SAP has released the monthly critical patch update for July 2014. This patch update closes a few vulnerabilities in SAP products. This month, one critical vulnerability found by ERPScan researcher Dmitry Chastukhin was closed. The most common vulnerability type this month is cross-site scripting.
The most critical issues
Some of our readers and clients asked us to single out the most critical issues so that they can be patched first. The most critical issues of this update are addressed by the following SAP Security Notes:
- 2036562: An SQL injection vulnerability in the SAP Afaria Server. An attacker can exploit an SQL injection vulnerability with specially crafted SQL queries to read and modify sensitive information in a database, execute administration actions in a database, destroy data or make it unavailable. In some cases, the attacker can also access system data or execute OS commands.
- 2028891: SAP Sybase Event Stream Processor has a remote command execution vulnerability. An attacker can use a remote command execution vulnerability to execute commands remotely without authorization. The commands run with the same privileges as the service that executes them. An attacker can access arbitrary files and directories located in an SAP server filesystem, including application source code, configuration, and critical system files. This allows the attacker to obtain critical technical and business-related information stored in a vulnerable SAP system.
- 1962104: An XSS vulnerability in SAP Web Dynpro Java Runtime. An attacker can use a cross-site scripting vulnerability to inject a malicious script into a page. With reflected XSS, the attacker has to trick the user into following a specially crafted link. With stored XSS, a malicious script is injected and permanently stored in the page body, so the user is attacked without performing any actions. The malicious script can access all cookies, session tokens, and other critical information stored by the browser and used for interaction with the vulnerable website. The attacker can gain access to the user’s session and learn business-critical information. In some cases, it is possible to get control over this information. XSS can also be used for unauthorized modification of displayed site content.
Issues that were patched with the help of ERPScan
The detailed list of corrected vulnerabilities that were found by ERPScan researchers is below.
- An XSRF vulnerability in the SAP HANA Application Lifecycle Management application. The update is available in SAP Security Note 2011169. An attacker can use a cross-site request forgery vulnerability to exploit an authenticated user’s session by making a request containing a certain URL and specific parameters. The function is then executed with the authenticated user’s rights. To do this, an attacker may use a cross-site scripting vulnerability or present a specially crafted link to the targeted user.
It is highly recommended to patch all of these issues to prevent business risks.
SAP has traditionally acknowledged security researchers from ERPScan for the vulnerabilities they found on its acknowledgement page.
Checks for the issues are already available in the ERPScan Security Monitoring Suite. Advisories with technical details will soon be available at erpscan.com.