SAP Cyber Threat Intelligence report – October 2018

The SAP threat landscape is always expanding thus putting organizations of all sizes and industries at risk of cyber attacks. The idea behind the monthly SAP Cyber Threat Intelligence report is to provide an insight into the latest security vulnerabilities and threats.

Key takeaways

  • Today SAP has released its monthly update consisting of 20 patches with the majority of them rated medium.
  • A security note addressing an Information Disclosure in SAP BusinessObjects (CVE-2018-2471) that can lead to business information leakage has received “Hot News” priority rating.
  • The most common vulnerability type is Information Disclosure.
  • SAP NetWeaver ABAP platform has 40% of all vulnerabilities fixed this month.

SAP Security Notes – October 2018

SAP has released the monthly critical patch update for October 2018. This patch update closes 20 SAP Security Notes (15 SAP Security Patch Day Notes and 5 Support Package Notes). 6 of all the patches are updates to previously released Security Notes.

Below is a chart illustrating the SAP security notes distribution by priority.
SAP Security Notes Distribution by Priority (May 2018 – October 2018)

This month, Information Disclosure is the largest group in terms of the number of vulnerabilities.

SAP Security Notes Distribution by Vulnerability Type – October 2018

This month, 40% of all vulnerabilities belong to the SAP NetWeaver ABAP platform, as a pie chart shows:

Affected Platforms – October 2018

SAP users are recommended to implement security patches as they are released as it helps protect the SAP landscape.

Information Disclosure in SAP BusinessObjects

SAP BusinessObjects BI (SAP BO, or BOBJ) is an analytics business intelligence (BI) front-end platform. Its reporting applications allow business users to search and analyze data as well as to visualize it and perform predictive analytics. The data is not stored at the application level, but is integrated.

The execution of certain special CMS queries on the Central Management Server bypassing authorization checks can result in information leakage.

Central Management Service is a process running as a part of the BusinessObjects Enterprise servers, including the CMS database, authenticating users, storing access rights, etc. The CMS is the heart of a BusinessObjects Enterprise system; therefore, the leakage may be critical. An attack can be carried out without any rights in the systems by an anonymous user.

Critical issues closed by SAP Security Notes in October

The following SAP Security Notes can patch the most severe vulnerabilities of this update :

  • 2654905: SAP BusinessObjects BI Suite has an Information Disclosure vulnerability (CVSS Base Score: 9.8 CVE-2018-2471). An attacker can use it to reveal additional information (system data, debugging information, etc.) that will help to learn about a system and plan other attacks. Install this SAP Security Note to prevent the risks.
  • 2699726: Gardener has a Missing network isolation vulnerability (CVSS Base Score: 8.5 CVE-2018-2475). Following the Gardener architecture, the Kubernetes apiserver of a Gardener managed shoot cluster resides in the corresponding seed cluster. Due to missing network isolation a shoot’s apiserver can access services/endpoints in the private network of its corresponding seed cluster. Combined with other minor Kubernetes security issues, the missing network isolation theoretically can lead to compromise other shoot or seed clusters in the Gardener context. The issue is rated high due to the high impact of a potential exploitation in the Gardener context. In the Gardener context, missing network isolation can enable an attacker who is admin in a shoot cluster to compromise the corresponding seed cluster or other shoot clusters which are controlled by this seed cluster. Install this SAP Security Note to prevent the risks.
  • 2674215: SAP Plant Connectivity (PCo) has a Denial of service (DOS) vulnerability (CVSS Base Score: 8.2 NIST CVE-2018-12585 NIST CVE-2018-12586 ). An attacker can use Denial of service vulnerability for terminating a process of vulnerable component. For this time nobody can use this service, this fact negatively influences on a business processes, system downtime and business reputation as result. Install this SAP Security Note to prevent the risks.

Advisories for these SAP vulnerabilities with technical details will be available in three months on erpscan.com. Exploits for the most critical vulnerabilities are already available in ERPScan Security Monitoring Suite.

Do you want more?

Subscribe me to your mailing list