SAP released its monthly critical patch update for February 2015. This month, four critical vulnerabilities found by ERPScan researchers Dmitry Chastukhin, Dmitry Evdokimov, George Nosenko, and Vahagn Vardanyan were closed.
The most critical issues
Some of our readers and clients asked us to single out the most critical issues so that they can be patched first. The most critical issues in this update are addressed by the following SAP Security Notes:
- 2111541: SAP Data Basis has an SQL Injection vulnerability. An attacker can exploit SQL Injection by sending specially crafted SQL queries. They can read and modify sensitive information in a database, execute administrative operations on the database, destroy the data or make it unavailable. In some cases, an attacker can access system data or execute OS commands. It is recommended to install this SAP Security Note to prevent risks.
- 2114316: SAP Mobile On Premise Core Services has a Cross-Site Request Forgery vulnerability. An attacker can use Cross-Site Request Forgery to exploit an authenticated user’s session by making a request containing a certain URL and specific parameters. The function will be executed with the authenticated user’s rights. To do this, the attacker may use a Cross-Site Scripting vulnerability or send a specially crafted link to a victim. It is recommended to install this SAP Security Note to prevent risks.
- 2099500: SAP SPNego Wizard has a Missing Authorization Check vulnerability. An attacker can use a Missing Authorization Check to access a service without any authorization procedures and use service functionality that has restricted access. This can lead to information disclosure, privilege escalation, and other attacks. It is recommended to install this SAP Security Note to prevent risks.
Issues that were patched with the help of ERPScan
The detailed list of the corrected vulnerabilities that were found by ERPScan researchers is below.
- An XML eXternal Entity vulnerability in SAP Mobile Platform on Premise. The update is available in SAP Security Note 2125358. An attacker can use XML eXternal Entities to send specially crafted unauthorized XML requests, which will be processed by the XML parser. The attacker will get unauthorized access to the OS filesystem.
- An XML eXternal Entity vulnerability in SAP XML Parser. The update is available in SAP Security Note 2093966. An attacker can use XML eXternal Entities to send specially crafted unauthorized XML requests, which will be processed by the XML parser. The attacker will get unauthorized access to the OS filesystem.
- A Remote Command Execution vulnerability in SAP Profile Maintenance. The update is available in SAP Security Note 2063369. An attacker can use Remote Command Execution to execute commands remotely without authorization, under the privileges of the service that executes the command. The attacker will be able to access arbitrary files and directories located in the SAP server filesystem, including the application source code, the configuration, and critical system files. This allows the attacker to obtain critical technical and business-related information stored in the vulnerable SAP system.
- An implementation flaw vulnerability in SAP Electronic Medical Record Android. The update is available in SAP Security Note 2117079. The server connection settings of the application can be changed after their initial import so that the user may get connected to a malicious system. The threat exists only if the user confirms the settings changes, but the attacker can show this confirmation window infinitely until the user clicks OK. Patches solve configuration errors, add new functionality, and increase system stability.
It is highly recommended to patch all of these issues to prevent business risks.
SAP traditionally published acknowledgments to the security researchers of ERPScan on their website. Advisories with technical details will soon be published at ERPScan.com. Checks for the issues are already available in ERPScan Security Monitoring Suite.