SAP Security Notes January 2015 – Review
SAP has released the monthly critical patch update for January 2015. This month, one critical vulnerability found by ERPScan researcher Nikolay Mescherin was closed.
The most critical issues
Some of our readers and clients asked us to categorize the most critical SAP vulnerabilities to patch them first. Companies providing SAP Security Assessment, SAP Vulnerability Assessment, or SAP Penetration Testing services can include these vulnerabilities in their checklists. The most critical vulnerabilities of this update can be patched by the following SAP Security Notes:
- 2113333: SAP Sybase ASE Database Platform has an SQL Injection vulnerability. An attacker can use SQL Injections with the help of specially crafted SQL queries. They can read and modify sensitive information from a database, execute administrative operations in a database, destroy data or make it unavailable. In some cases, an attacker can access system data or execute OS commands. It is recommended to install this SAP Security Note to prevent risks.
- 2098906: SAP HANA Extended Application Services has an ABAP Code Injection vulnerability. Depending on the code, an attacker can inject and run their own code, obtain additional information that should not be displayed, modify data, delete data, modify system output, create new users with higher privileges, control the system behavior. They can also potentially escalate privileges by executing malicious code or even perform a DoS attack. It is recommended to install this SAP Security Note to prevent risks.
- 2000401: SAP Dealer Portal has a Missing Authorization Check vulnerability. An attacker can use a Missing Authorization Check to access a service without any authorization procedures and use service functionality that has restricted access. This can lead to information disclosure, privilege escalation, and other attacks.It is recommended to install this SAP Security Note to prevent risks.
Issues that were patched with the help of ERPScan
The detailed list of corrected vulnerabilities that were found by ERPScan researchers is below.
- An XML eXternal Entity vulnerability in SAP Extended Computer Aided Test Tool. Update is available in SAP Security Note 2016638. An attacker can use XML eXternal Entities to send specially crafted unauthorized XML requests, which will be processed by the XML parser. The attacker will get unauthorized access to the OS filesystem.
It is highly recommended to patch all those issues to prevent business risks.
SAP has traditionally issued acknowledgments to the security researchers of ERPScan on their website. Advisories with technical details will soon be published at ERPScan.com. Checks for the issues are already available in ERPScan Security Monitoring Suite.