SAP Security Notes July 2012 – Review
SAP released monthly critical patch update for July 2012 which closes 20 vulnerabilities in SAP products (17 with high priority and 3 with medium).
The following problems were found:
- 5 missing authentification checks
- 3 XSS
- 2 information disclosures
- 1 code injection
There are not so many vulnerabilities as there usually are but some major architectual issues were closed, which we will discuss at the BlackHat USA conferecnce. They were found by ERPScan researchers Alexander Polyakov, Dmitriy Chastukhin, Alexey Tyurin and Alexander Minozhenko. The vulnerabilities affect XML parsing engines in Process Monitoring and Process Integration engines. Both vulnerabilities allow the escalation of privileges and gaining the access to the sensitive technical and business-related information stored in a vulnerable SAP system or connected systems.
The detailed list of the corrected vulnerabilities is below:
- A vulnerability in SAP Process Integration. The update is available in SAP Security Note 1723641. The criticality level is 5.0 according to CVSS. By exploiting this vulnerability, an internal or external attacker can access any file located in the SAP server file system, execute a DoS attack and exploit the connected systems. With the help of this access it is possible to obtain the sensitive technical and business-related information stored in the vulnerable SAP system.
- A vulnerability in SAP Process Monitoring. The update is available in SAP Security Note 1721309. The criticality level is 3.5 according to CVSS. By exploiting this vulnerability, an internal or external attacker will be able to access any file located in the SAP server file system. With the help of this access it is possible to obtain the sensitive technical and business-related information stored in the vulnerable SAP system.
SAP traditionally published acknowledgements for the found vulnerabilities to security researchers from ERPScan on their acknowledgement page.
It is highly recommended to patch all those issues to prevent business risks.
Exploits will be available soon in ERPScan Security Scanner, the innovative SAP vulnerability assessment solution, and ERPScan SaaS.