SAP released its monthly critical patch update for November 2011. This patch update closes many vulnerabilities in SAP products. 6 of those vulnerabilities were found by different experts. As usual, ERPScan researchers Dmitriy Chastuchin and Alexey Tuyrin are among them.
As is traditional, SAP acknowledged the security researchers from ERPScan for the vulnerabilities they found on its acknowledgement page.
A detailed list of the corrected vulnerabilities is below:
- Missing authorization checks in SAP transactions. The update is available in SAP Security Note 1595074. Criticality according to CVSS is 6.0. An attacker can execute a vulnerable transaction, program or RFC function remotely without authentication because the authorization check is missing. This can lead to different threats, from information disclosure to full system compromise.
- XSS vulnerabilities in different SAP applications. The update is available in SAP Security Note 1583300. Criticality according to CVSS is 4.3. An attacker can exploit an XSS vulnerability by sending a link to a malicious script to an unaware user via e-mail, messaging or social networks. The attacker can thus gain access to the user's session and gain control of the business-critical information that the victim can access.
- Directory traversal vulnerability in CRM. The update is available in SAP Security Note 1585527. Criticality according to CVSS is 2.1. By exploiting this vulnerability, an internal attacker will be able to access any files located in the SAP server file system. With this access it is possible to obtain sensitive technical and business-related information stored in the vulnerable SAP system.
It is highly recommended to patch all of these issues to prevent business risks. Solutions for these issues are available in SAP Security Notes 1585527, 1583300 and 1595074. Advisories for these issues, with technical details, will be available in 3 months on erpscan.com. Exploits will be available soon in ERPScan Security Scanner, an innovative SAP vulnerability assessment solution, and in ERPScan SaaS.