SAP has released the monthly critical patch update for September 2012. This patch update closes 27 vulnerabilities in SAP products (two related to HOT News, which means they are the most important, 19 with high priority, 5 with medium and 1 with low).
The following issues were found:
- 9 XSS
- 4 directory traversals
- 4 missing auth checks
- 2 command execution
- 1 information disclosure
- 1 CSRF
- 5 others
Some of our readers and clients were asking us to categorize the most critical issues to patch them first. So, the most critical issues of this update can be patched by the following SAP Security Notes:
- 1744122: a complex update for the iXML Engine which should be installed to support future updates related to XML security. It must be carefully reviewed and installed together with the other related patches. This update adds security options to the iXML Engine to prevent attacks such as XXE, XML Bombs and others.
- 1576215: remote command execution through an RFC function.
- 1668224: remote command execution through an RFC function.
- 1635970, 1678732: buffer overflow in the SAP GUI application.
In this patch, some architecture issues were closed together with typical problems like XSS and missing authorization checks. As in the previous two months, the problems are related to XML. SAP closes XML signature issues in patches 1753376 and 1756978, and it is recommended to install them to prevent signature attacks on XML interfaces. Also, as I mentioned before, the iXML Engine was patched and enhanced to prevent future attacks as a result of collaboration between ERPScan researchers and SAP PSRT.
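The iXML Engine hardening described above boils down to refusing XML constructs that an attacker can abuse: entity declarations that expand exponentially (XML Bombs) and external entity references that make the parser read files or URLs (XXE). The following is an added example written for this post, not ERPScan's or SAP's code and not the iXML Engine's actual configuration; it shows the same policy implemented on top of Python's stdlib expat bindings, with small constructed sample documents to exercise it.

```python
"""Hardened XML parsing: refuse DOCTYPE and entity declarations before
anything can be expanded (XML Bomb) or fetched from outside (XXE).
Illustrative policy only; it is not the SAP iXML Engine's configuration."""
import xml.parsers.expat


class UnsafeXMLError(ValueError):
    """Raised when a document uses a construct the policy forbids."""


def parse_hardened(data: bytes) -> list[str]:
    """Parse `data` under a strict policy and return element names in document order.

    Policy:
      * any DOCTYPE declaration is refused (covers internal and external DTD subsets);
      * any entity declaration is refused, as defence in depth (blocks XML Bombs);
      * external entity references are never followed (blocks XXE).
    """
    names: list[str] = []
    parser = xml.parsers.expat.ParserCreate()

    def reject_doctype(name, system_id, public_id, has_internal_subset):
        raise UnsafeXMLError(f"DOCTYPE declaration not allowed (root={name!r})")

    def reject_entity(entity_name, is_parameter_entity, value, base,
                      system_id, public_id, notation_name):
        raise UnsafeXMLError(f"entity declaration not allowed ({entity_name!r})")

    def refuse_external(context, base, system_id, public_id):
        # Returning 0 aborts parsing instead of resolving the external resource.
        return 0

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity
    parser.ExternalEntityRefHandler = refuse_external
    parser.StartElementHandler = lambda name, attrs: names.append(name)

    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError as exc:
        # Malformed input is also rejected rather than partially processed.
        raise UnsafeXMLError(f"malformed XML: {exc}") from exc
    return names


def is_accepted(data: bytes) -> bool:
    """Convenience check: True if the policy admits the document."""
    try:
        parse_hardened(data)
        return True
    except UnsafeXMLError:
        return False


# Constructed sample inputs (not taken from any real SAP traffic).
BENIGN = b'<?xml version="1.0"?><order><item id="1">widget</item><qty>3</qty></order>'
# Two-level entity nesting: the shape of an XML Bomb, kept tiny on purpose.
BOMB = (b'<?xml version="1.0"?><!DOCTYPE d [<!ENTITY a "aaaa">'
        b'<!ENTITY b "&a;&a;&a;&a;">]><d>&b;</d>')
# External entity declaration pointing at a placeholder URI: the XXE pattern.
XXE = (b'<?xml version="1.0"?><!DOCTYPE d [<!ENTITY ext SYSTEM '
       b'"file:///placeholder/not-a-real-path">]><d>&ext;</d>')
# External DTD subset: also refused, since any DOCTYPE is out of policy.
EXT_DTD = b'<?xml version="1.0"?><!DOCTYPE d SYSTEM "http://example.invalid/d.dtd"><d/>'

if __name__ == "__main__":
    for label, doc in [("benign", BENIGN), ("bomb", BOMB), ("xxe", XXE), ("ext_dtd", EXT_DTD)]:
        print(f"{label:8s} accepted={is_accepted(doc)}")
```

Rejecting the DOCTYPE outright is the simplest robust rule; the separate entity-declaration handler only matters if a deployment decides to admit DOCTYPEs for schema validation, in which case it still blocks the expansion and external-entity cases.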
Some of the other issues were found by ERPScan researcher Alexey Tyurin.
The detailed list of corrected vulnerabilities is below:
- An XXE vulnerability in SAP NetWeaver. An update is available in SAP Security Note 1621534. The CVSS criticality score is 4.9.
SAP has traditionally published acknowledgements to ERPScan security researchers for the vulnerabilities they found on its acknowledgement page.
It is highly recommended to patch all of these issues to prevent business risks.
Checks for the new issues are available in ERPScan – the innovative SAP vulnerability assessment solution.