SAP Security Notes November 2014 – Review
SAP has released the monthly critical patch update for November 2014. This month, one critical vulnerability found by ERPScan researcher Vahagn Vardanyan was closed.
The most critical issues
Some of our readers and clients asked us to categorize the most critical issues to patch them first. So, the most critical issues of this update can be patched by the following SAP Security Notes:
- 2018479: SAP Internet Graphics Server has a Buffer Overflow vulnerability. An attacker can use Buffer Overflow for injecting specially crafted code into working memory. The code will be executed by the vulnerable application. Executed commands will run with the same privileges as the service that executes them. This can lead to taking complete control over an application, denial of service, command execution, and other attacks. In case of command execution, the attacker can obtain critical technical and business-related information stored in the vulnerable SAP system or use it for privilege escalation. Speaking about denial of service, terminating the process of a vulnerable component is possible. Nobody will be able to use this service, which has a negative impact on business processes, system downtime, and business reputation. It is recommended to install this SAP Security Note to prevent risks.
- 1972093: SAP Business Objects Authentication has an XML eXternal Entity vulnerability. An attacker can use XML eXternal Entities to send specially crafted unauthorized XML requests, which will be processed by the XML parser. The attacker will be able to get unauthorized access to the OS filesystem. It is recommended to install this SAP Security Note to prevent risks.
- 1738988: SAP ABAP Dictionary has an ABAP Code Injection vulnerability. Depending on the code, the attacker can inject and run their own code, obtain additional information that should not be displayed, modify data, delete data, modify the output of the system, create new users with higher privileges, control system behavior, probably escalate privileges by executing malicious code or even performing a DoS attack. It is recommended to install this SAP Security Note to prevent risks.
Issues that were patched with the help of ERPScan
The detailed list of corrected vulnerabilities that were found by ERPScan researchers is below.
- An SMB Relay vulnerability in SAP FM ARCHIVE_ADMIN_CHECK_FILE. Update is available in SAP Security Note 2037572. An attacker can use SMB Relay to escalate their privileges up to the OS user who started the SAP server. These privileges will give the attacker unlimited access to the data stored in the SAP system. This data can be used to control all business processes and perform sensitive operations over the SAP landscape, possibly taking remote control over affected systems.
It is highly recommended to patch all those issues to prevent business risks.
SAP has traditionally issues acknowledgments to the security researchers of ERPScan on their website. Advisories with technical details will soon be published at ERPScan.com. Checks for the issues are already available in ERPScan Security Monitoring Suite.