
SAP Cyber Threat Intelligence report – August 2016

The SAP threat landscape keeps growing, putting organizations of all sizes and industries at risk of cyberattacks. The SAP Cyber Threat Intelligence report provides insight into the latest security threats and vulnerabilities.

Key findings

  • The SAP Cyber Threat Report 2016 was released. 36000 SAP systems worldwide are potentially affected. Read more insights here.
  • Today SAP released 30 SAP Security Notes to close vulnerabilities in SAP products, more than the average number for 2016.
  • Some of the vulnerabilities closed by these SAP Security Notes pose significant risks. For instance, a Denial of Service vulnerability in SAP Internet Communication Manager can be exploited remotely without authentication. About 560 such servers are exposed to the Internet and are therefore potentially vulnerable to this attack.

SAP Security Notes – August 2016

SAP has released the monthly critical patch update for August 2016. This patch update closes 30 vulnerabilities in SAP products, including 26 SAP Security Patch Day Notes and 4 Support Package Notes. 17 of the Notes were released after the second Tuesday of the previous month and before the second Tuesday of this month. 14 of the Notes are updates to previously released Security Notes.

14 of the released SAP Security Notes have a high priority rating and 1 has a Hot News rating. The highest CVSS score among the vulnerabilities is 7.5.

SAP Security Notes August 2016 by priority

The most common vulnerability type is Cross-site scripting.

SAP Security Notes August 2016 by type

Issues that were patched with the help of ERPScan

This month, 4 critical vulnerabilities identified by ERPScan’s researchers Daria Prosochkina, Mathieu Geli, and Vahagn Vardanyan were closed.

Below are the details of the SAP vulnerabilities identified by ERPScan researchers.

  • A Denial of Service vulnerability in SAP Internet Communication Manager (CVSS Base Score: 7.5). An update is available in SAP Security Note 2313835. An attacker can use a Denial of Service vulnerability to terminate a process of the vulnerable component. While the process is down nobody can use the service, which disrupts business processes, causes system downtime and, as a result, damages business reputation.
  • A Denial of Service vulnerability in SAP BPM (CVSS Base Score: 6.4). An update is available in SAP Security Note 2296909. An attacker can use a Denial of Service vulnerability to terminate a process of the vulnerable component. While the process is down nobody can use the service, which disrupts business processes, causes system downtime and, as a result, damages business reputation.
  • A Directory Traversal vulnerability in SAP Business Partner (CVSS Base Score: 4.3). An update is available in SAP Security Note 2312966. An attacker can use a Directory Traversal to access arbitrary files and directories on the SAP server filesystem, including application source code, configuration, and system files. This allows obtaining critical technical and business-related information stored in the vulnerable SAP system.
  • A Directory Traversal vulnerability in SAP Telnet Command (CVSS Base Score: 3.4). An update is available in SAP Security Note 2280371. An attacker can use a Directory Traversal to access arbitrary files and directories on the SAP server filesystem, including application source code, configuration, and system files. This allows obtaining critical technical and business-related information stored in the vulnerable SAP system.

The most critical issues closed by SAP Security Notes August 2016 identified by other researchers

The most dangerous vulnerabilities of this update can be patched by the following SAP Security Notes:

  • 2292714: SAP Memory Snapshot Creation has a Denial of Service vulnerability (CVSS Base Score: 7.5). An attacker can use a Denial of Service vulnerability to terminate a process of the vulnerable component. While the process is down nobody can use the service, which disrupts business processes, causes system downtime and, as a result, damages business reputation. Install this SAP Security Note to prevent the risks.
  • 2319506: SAP Database Monitors for Oracle has a SQL injection vulnerability (CVSS Base Score: 7.2). An attacker can exploit a SQL injection vulnerability with specially crafted SQL queries. It allows reading and modifying sensitive information in a database, executing administrative operations on the database, and destroying data or making it unavailable. In some cases, an attacker can also access system data or execute OS commands. Install this SAP Security Note to prevent the risks.
  • 2294866: SAP JMS Provider Service has a Missing Authorization Check vulnerability (CVSS Base Score: 6.4). An attacker can use a Missing Authorization Check vulnerability to access a service without any authorization procedure and use functionality that is meant to be restricted. This can lead to information disclosure, privilege escalation, and other attacks. Install this SAP Security Note to prevent the risks.

Advisories for those SAP vulnerabilities with technical details will be available in 3 months on erpscan.com. Exploits for the most critical vulnerabilities are already available in ERPScan Security Monitoring Suite.

2. Threats

560 SAP Servers at risk

SAP Security Note 2313835 closes a Denial of Service vulnerability in SAP Internet Communication Manager, SAP’s web application server, which provides clients and partners with access to a company’s web applications such as CRM, SRM or Portal. The vulnerability allows an attacker to prevent legitimate users from accessing the company’s services and thereby halt operations. Given that SAP is installed in the largest organizations worldwide, a minute of downtime may cost millions of dollars.

The vulnerability can be exploited remotely without authentication. Scanning conducted by the ERPScan Threat Intelligence and research team revealed that at least 559 such servers are exposed to the Internet and possibly open to the DoS attack. The graph below shows that most of these services are located in the USA, India, and China.

3. SAP Cybersecurity breaking news

ERPScan released the first comprehensive SAP Cybersecurity Threat Report. It covers 3 main angles of SAP Cybersecurity, namely SAP Product Security, SAP Implementation Security, and SAP Security Awareness.

The most important highlights are as follows:

  • 36000 SAP systems worldwide are available via the Internet. Most of them (69%) should not be directly reachable from the Internet.
  • The USA has the highest number (3660) of unnecessarily exposed SAP services; India and China come next. These services have vulnerabilities or misconfigurations, or simply should not be configured for remote access.
  • The list of vulnerable platforms has grown and now includes modern cloud and mobile technologies such as HANA.

Because of this, new SAP systems have become more exposed to the Internet, so every vulnerability identified in these services can affect thousands of multinationals. For example, the latest reported issues in SAP Mobile affect more than a million mobile devices.

SAP customers as well as companies providing SAP Security Assessment, SAP Vulnerability Assessment, or SAP Penetration Testing services should be well-informed about the latest SAP Security news. Stay tuned for next month’s SAP Cyber Threat Intelligence report.