The SAP threat landscape is always growing thus putting organizations of all sizes and industries at risk of cyberattacks. The idea behind SAP Cyber Threat Intelligence report is to provide an insight on the latest security threats and vulnerabilities.
1) SAP’s critical patch update for September fixes 19 vulnerabilities.
2) This update contains a record number of patches for missing authorization check vulnerabilities.
3) DBMS at risk. Several critical vulnerabilities in SAP ASE were discovered.
SAP Security Notes – September 2016
SAP has released the monthly critical patch update for September 2016. This patch update closes 19 vulnerabilities in SAP products including 14 SAP Security Patch Day Notes and 5 Support Package Notes. 7 of all Notes were released after the second Tuesday of the previous month and before the second Tuesday of this month. 4 of all the Notes are updates to previously released Security Notes.
3 of the released SAP Security Notes have a high priority rating. The highest CVSS score of the vulnerabilities is 8.8.
The most common vulnerability type is Missing authorization check. Approximately 40% vulnerabilities in this update are missing auth check issues(twice more than the total number of 20%).
Missing authorization check in SAP
Missing Authorization Check vulnerability allows an attacker to access a service without any authorization procedure and use its functionality, which has restricted access. This can lead to information disclosure, privilege escalation, and other attacks.
According to the recent SAP Security in figures. Global threat report, Missing Authorization is among the most common vulnerability types for SAP products. It constitutes approximately 20% of all closed SAP security issues. As for the end of 2015, 725 such issues were closed in all SAP products (for more details see the table below).
|In total||NW ABAP||NW J2EE||HANA||BOBJ||Frontend||Mobile||OTHER|
Issues that were patched with the help of ERPScan
This month, 1 critical vulnerability identified by ERPScan’s researcher Roman Bezhan was closed.
Below are the details of the SAP vulnerability, which was identified by ERPScan researcher.
- An Information disclosure vulnerability in SAP Guided Procedures (CVSS Base Score: 5.3). Update is available in SAP Security Note 2344524. An attacker can use Information disclosure vulnerability to reveal information (in this case, usernames), which will help to learn about a system and to plan further attack.
The impact of this vulnerability seems not so dangerous. However, there are at least 2 attack scenarios, and their execution does not require sophisticated skills. First, an attacker can bruteforce passwords for known usernames or just try to guess the right password by entering the most widespread ones. Secondly, an attacker can simply block the number of user accounts by entering wrong passwords several times (usually, according to SAP policy, 3-5 is the maximum password attempts). Without a doubt, both options are critical for business.
The most critical issues closed by SAP Security Notes September 2016 identified by other researchers
The most dangerous vulnerabilities of this update can be patched by the following SAP Security Notes:
- 2358986: SAP ASE has an SQL injection vulnerability (CVSS Base Score: 8.8). An attacker can exploit an SQL injection vulnerability with specially crafted SQL queries. They can read and modify sensitive information from a database, execute administration operations on a database, destroy data or make it unavailable. Also, in some cases an attacker can access system data or execute OS commands. Install this SAP Security Note to prevent the risks.
- 2353243: SAP ASE has an SQL injection vulnerability (CVSS Base Score: 7.2). An attacker can exploit an SQL injection vulnerability with specially crafted SQL queries. They can read and modify sensitive information from a database, execute administration operations on a database, destroy data or make it unavailable. Also, in some cases an attacker can access system data or execute OS commands. Install this SAP Security Note to prevent the risks.
- 2290548: SAP BI Launchpad has a DoS vulnerability (CVSS Base Score: 6.5). An attacker can use a Denial of service vulnerability to terminate a process of a vulnerable component. For this time, nobody would be able to use this service, this fact negatively influences on business processes, system downtime and business reputation, as a result. Install this SAP Security Note to prevent the risks.
Vulnerabilities in SAP ASE
As you can see from the previous part, 2 of 3 the most critical vulnerabilities within this patch update affect SAP Adaptive Server Enterprise (ASE). It is an SQL database that uses a relational model. Usually, it stores all sensitive and valuable corporate data. It would be no exaggeration to say that the SAP ASE database is a treasure trove for hackers.
Both closed vulnerabilities are SQL Injections. It means that an authenticated user on the following SAP ASE server versions may be able to create and execute a stored procedure with SQL commands. This allows the attacker to elevate their privileges, modify database objects, or execute commands they are not authorized to execute.
Advisories for these SAP vulnerabilities with technical details will be available in 3 months on erpscan.com. Exploits for the most critical vulnerabilities are already available in ERPScan Security Monitoring Suite.
SAP customers as well as companies providing SAP Security Audit, SAP Vulnerability Assessment, or SAP Penetration Testing services should be well-informed about the latest SAP Security news. Stay tuned for next month’s SAP Cyber Threat Intelligence report.