
SAP Security Notes October 2014 – Review

SAP has released the monthly critical patch update for October 2014. This month, five critical vulnerabilities found by ERPScan researchers, Alexey Tyurin, Dmitry Chastuhin, Igor Ilyin, Roman Bazhin, and Vahagn Vardanyan, were closed. Most of them are Denial of Service.

The most critical issues

Some of our readers and clients asked us to categorize the most critical SAP vulnerabilities to patch them first. Companies providing SAP Security Assessment, SAP Vulnerability Assessment, or SAP Penetration Testing services can include these vulnerabilities in their checklists. The most critical vulnerabilities of this update can be patched by the following SAP Security Notes:

  • 2052082: SAP Environment, Health, and Safety Management has a Directory Traversal vulnerability. An attacker can use Directory Traversal to access arbitrary files and directories located in the SAP server filesystem, including application source code, configuration and system files. This allows an attacker to obtain critical technical and business-related information stored in a vulnerable SAP system.
  • 2067859: SAP Cryptographic Libraries have a versioning problem. There is a critical vulnerability in the affected versions of the SAPCRYPTOLIB, SAPSECULIB, and CommonCryptoLib components of SAP NetWeaver AS for ABAP and SAP HANA applications. The vulnerability may enable an attacker to spoof system digital signatures based on the DSA algorithm.
  • 1906212: SAP Document Management Services has a Local Command Execution vulnerability. An attacker can use a Local Command Execution vulnerability for unauthorized execution of commands. Executed commands will run with the same privileges as the service that executes the command. An attacker can access arbitrary files and directories located in the SAP server filesystem, including application source code, configuration, and critical system files. This allows an attacker to obtain critical technical and business-related information stored in a vulnerable SAP system.

Issues that were patched with the help of ERPScan

The detailed list of corrected vulnerabilities that were found by ERPScan researchers is below.

  • An SQL injection vulnerability in SAP HANA. An update is available in SAP Security Note 2067972. An attacker can exploit the SQL injection vulnerability with the help of specially crafted SQL queries. By exploiting this vulnerability, an internal attacker is able to change certain system configuration parameters, which might lower the system's security level. Read or write access to other database data is not possible.
  • A Denial of Service vulnerability in SAProuter. An update is available in SAP Security Note 2037492. An attacker can use a Denial of Service vulnerability to terminate the process of the vulnerable component. Nobody will then be able to use this service, which disrupts business processes, causes system downtime, and harms business reputation.
  • An XML eXternal Entity vulnerability in SAP Web Service Navigator. An update is available in SAP Security Note 2045176. An attacker can use an XML eXternal Entity vulnerability to send specially crafted unauthorized XML requests, which will be processed by the XML parser. An attacker can use an XML eXternal Entity vulnerability to gain unauthorized access to the OS filesystem.
  • A Denial of Service vulnerability in SAP Internet Communication Manager. An update is available in SAP Security Note 1966655. An attacker can use a Denial of Service vulnerability to terminate the process of the vulnerable component. Nobody will then be able to use this service, which disrupts business processes, causes system downtime, and harms business reputation.
  • A Denial of Service vulnerability in the SAP Host Agent. An update is available in SAP Security Note 1986725. An attacker can use a Denial of Service vulnerability to terminate the process of the vulnerable component. Nobody will then be able to use this service, which disrupts business processes, causes system downtime, and harms business reputation.

It is highly recommended to patch all of these issues to prevent business risks.

SAP has traditionally sent acknowledgements for the vulnerabilities found by ERPScan's security researchers on its acknowledgment page.

Checks for the issues are already available in ERPScan Security Monitoring Suite. Advisories with technical details will soon be available at erpscan.com.