SAP released its monthly critical patch update for July 2014, which closes a few vulnerabilities in SAP products. This month one critical vulnerability found by ERPScan researcher Dmitry Chastukhin was closed. The most common vulnerability type this month is Cross-Site Scripting.
The most critical issues
Some of our readers and clients asked us to categorize the most critical issues so that they can patch them first. The most critical issues of this update can be patched by applying the following SAP Security Notes:
- 2036562: An SQL Injection vulnerability in the SAP Afaria Server. An attacker can exploit the SQL injection with specially crafted SQL queries to read and modify sensitive information in the database, execute administrative actions in the database, destroy the data, or make it unavailable. In some cases, an attacker can also access system data or execute OS commands.
- 2028891: A remote command execution vulnerability in SAP Sybase Event Stream Processor. An attacker can use it to execute commands remotely without authorization; these commands run with the same privileges as the service that executed them. An attacker can access arbitrary files and directories in the SAP server filesystem, including application source code, the configuration, and critical system files, and thereby obtain critical technical and business-related information stored in the vulnerable SAP system.
- 1962104: An XSS vulnerability in SAP Web Dynpro Java Runtime. An attacker can use a Cross-Site Scripting vulnerability to inject a malicious script into a page. With reflected XSS, the attacker has to trick the user into opening a specially crafted link. With stored XSS, the malicious script is injected and permanently stored in the page body, so the user is attacked without performing any action. The malicious script can access all cookies, session tokens, and other critical information stored by the browser and used for interaction with the vulnerable website. The attacker can gain access to the user's session and learn business-critical information; in some cases, it is possible to get control over this information. XSS can also be used to modify the displayed site content without authorization.
Issues that were patched with the help of ERPScan
The detailed list of the corrected vulnerabilities found by ERPScan researchers is below.
- An XSRF vulnerability in the SAP HANA Application Lifecycle Management application. The update is available in SAP Security Note 2011169. An attacker can use a Cross-Site Request Forgery vulnerability to exploit an authenticated user's session by making the victim's browser send a request to a certain URL with specific parameters; the targeted function is then executed with the authenticated user's rights. An attacker may use a Cross-Site Scripting vulnerability to do this, or they can present a specially crafted link to the victim.
It is highly recommended to patch all these issues to prevent business risks.
SAP has traditionally published acknowledgements of the vulnerabilities found by ERPScan security researchers on its acknowledgement page.
Checks for the issues are already available in ERPScan Security Monitoring Suite. Advisories with technical details will soon be available at erpscan.com.