SAP released its monthly critical patch update for November 2011, which closes many vulnerabilities in SAP products. Six of those vulnerabilities were found by various external experts, and as usual Dmitriy Chastuchin and Alexey Tyurin, ERPScan researchers, are among them.
SAP published acknowledgements for the vulnerabilities found by ERPScan researchers on its acknowledgement page.
The detailed list of corrected vulnerabilities is below:
- Missing authorization checks in SAP transactions. The update is available in SAP Security Note 1595074. The criticality according to CVSS is 6.0. An attacker can remotely execute a vulnerable transaction, program or RFC function without authentication because the authorization check is missing. This can lead to a range of threats, from information disclosure to full system compromise.
- XSS vulnerabilities in various SAP applications. The update is available in SAP Security Note 1583300. The criticality according to CVSS is 4.3. An attacker can exploit an XSS vulnerability by sending a link containing a malicious script to an unaware user via e-mail, instant messaging or social networks. The attacker can thus hijack the user's session and gain control over the business-critical information that the victim is able to access.
- A directory traversal vulnerability in CRM. The update is available in SAP Security Note 1585527. The criticality according to CVSS is 2.1. By exploiting this vulnerability, an internal attacker can access any file located in the SAP server's file system. With this access it is possible to obtain sensitive technical and business-related information stored in the vulnerable SAP system.
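To illustrate the first class of issue, here is an added example (not code from the original advisory, from SAP or from ERPScan) of a remote-enabled ABAP function module shown in its vulnerable form, without any authorization check, and in a hardened form that checks the caller against the standard customer authorization object F_KNA1_BUK before reading data; the module name, its parameters and the choice of authorization object are assumptions made for illustration.

```abap
* Added illustration: a remote-enabled function module (RFC flag set in
* SE37 attributes) that returns customer master data. Names starting
* with Z_ are hypothetical.
FUNCTION z_get_customer_address.
*"----------------------------------------------------------------------
*"*"Local Interface:
*"  IMPORTING
*"     VALUE(iv_kunnr) TYPE kunnr
*"  EXPORTING
*"     VALUE(es_kna1) TYPE kna1
*"  EXCEPTIONS
*"      not_authorized
*"      not_found
*"----------------------------------------------------------------------
* VULNERABLE VARIANT (what a "missing authorization check" looks like):
* the module is callable via RFC and reads the table straight away, so
* any caller who can reach the RFC interface obtains the data.
*  SELECT SINGLE * FROM kna1 INTO es_kna1 WHERE kunnr = iv_kunnr.

* HARDENED VARIANT: verify the caller's authorization for the customer's
* company code before touching the data.
  DATA lv_bukrs TYPE bukrs.

  " F_KNA1_BUK is checked per company code, so look the company code up
  " in the customer/company-code table first.
  SELECT SINGLE bukrs FROM knb1 INTO lv_bukrs WHERE kunnr = iv_kunnr.
  IF sy-subrc <> 0.
    RAISE not_found.
  ENDIF.

  AUTHORITY-CHECK OBJECT 'F_KNA1_BUK'
    ID 'BUKRS' FIELD lv_bukrs
    ID 'ACTVT' FIELD '03'.          " activity 03 = display
  IF sy-subrc <> 0.
    RAISE not_authorized.           " caller lacks display authorization
  ENDIF.

  " Only reached for an authorized caller.
  SELECT SINGLE * FROM kna1 INTO es_kna1 WHERE kunnr = iv_kunnr.
  IF sy-subrc <> 0.
    RAISE not_found.
  ENDIF.
ENDFUNCTION.
```

Selecting a single company code is a simplification; a customer extended to several company codes needs the check performed for the code actually being requested.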
It is highly recommended to apply all of these patches to prevent business risks. Solutions for these issues are available in SAP Security Notes 1585527, 1583300 and 1595074. Advisories with technical details for these issues will be published on erpscan.com in 3 months. Exploits will be available soon in ERPScan Security Scanner, an innovative SAP vulnerability assessment solution, and in ERPScan SaaS.