SAP released its monthly critical patch update for November 2014. This month, one critical vulnerability found by ERPScan researcher Vahagn Vardanyan was closed.
The most critical issues
Our readers and clients asked us to categorize the most critical issues to patch them first. The most critical ones of this update can be patched by the following SAP Security Notes:
- 2018479: SAP Internet Graphics Server has a Buffer Overflow vulnerability. An attacker can use Buffer Overflow for injecting specially crafted code into working memory. The code will be executed by the vulnerable application. Executed commands will run with the same privileges as the service that executes them. This can lead to taking the complete control over an application, the denial of service, the command execution, and other attacks. In case of the command execution, the attacker can obtain the critical technical and business-related information stored in the vulnerable SAP system or use it for the privilege escalation. Speaking about the denial of service, terminating the process of a vulnerable component is possible. Nobody will be able to use this service, which has a negative impact on business processes, the system downtime, and the business reputation. It is recommended to install this SAP Security Note to prevent risks.
- 1972093: SAP Business Objects Authentication has an XML eXternal Entity vulnerability. An attacker can use XML eXternal Entities to send specially crafted unauthorized XML requests, which will be processed by the XML parser. The attacker will be able to get an unauthorized access to the OS filesystem. It is recommended to install this SAP Security Note to prevent risks.
- 1738988: SAP ABAP Dictionary has an ABAP Code Injection vulnerability. Depending on the code, the attacker can inject and run their own code, obtain the additional information that should not be displayed, modify or delete any data, modify the output of the system, create new users with higher privileges, control the system behavior, probably escalate privileges by executing malicious code or even performing a DoS attack. It is recommended to install this SAP Security Note to prevent risks.
Issues that were patched with the help of ERPScan
The detailed list of the corrected vulnerabilities that were found by ERPScan researchers is below.
- An SMB Relay vulnerability in SAP FM ARCHIVE_ADMIN_CHECK_FILE. The update is available in SAP Security Note 2037572. An attacker can use SMB Relay to escalate their privileges up to the OS user who started the SAP server. These privileges will give the attacker an unlimited access to the data stored in the SAP system. This data can be used to control all the business processes and perform sensitive operations over the SAP landscape, possibly taking a remote control over the affected systems.
It is highly recommended to patch all those issues to prevent business risks.
SAP traditionally published acknowledgments to the security researchers of ERPScan on their website. Advisories with technical details will soon be published at ERPScan.com. Checks for the issues are already available in ERPScan Security Monitoring Suite.