The SAP threat landscape is always growing thus putting organizations of all sizes and industries at risk of cyberattacks. The idea behind SAP Cyber Threat Intelligence report is to provide an insight into the latest security threats and vulnerabilities.
- This set of SAP Security Notes consists of 33 patches with the majority of them rated medium.
- SAP Point of Sale vulnerabilities are still in the spotlight. This time, the vendor released one SAP Security Note and updated two patches to enhance its POS solution security
- The software maker also announced that it will participate in CVE Numbering Authority program by the end of 2017.
SAP Security Notes – September 2017
SAP has released the monthly critical patch update for September 2017. This patch update includes 33 SAP Security Notes Notes (23 SAP Security Patch Day Notes and 10 Support Package Notes). 9 of all the patches are updates to previously released Security Notes.
17 of all the Notes were released after the second Tuesday of the previous month and before the second Tuesday of this month.
3 of the released SAP Security Notes have a High priority rating. The highest CVSS score of the vulnerabilities is 8.1.
The most common vulnerability types is XSS.
SAP POS is a client-server point-of-sale solution for Retail solution portfolio developed by SAP, which serves 80% of the retailers in the Forbes Global 2000.
SAP POS includes the elements depicted below:
Researchers found the vulnerabilities and reported them to the vendor in April 2017. SAP POS Xpress Server didn’t perform any authentication check for critical functionality that requires user identity. Administrative and other privileged functions were accessible without any authentication procedure, and anyone who penetrated into the network was able to gain an unrestricted control of the whole POS system – for example, a malefactor could change prices or set discounts. You can find more information on the SAP POS vulnerabilities here.
SAP released the first patch in July, and ERPScan researchers examined it afterward. It turned out that by exploiting another vulnerability, the newly implemented authorization check could be bypassed. The failed patch was reported to the vendor on 15-th of August, and SAP released a patch in less than a week, on the 18-th of August. Missing encryption and authentication were added to SAP Point of Sale (POS) Xpress Server communication channel.
Now, in September, the patches (2476601 and 2520064) were updated.
By the way, there is additional issue lying in the fact that the encryption for a Back office accidentally was not added, therefore Store Manager crashes after entering credentials. To solve the drawback, SAP released additional Note (2529966).Another security vulnerability affecting SAP POS was closed in September 2017. It is Hard-coded Credentials in SAP Point of Sale Store Manager (Note 2528596) leading to exposure of resources or functionality to unintended users.
Organizations are encouraged to implement the appropriate patches as soon as possible to protect their business-critical assets.
SAP for Retail portfolio is not the only industry solution that lacks authorization checks. For example, Missing Authentication check vulnerability in SAP’s Utility module (2432578) was also closed this month.
Issues that were patched with the help of ERPScan
This month, one critical vulnerability identified by ERPScan’s researcher Nursultan Abubakirov was closed.
Below are the details of the SAP vulnerabilities, which were identified by ERPScan team.
- An Information Disclosure vulnerability in SAP TREX/BWA (CVSS Base Score: 5.5). Update is available in SAP Security Note 2489196. An attacker can use Information disclosure vulnerability to reveal additional information (system data, debugging information, etc.) which will help to learn about a system and to plan other attacks. Please find more information about SAP TREX patching by the link.
Other critical issues closed by SAP Security Notes September
The most dangerous vulnerabilities of this update can be patched by the following SAP Security Notes:
- 2367269: Electronic Ledger Management for Turkey 1.0 has a Cross-Site Request Forgery (CSRF/XSRF) vulnerability (CVSS Base Score: 7.6). An attacker can use a Cross-site request forgery vulnerability to exploit an authenticated user’s session by making a request containing a certain URL and specific parameters. A function will be executed with an authenticated user’s rights. An attacker may use a cross-site scripting vulnerability to do this, or he can send a specially crafted link to a victim user. Install this SAP Security Note to prevent the risks.
- 2492658: SAP NetWeaver Java Workflow (JWF) has an XML external entity (XXE) vulnerability (CVSS Base Score: 6.9). An attacker can use an XML external entity vulnerability to send specially crafted unauthorized XML requests which will be processed by XML parser. An attacker can use a XML external entity vulnerability for getting unauthorised access to OS filesystem. Install this SAP Security Note to prevent the risks.
- 2507798: SAP E-Recruiting has a Authentication bypass vulnerability (CVSS Base Score: 6.5). An attacker can use Authentication bypass vulnerability for access to a service without any authorization procedures and use service functionality that has restricted access. This can lead to an information disclosure, privilege escalation. Also, it can be exploited for remote file overwrite, denial of service, SMB relay attack, etc. Install this SAP Security Note to prevent the risks.
Advisories for these SAP vulnerabilities with technical details will be available in 3 months on erpscan.com. Exploits for the most critical vulnerabilities are already available in ERPScan Security Monitoring Suite.
With this patch update, SAP has also introduced several enhancements to its security program.
First, the vendor is planning to become a CVE Numbering Authority by the end of 2017. CVE allows publicly disclosing a vulnerability with an already assigned CVE ID, control the disclosure of vulnerability information without pre-publishing, and notification of vulnerabilities in products within a CNA’s scope by researchers who request a CVE ID from them. SAP believes that using CVE as a mechanism to disclose patches to vulnerabilities reported by external sources, it will facilitate faster patch consumption and transparency for all SAP Customers.
Secondly, with the security note 2408073 released among today’s security updates, SAP Customers introduces Digitally Signed SAP Notes. It prevents cases when files are maliciously modified and the customer unknowingly upload the malicious SAP Notes into their ABAP systems