The SAP threat landscape keeps growing, putting organizations of all sizes and industries at risk of cyberattacks. The SAP Cyber Threat Intelligence report aims to provide insight into the latest security threats and vulnerabilities.
- This set of SAP Security Notes consists of 19 patches, the majority of them rated medium.
- One of the vulnerabilities closed this month affects the Adobe Flex software development kit, so every custom application built with that library is susceptible to an XSS vulnerability.
- The most common vulnerability type is XSS. Cross-Site Scripting remains the most widespread security loophole in SAP applications, with 20% of the released Notes addressing this type of issue.
- Vulnerabilities in the SAP Customer Relationship Management module deserve attention. The number of SAP Security Notes for this module totals 393. This month, 3 Notes belong to this area, including an SQL Injection that allows stealing sensitive customer data.
SAP Security Notes – August 2017
1 of the Notes was released after the second Tuesday of the previous month and before the second Tuesday of this month.
3 of the released SAP Security Notes have a High priority rating. The highest CVSS score of the vulnerabilities is 7.7.
The most common vulnerability type is XSS.
Issues that were patched with the help of ERPScan
This month, several critical vulnerabilities identified by ERPScan’s researchers Vahagn Vardanyan and Vlad Egorov were closed by 4 SAP Security Notes.
Below are the details of the SAP vulnerabilities identified by the ERPScan team.
- An SQL Injection vulnerability in SAP CRM WebClient User Interface (CVSS Base Score: 6.3). An update is available in SAP Security Note 2450979. An attacker can exploit the SQL injection vulnerability with the help of specially crafted SQL queries to read and modify sensitive information in a database, execute administrative operations on the database, and destroy data or make it unavailable.
- Multiple vulnerabilities (Cross-site scripting and Information disclosure) in SAP SRM Live Auction Application (CVSS Base Score: 6.1). An update is available in SAP Security Note 2493099. An attacker can exploit a Cross-site scripting vulnerability to inject a malicious script into a page. The malicious script can access cookies, session tokens and other critical information stored and used for interaction with a web application. An attacker can gain access to a user's session and learn business-critical information; in some cases, it is possible to take control of this information. XSS can also be used for unauthorized modification of displayed content. Moreover, an attacker can use the Information disclosure vulnerability to reveal additional information (system data, debugging information, etc.), which helps to learn about a system and plan further attacks.
- A Cross-site scripting vulnerability in SAP CRM IPC Pricing (CVSS Base Score: 6.1). An update is available in SAP Security Note 2481262. An attacker can exploit a Cross-site scripting vulnerability to inject a malicious script into a page. The malicious script can access cookies, session tokens and other critical information stored and used for interaction with a web application. An attacker can gain access to a user's session and learn business-critical information; in some cases, it is possible to take control of this information. XSS can also be used for unauthorized modification of displayed content.
- An Open redirect vulnerability in SAP NetWeaver Logon Application (CVSS Base Score: 4.3). An update is available in SAP Security Note 2423540. An attacker can use an Open redirect vulnerability to redirect a user to phishing or malicious sites without his or her knowledge. The vulnerability occurs because the application takes a parameter and redirects the user to the parameter value without any validation.
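The root cause described above, a redirect parameter used without validation, is commonly fixed by allow-listing the target so that only same-origin paths are accepted. The following added example (not SAP's code or the fix shipped in the Note) shows such a validator in Python; APP_HOST and DEFAULT_TARGET are assumed, constructed values.

```python
from typing import Optional
from urllib.parse import urlsplit, unquote

# Constructed values for the example: the application's own host name and the
# page users land on when the requested target is rejected.
APP_HOST = "sap.example.internal"
DEFAULT_TARGET = "/sap/bc/start"


def safe_redirect_target(param: Optional[str]) -> str:
    """Return a post-login redirect target that stays on this application.

    The vulnerable pattern is simply `return param`: whatever the request
    parameter holds is handed to the browser as the redirect location. This
    function accepts only rooted paths on our own origin and falls back to
    DEFAULT_TARGET for everything else.
    """
    if not param:
        return DEFAULT_TARGET
    # Decode one layer so "%2F%2Fevil.example" is seen as "//evil.example".
    target = unquote(param)
    # Reject control characters (header injection) and any remaining percent
    # signs (double encoding intended to survive the single decode above).
    if "%" in target or any(ord(c) < 0x20 for c in target):
        return DEFAULT_TARGET
    # Browsers treat "\" like "/" in the authority part, so "/\evil.example"
    # would become protocol-relative; normalise before parsing.
    target = target.replace("\\", "/")
    parts = urlsplit(target)
    # Anything with a scheme or host is absolute (this also catches
    # "//evil.example" and "javascript:..."); allow only http(s) to ourselves
    # and keep just the path and query so the redirect stays relative.
    if parts.scheme or parts.netloc:
        if parts.scheme in ("http", "https") and parts.hostname == APP_HOST:
            path = parts.path or "/"
            return f"{path}?{parts.query}" if parts.query else path
        return DEFAULT_TARGET
    # Relative target: require exactly one leading slash.
    if not target.startswith("/") or target.startswith("//"):
        return DEFAULT_TARGET
    return target


if __name__ == "__main__":
    for p in ["/sap/bc/webdynpro/app?x=1", "//evil.example/", "/\\evil.example",
              "https://evil.example/", "javascript:alert(1)", "%2F%2Fevil.example"]:
        print(f"{p!r:32} -> {safe_redirect_target(p)}")
```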
Focus on SAP CRM vulnerabilities
Customer Relationship Management (CRM) is among the most widespread and important business applications. Moreover, enterprises consider this software the most critical in terms of business processes: according to the ERP Cybersecurity Survey 2017, 55% of respondents rank CRM as the most critical asset. This comes as no surprise, given that this module stores and processes essential business data, from customer lists to pricing information.
Unfortunately, this application also contains numerous security drawbacks: a total of 393 SAP Security Notes fix various SAP CRM vulnerabilities. This month, 3 SAP Notes belong to the SAP CRM application area.
Nonetheless, it is not the number of issues but their criticality and, more importantly, their business impact that matter for an enterprise's cybersecurity posture. For example, an SQL Injection vulnerability in SAP CRM WebClient User Interface (SAP Security Note 2450979) identified by ERPScan allows a remote attacker to conduct corporate espionage by sending a special request and stealing all the customer data, such as customer datasets, pricing, sales, or prospective bids.
About XSS Vulnerability in third-party library
In the gap between the July and August SAP Security Days, the vendor released SAP Security Note 2393021. Some in-house written SAP applications may be vulnerable to XSS if developers are still using an unpatched Adobe Flex Software Development Kit. The advisory states that SAP also “consumed the same SDK in our framework”, meaning SAP's Web Dynpro Flex. In general, applications written using old versions of the Adobe Flex SDK and Web Dynpro Flex are susceptible to the Cross-Site Scripting vulnerability.
The issue was first identified in 2011 and the appropriate patch was released in March 2012. The vulnerability (CVE-2011-2461) allowed remote attackers to inject arbitrary web script or HTML via vectors related to the loading of modules from different domains.
As the issue affects a library, simply applying the fix is not enough to get rid of the vulnerability. Applications that were built with the vulnerable library must be rebuilt using the patched version of the SDK.
XSS is the most widespread vulnerability affecting SAP applications (see the statistics below). SAP Cyber Security in Figures revealed that 20% of vulnerabilities belong to this type. This set of patches is no exception: 5 of the closed issues are XSS, including 2 identified by ERPScan's researchers.
Other critical issues closed by SAP Security Notes August
The most dangerous vulnerabilities of this update can be patched by the following SAP Security Notes:
- 2486657: SAP NetWeaver AS Java Web Container has a Directory Traversal vulnerability (CVSS Base Score: 7.7). An attacker can use a Directory traversal vulnerability to access arbitrary files and directories on an SAP server's filesystem, including application source code, configuration and system files. This allows obtaining critical technical and business-related information stored in a vulnerable SAP system. Install this SAP Security Note to prevent the risks.
- 2376081: SAP Visual Composer 04s iviews has a Code Injection vulnerability (CVSS Base Score: 7.4). Depending on the code, attackers can inject and run their own code, obtain additional information that should not be displayed, modify or delete data, modify the output of the system, create new users with higher privileges, control the behavior of the system, potentially escalate privileges by executing malicious code, or even perform a DoS attack. Install this SAP Security Note to prevent the risks.
- 2381071: SAP BusinessObjects has a Cross-Site AJAX Requests vulnerability (CVSS Base Score: 7.3). An attacker can use a Cross-site request forgery vulnerability to exploit an authenticated user's session by making a request containing a certain URL and specific parameters; the function is then executed with the authenticated user's rights. An attacker may use a cross-site scripting vulnerability to do so, or present a specially crafted link to a victim. Install this SAP Security Note to prevent the risks.
Advisories for these SAP vulnerabilities with technical details will be available in 3 months on erpscan.com. Exploits for the most critical vulnerabilities are already available in ERPScan Security Monitoring Suite.