SAP released its monthly critical patch update for September 2012 which closes 27 vulnerabilities in SAP products (two related to HOT News, which means they are the most critical, 19 with high priority, 5 with medium and 1 with low).
The following issues were found:
- 9 XSS
- 4 directory traversals
- 4 missing authentification checks
- 2 command execution
- 1 information disclosure
- 1 CSRF
- 5 others
Some of our readers and clients were asking to categorize the most critical issues to patch them first. So, the most critical issues of this update can be patched by the following SAP Security Notes:
1744122: a complex update for iXML Engine which should be installed to support future updates related to XML Security. Must be carefully reviewed and installed with other related patches. This update installs additional security options to iXML Engine for preventing such attacks as XXE, XML Bombs and others. 1576215: a remote command execution through an RFC function. 1668224: a remote command execution through an RFC function. 1635970 1678732: a buffer overflow in SAP GUI application.
In this patch, some architectural issues were closed together with typical vulnerabilities like XSS and missing auth checks. Like in the two previous months, the loopholes are related to XML. SAP closes XML signature issues in patch 1753376 and patch 1756978, and it is recommended to install them to prevent signature attacks on XML interfaces. Also, as I mentioned before, iXML Engine was patched and enhanced to prevent future attacks as the result of the collaboration of ERPScan researchers and SAP PSRT.
Some of the other issues were found by ERPScan researcher Alexey Tyurin.
The detailed list of the corrected vulnerabilities is below:
- An XXE vulnerability in SAP NetWeaver. The update is available in SAP Security Note 1621534. The criticality level is 4.9 according to CVSS.
SAP traditionally published acknowledgements for the found vulnerabilities to security researchers from ERPScan on their acknowledgement page.
It is highly recommended to patch all those issues to prevent business risks.
Checks for the new issues are available in ERPScan, the innovative SAP vulnerability assessment solution.