally acknowledged vulnerabilities found by ERPScan researchers on its acknowledgement page.
Checks for the issues are already available in ERPScan Security Monitoring Suite. Advisories with technical details will soon be available at erpscan.com.