The SAP threat landscape is always growing, putting organizations of all sizes and industries at risk of cyberattacks. The idea behind the SAP Cyber Threat Intelligence report is to provide insight into the latest security threats and vulnerabilities.

Key findings

  • At the Gartner conference in the US, ERP security was listed as one of the 2016 trends.
  • Today SAP released fixes for 36 vulnerabilities in SAP products, most of them clickjacking. This patch update also contains fixes for several dangerous vulnerabilities.
  • Some of them pose significant risks. One affects utilities companies (more than 2000 of them run SAP) that use the affected industry-specific module. The second can be exploited remotely, and about 300 vulnerable services (namely, Adobe Interactive Forms) can be found by using an appropriate search request.

1. SAP Security Notes – July 2016

SAP has released the monthly critical patch update for July 2016. This patch update closes 36 vulnerabilities in SAP products including 10 SAP Security Patch Day Notes and 26 Support Package Notes. 3 of all Notes were released after the second Tuesday of the previous month and before the second Tuesday of this month. 2 of all the notes are updates to previously released Security Notes.

2 of all released SAP Security Notes have a High priority rating and 1 has a Hot News rating. The highest CVSS score of the vulnerabilities is 9.9.

SAP Security Notes July 2016 by priority

The most common vulnerability type is Clickjacking.

SAP Security Notes July 2016 by type

1.1 About Clickjacking Vulnerability

Clickjacking was discovered by researchers Jeremiah Grossman and Robert Hansen in 2008. This vulnerability allows an attacker to “hijack” clicks by using multiple transparent or opaque layers. A user is tricked into clicking a button or a link on another page when they are intending to click on the top level page.

Although the vulnerability type is 8 years old and can be fixed without difficulty, it is quite common and threatens various websites and domains. One way to prevent clickjacking attacks is to send a proper X-Frame-Options HTTP header. This measure doesn’t require a lot of work from a vendor of a web-based application. However, it was only in 2016 that SAP paid attention to this vulnerability. In 2001-2015, SAP released only two SAP Security Notes addressing the issue, while this monthly patch update contains 24 fixes for this vulnerability.
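
To confirm that a clickjacking fix is actually in effect, the response headers of the patched web application can be audited. The following is an added example, not ERPScan or SAP code: it classifies a response by its X-Frame-Options header and by the Content-Security-Policy frame-ancestors directive, a newer control the report does not mention. The function names and sample responses are constructed for illustration.

```python
# Per the CSP specification, frame-ancestors takes precedence over
# X-Frame-Options. ALLOW-FROM is obsolete and ignored by current browsers.
XFO_EFFECTIVE = {"deny", "sameorigin"}

def frame_ancestors(csp_value):
    """Return the frame-ancestors source list from one CSP header, or None."""
    for directive in csp_value.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None

def audit_framing(headers):
    """Return (verdict, reasons) for a list of (name, value) header pairs.
    Verdict: 'protected', 'weak' (header present but ineffective) or 'missing'."""
    xfo_tokens, reasons = set(), []
    csp_seen = csp_strict = False
    for name, value in headers:
        key = name.lower()
        if key == "x-frame-options":
            xfo_tokens |= {t.strip().lower() for t in value.split(",") if t.strip()}
        elif key == "content-security-policy":
            sources = frame_ancestors(value)
            if sources is None:
                continue
            csp_seen = True
            if any(s in ("*", "http:", "https:") for s in sources):
                reasons.append("frame-ancestors allows any origin")
            else:
                csp_strict = True  # 'none', 'self' or an explicit origin list
    xfo_ok = len(xfo_tokens) == 1 and xfo_tokens <= XFO_EFFECTIVE
    if xfo_tokens and not xfo_ok:
        reasons.append("X-Frame-Options conflicting or unrecognised: %s" % sorted(xfo_tokens))
    protected = csp_strict if csp_seen else xfo_ok
    if protected:
        return "protected", reasons
    return ("weak" if reasons else "missing"), reasons

# Constructed sample responses (not taken from any real SAP system).
SAMPLES = {
    "no-header": [("Content-Type", "text/html")],
    "sameorigin": [("X-Frame-Options", "SAMEORIGIN")],
    "allow-from": [("X-Frame-Options", "ALLOW-FROM https://portal.example")],
    "csp-none": [("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'")],
    "csp-star": [("Content-Security-Policy", "frame-ancestors *")],
}

if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        print(label, audit_framing(hdrs))
```

A "weak" verdict is the case worth chasing after patching: the header is present, so a quick visual check passes, but browsers do not enforce it.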

1.2 Issues patched with the help of ERPScan

This month, 3 critical vulnerabilities identified by ERPScan’s researchers Dmitry Yudin, Mathieu Geli, and Vahagn Vardanyan were closed.

Below are the details of the SAP vulnerabilities, which were identified by ERPScan researchers.

  • A Denial of service vulnerability in SAP Sybase products (CVSS Base Score: 7.5). Update is available in SAP Security Note 2330839. An attacker can use a Denial of service vulnerability to terminate a process of a vulnerable component. During this time, nobody can use the service, which negatively affects business processes, causes system downtime and, as a result, damages business reputation.
  • A Buffer overflow vulnerability in SAP Startup Service (CVSS Base Score: 6.5). Update is available in SAP Security Note 2295238. An attacker can use a Buffer overflow vulnerability to inject specially crafted code into working memory. The code will be executed by the vulnerable application. Executed commands will run with the same privileges as the service that executed the command. This can lead to taking complete control of an application, denial of service, command execution, and other attacks. In the case of command execution, an attacker can obtain critical technical and business-related information stored in a vulnerable SAP system or use it for a privilege escalation attack. In the case of denial of service, terminating a process of a vulnerable component is possible.
  • A Denial of service vulnerability in SAP Enterprise Portal: Federated Portal Network (CVSS Base Score: 4.9). Update is available in SAP Security Note 2315788. An attacker can use a Denial of service vulnerability to terminate a process of a vulnerable component. During this period of time, nobody can use the service, which negatively affects business processes, causes system downtime and, as a result, damages business reputation.

1.3 Other critical issues closed by SAP Security Notes July 2016

The most dangerous vulnerabilities of this update can be patched by the following SAP Security Notes:

  • 2301837: SAP Solution Manager has a Code injection vulnerability (CVSS Base Score: 9.9). Depending on the code, an attacker can inject and run their own code, obtain additional information that should not be displayed, modify data, delete data, modify the system output, create new users with higher privileges, control the behavior of the system, potentially escalate privileges by executing malicious code, or even perform a DoS attack. Install this SAP Security Note to prevent the risks.
  • 2245398: Adobe Interactive Forms has a Java Deserialization vulnerability (CVSS Base Score: 7.3).
  • 2321240: SAP HANA Enterprise has a Missing authorization check vulnerability (CVSS Base Score: 5.5). An attacker can use a Missing authorization check vulnerability to access a service without any authorization procedures and use service functionality that has restricted access. This can lead to information disclosure, privilege escalation and other attacks. Install this SAP Security Note to prevent the risks.

Advisories for those SAP vulnerabilities with technical details will be available in 3 months on Exploits for the most critical vulnerabilities are already available in ERPScan Security Monitoring Suite.

2. Threats

2.1 Utilities companies at risk

SAP Security Note 2339506 addresses a clickjacking vulnerability in the SAP Utility Customer E-Services module, a web application installed on SAP NetWeaver AS JAVA. As a web application, the service is available from the Internet. Although the Utility Customer E-Services module is not included in a default SAP system, ERPScan recommends that utility companies take notice of this patch. It’s worth mentioning that SAP is rather widespread in the utility industry. According to rough estimates collected by a third party, approximately 2200 such companies run SAP.

2.2 JAVA deserialization vulnerability affects SAP

SAP Security Note 2245398 addresses a JAVA deserialization vulnerability in Adobe Interactive Forms. The deserialization vulnerability was disclosed in November 2015 and patched by SAP in time. Unfortunately, the patch prevented remote code execution only; a DoS attack was still possible. This monthly update fixes one of the ways in which a DoS attack against JAVA can be conducted. This attack is remotely exploitable, and the service is exposed to the Internet, which means it can be found by using an appropriate Google search request. Our research revealed that at least 300 such services are available online. ERPScan recommends that companies using Adobe Interactive Forms pay attention to the patch.

3. SAP Cybersecurity breaking news

At the Gartner conference, ERP security was listed as one of the “beyond 2016” trends. A speaker delivered a short talk on the topic, emphasizing the importance of ERP security and referring to the US-CERT alert.

SAP customers as well as companies providing SAP Security Assessment, SAP Vulnerability Assessment, or SAP Penetration Testing services should be well-informed about the latest SAP Security news. Stay tuned for next month’s SAP Cyber Threat Intelligence report.