The SAP threat landscape is always expanding, putting organizations of all sizes and industries at risk of cyberattacks. The idea behind the monthly SAP Cyber Threat Intelligence report is to provide insight into the latest security vulnerabilities and threats.
- The first set of SAP Security Notes in 2018 consists of 10 patches with the majority of them rated medium.
- Missing authorization check is the most common vulnerability type this month.
SAP Security Notes – January 2018
SAP has released the monthly critical patch update for January 2018. This patch update closes 10 SAP Security Notes (5 SAP Security Patch Day Notes and 5 Support Package Notes). 3 of the patches are updates to previously released Security Notes.
5 of the Notes were released after the second Tuesday of the previous month and before the second Tuesday of this month.
None of the released SAP Security Notes received a High priority rating; one was assessed at Low priority.
The most common vulnerability type is Missing authorization check. SAP users are recommended to implement security patches as they are released.
Critical issues closed by SAP Security Notes in January
The most dangerous vulnerabilities of this update can be patched with the help of the following SAP Security Notes:
- 2525392: SAP Knowledge Provider has an ABAP code injection vulnerability (CVSS Base Score: 6.5, CVE-2018-2363). Depending on the code, attackers can inject and run their own code, obtain additional information that should not be displayed, change and delete data, modify the output of the system, create new users with higher privileges, control the behavior of the system, escalate privileges by executing malicious code, or even perform a DoS attack. Install this SAP Security Note to prevent the risks.
- 2507934: SAP Solution Manager 7.2 has an Improper Role Authorizations vulnerability (CVSS Base Score: 6.3, CVE-2018-2361). Attackers can abuse a redundant right granted by the improper role authorizations to edit all tables on the server. This can lead to data compromise. Install this SAP Security Note to prevent the risks.
- 2523961: SAP Startup Service has a Missing Authentication check vulnerability (CVSS Base Score: 5.8, CVE-2018-2360). An attacker can exploit this vulnerability to access a service without any authorization procedures and use service functionality that has restricted access. This can lead to information disclosure, privilege escalation and other attacks. Install this SAP Security Note to prevent the risks.
Advisories for these SAP vulnerabilities with technical details will be available in 3 months on erpscan.com. Exploits for the most critical vulnerabilities are already available in ERPScan Security Monitoring Suite.