Close

HAVE QUESTIONS?

Contact us today.

Subscribe me to your mailing list

SAP Security Notes October 2014 – Review

SAP released its monthly critical patch update for October 2014. This month, five critical vulnerabilities found by ERPScan researchers, Alexey Tyurin, Dmitry Chastuhin, Igor Ilyin, Roman Bazhin, and Vahagn Vardanyan, were closed. Most of them are Denial of Service vulnerabilities.

The most critical issues

Our readers and clients asked us to categorize the most critical SAP vulnerabilities to patch them first. the companies that provide SAP Security Assessment, SAP Vulnerability Assessment, or SAP Penetration Testing services can include these vulnerabilities in their checklists. The most critical vulnerabilities of this update can be patched by the following SAP Security Notes:

  • 2052082: SAP Environment, Health, and Safety Management has a Directory Traversal vulnerability. An attacker can use Directory Traversal to access arbitrary files and directories located in the SAP server filesystem, including the application source code, the configuration and system files. It allows obtaining the critical technical and business-related information stored in a vulnerable SAP system.
  • 2067859: SAP Cryptographic Libraries has a problem with version. There is a critical vulnerability in the versions of SAPCRYPTOLIB, SAPSECULIB, and CommonCryptoLib components of SAP NetWeaver AS for ABAP and SAP HANA applications. The vulnerability may enable an attacker to spoof system digital signatures based on the DSA algorithm.
  • 1906212: SAP Document Management Services has a Local Command Execution. An attacker can use a Local Command Execution vulnerability for an unauthorized execution of commands. Executed commands will run with the same privileges as the service that executes the command. An attacker can access arbitrary files and directories located in the SAP server filesystem, including the application source code, the configuration, and critical system files. It allows to obtain the critical technical and business-related information stored in a vulnerable SAP system.

Issues that were patched with the help of ERPScan

The detailed list of the corrected vulnerabilities that were found by ERPScan researchers is below.

  • An SQL injection vulnerability in SAP HANA. the update is available in SAP Security Note 2067972. An attacker can use an SQL injection vulnerability with the help of specially crafted SQL queries. By exploiting this vulnerability, an internal attacker is able to change certain system configuration parameters which might lower the systems security level. Read or write access to other database data is not possible.
  • A Denial of Service vulnerability in SAProuter. The update is available in SAP Security Note 2037492. An attacker can use a Denial of Service vulnerability for terminating the process of a vulnerable component. Then, nobody will be able to use this service, which negatively influences business processes, the system downtime, and the business reputation.
  • A XML eXternal Entity vulnerability in SAP Web Service Navigator. The update is available in SAP Security Note 2045176. An attacker can use an XML eXternal Entity vulnerability to send specially crafted unauthorized XML requests which will be processed by XML parser. An attacker can use an XML eXternal Entity vulnerability to get an unauthorized access to the OS filesystem.
  • A Denial of Service vulnerability in SAP Internet Communication Manager. The update is available in SAP Security Note 1966655. An attacker can use a Denial of Service vulnerability for terminating the process of a vulnerable component. Then, nobody will be able to use this service, which negatively influences business processes, the system downtime, and the business reputation.
  • A Denial of Service vulnerability in the SAP Host Agent. The update is available in SAP Security Note 1986725. An attacker can use a Denial of Service vulnerability for terminating the process of a vulnerable component. Then, nobody will be able to use this service, which negatively influences business processes, the system downtime, and the business reputation.

It is highly recommended to patch all those issues to prevent business risks.

SAP traditionally published acknowledgements for the found vulnerabilities to the security researchers from ERPScan on their acknowledgment page.

Checks for the issues are already available in ERPScan Security Monitoring Suite. Advisories with technical details will soon be available at erpscan.com.

Do you want more?

Subscribe me to your mailing list