SAP Security Notes March 2015 – Review
SAP has released the monthly critical patch update for March 2015. This month, six critical vulnerabilities found by ERPScan researchers Dmitry Chastukhin and Vahagn Vardanyan were closed.
Issues that were patched with the help of ERPScan
The detailed list of corrected vulnerabilities that were found by ERPScan researchers is below.
- A Denial of Service vulnerability in SAP SQL Anywhere (CVSS Base Score: 6.3). Update is available in SAP Security Note 2108161. An attacker can use Denial of Service for terminating the process of a vulnerable component. Nobody will be able to use this service, which negatively influences business processes, system downtime, and business reputation as a result.
- A Missing Authorization Check vulnerability in SAP XCListener (CVSS Base Score: 6.0). Update is available in SAP Security Note 2134905. An attacker can use a Missing Authorization Check to access a service without any authorization procedures and use service functionality that has restricted access. This can lead to information disclosure, privilege escalation, and other attacks.
- An XML eXternal Entity vulnerability in SAP XML Parser (CVSS Base Score: 5.5). Update is available in SAP Security Note 2111939. An attacker can use XML eXternal Entities to send specially crafted unauthorized XML requests, which will be processed by the XML parser. The attacker will get unauthorized access to the OS file system.
- An XML eXternal Entity vulnerability in SAP Mobile Platform (CVSS Base Score: 5.0). Update is available in SAP Security Note 2125513. An attacker can use XML eXternal Entities to send specially crafted unauthorized XML requests, which will be processed by the XML parser. The attacker will get unauthorized access to the OS file system.
- An Information Disclosure vulnerability in SAP CCMS (CVSS Base Score: 5.0). Update is available in SAP Security Note 2091768. An attacker can use Information Disclosure for revealing additional information (system data, debugging information, etc.) which will help them learn more about the system and plan other attacks.
- A Buffer Overflow vulnerability in SAP Afaria 7 XcListener (CVSS Base Score: 4.3). Update is available in SAP Security Note 2132584.
An attacker can use a Buffer Overflow vulnerability for injecting specially crafted code into working memory. The code will be executed by the vulnerable application. Executed commands will run with the same privileges as the service that executed them. This can lead to taking complete control over the application, denial of service, command execution, and other attacks. In case of command execution, the attacker can obtain critical technical and business-related information stored on the vulnerable SAP system, or escalate their privileges. If denial of service happens, the process of the vulnerable component can be terminated. Nobody will be able to use this service, which negatively influences business processes, system downtime, and business reputation.
The most critical issues found by other researchers
Some of our readers and clients asked us to categorize the most critical SAP vulnerabilities to patch them first. Companies providing SAP Security Assessment, SAP Vulnerability Assessment, or SAP Penetration Testing services can include these vulnerabilities in their checklists. The most critical vulnerabilities of this update can be patched by the following SAP Security Notes:
- 2115027: SAP Afaria Server has a Cross-Site Request Forgery vulnerability (CVSS Base Score: 6.8). An attacker can use Cross-Site Request Forgery to exploit an authenticated user’s session by making a request containing a certain URL and specific parameters. The function will be executed with the authenticated user’s rights. To do this, the attacker may use a cross-site scripting vulnerability or send a specially crafted link to the attacked user. It is recommended to install this SAP Security Note to prevent risks.
- 1928951: SAP Key Mapping Service has an SQL Injection vulnerability (CVSS Base Score: 6.0). An attacker can use SQL Injections with the help of specially crafted SQL queries. They can read and modify sensitive information from a database, execute administrative operations in a database, destroy data or make it unavailable. In some cases, an attacker can access system data or execute OS commands. It is recommended to install this SAP Security Note to prevent risks.
2079002: SAP Logon Application has a Cross-Site Scripting vulnerability (CVSS Base Score: 5.8). An attacker can use Cross-Site Scripting to inject a malicious script into a page.
Reflected XSS means the attacker will have to trick the user into using a specially crafted link. As for stored XSS, a malicious script is injected and permanently stored in a page body, so the user is attacked without performing any actions.
The malicious script can access all cookies, session tokens, and other critical data stored by the browser and used for interaction with websites. The attacker can gain access to the user’s session and learn business-critical information. In some cases, it is possible to control the information, too. XSS can also be used for unauthorized modifying of displayed site content. It is recommended to install this SAP Security Note to prevent risks.
It is highly recommended to patch all those issues to prevent business risks.
SAP has traditionally issued acknowledgments to the security researchers of ERPScan on their website. Advisories with technical details will soon be published at ERPScan.com. Checks for the issues are already available in ERPScan Security Monitoring Suite.