SAP has released the monthly critical patch update for February 2015. This month, four critical vulnerabilities found by ERPScan researchers Dmitry Chastukhin, Dmitry Evdokimov, George Nosenko, and Vahagn Vardanyan were closed.
The most critical issues
Some of our readers and clients asked us to categorize the most critical issues to patch them first. So, the most critical issues of this update can be patched by the following SAP Security Notes:
- 2111541: SAP Data Basis has an SQL Injection vulnerability. An attacker can use SQL Injections with the help of specially crafted SQL queries. They can read and modify sensitive information from a database, execute administrative operations in a database, destroy data or make it unavailable. In some cases, an attacker can access system data or execute OS commands. It is recommended to install this SAP Security Note to prevent risks.
- 2114316: SAP Mobile On Premise Core Services has a cross-site request forgery vulnerability. An attacker can use Cross-Site Request Forgery to exploit an authenticated user's session by making a request containing a certain URL and specific parameters. The function will be executed with the authenticated user's rights. To do this, the attacker may use a cross-site scripting vulnerability or send a specially crafted link to the attacked user. It is recommended to install this SAP Security Note to prevent risks.
- 2099500: SAP SPNego Wizard has a Missing Authorization Check vulnerability. An attacker can use a Missing Authorization Check to access a service without any authorization procedures and use service functionality that has restricted access. This can lead to information disclosure, privilege escalation, and other attacks. It is recommended to install this SAP Security Note to prevent risks.
Issues that were patched with the help of ERPScan
The detailed list of corrected vulnerabilities that were found by ERPScan researchers is below.
- An XML eXternal Entity vulnerability in SAP Mobile Platform on Premise. An update is available in SAP Security Note 2125358. An attacker can use XML eXternal Entities to send specially crafted unauthorized XML requests, which will be processed by the XML parser. The attacker will get unauthorized access to the OS filesystem.
- An XML eXternal Entity vulnerability in SAP XML Parser. An update is available in SAP Security Note 2093966. An attacker can use XML eXternal Entities to send specially crafted unauthorized XML requests, which will be processed by the XML parser. The attacker will get unauthorized access to the OS filesystem.
- A Remote Command Execution vulnerability in SAP Profile Maintenance. An update is available in SAP Security Note 2063369. An attacker can use Remote Command Execution to execute commands remotely without authorization, under the privileges of the service that executes the command. The attacker will be able to access arbitrary files and directories located in the SAP server filesystem, including application source code, configuration, and critical system files. This allows an attacker to obtain critical technical and business-related information stored in the vulnerable SAP system.
- An implementation flaw vulnerability in SAP Electronic Medical Record Android. An update is available in SAP Security Note 2117079. The server connection settings of the application can be changed after their initial import, so that the user may get connected to a malicious system. The threat exists only if the user confirms the settings change, but the attacker can display this confirmation window repeatedly until the user clicks OK. Patches solve configuration errors, add new functionality, and increase system stability.
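As an added defensive illustration (not part of the SAP notes or of ERPScan's own code), the following Python parser configuration refuses the external-entity constructs behind the two XXE issues listed above while still accepting ordinary requests; the order/customer documents are constructed samples, and the handler and constant names come from Python's standard `xml.parsers.expat` module.

```python
import xml.parsers.expat as expat

class UnsafeXmlRejected(ValueError):
    """Raised when untrusted XML tries to use DTD or entity features."""

def parse_untrusted_xml(data: bytes) -> list:
    """Parse untrusted XML with every entity mechanism switched off: a DOCTYPE,
    entity declaration or external entity reference aborts the parse, so a crafted
    document cannot make the parser read local files. Returns [(tag, text)] leaves."""
    parser = expat.ParserCreate()
    leaves, stack = [], []  # stack: open elements with their accumulated text

    def reject(*_args):
        raise UnsafeXmlRejected("DTD/entity constructs are not allowed")

    parser.StartDoctypeDeclHandler = reject   # no DTD: nowhere to define entities
    parser.EntityDeclHandler = reject         # defence in depth
    parser.ExternalEntityRefHandler = reject  # never resolve SYSTEM/PUBLIC ids
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def start(name, _attrs):
        stack.append([name, ""])

    def chars(text):  # expat may deliver one text node in several chunks
        if stack:
            stack[-1][1] += text

    def end(_name):
        name, text = stack.pop()
        if text.strip():
            leaves.append((name, text.strip()))

    parser.StartElementHandler = start
    parser.CharacterDataHandler = chars
    parser.EndElementHandler = end
    parser.Parse(data, True)
    return leaves

def is_safe_xml(data: bytes) -> bool:
    try:
        parse_untrusted_xml(data)
        return True
    except UnsafeXmlRejected:
        return False

# Constructed samples: a normal request and the XXE pattern the notes describe.
BENIGN_XML = b'<?xml version="1.0"?><order><id>42</id><customer>Example AG</customer></order>'
XXE_XML = (b'<?xml version="1.0"?><!DOCTYPE order [<!ENTITY ext SYSTEM "file:///etc/passwd">]>'
           b'<order><id>&ext;</id></order>')
```

Malformed XML still raises the parser's own `ExpatError`; only documents that reach for DTD or entity features are reported as unsafe.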
It is highly recommended to patch all those issues to prevent business risks.
SAP has traditionally issued acknowledgments to the security researchers of ERPScan on their website. Advisories with technical details will soon be published at ERPScan.com. Checks for the issues are already available in ERPScan Security Monitoring Suite.