SAP has released the monthly critical patch update for August 2015. This patch update closes 22 vulnerabilities in SAP products, 15 have high priority, some of them belong to the SAP HANA security area. The most popular vulnerability is Cross Site Scripting (XSS). This month, three critical vulnerabilities found by ERPScan researchers Dmitry Chastukhin, Vahagn Vardanyan, Roman Bezhan were closed.
We also would like to mention significant changes both in SAP security market and SAP security awareness that took place this month. At the BlackHat's Pwnie Awards, on August 6, a vulnerability in SAP Compression algorithm won the first prize for Best Server-Side Vulnerability. Several security associations (ISACA, DSAG, and EAS-SEC) updated and released their SAP security guidance documents and tutorials.
Issues that were patched with the help of ERPScan
Below are the details of SAP vulnerabilities that were found by ERPScan researchers.
- An XML eXternal Entity vulnerability in SAP Mobile Platform 2.3 (CVSS Base Score: 4.9). Update is available in SAP Security Note 2152227. An attacker can use XML eXternal Entities to send specially crafted unauthorized XML requests, which will be processed by the XML parser. The attacker will get unauthorized access to the OS file system. More about SAP Mobile platform security: Attacking SAP Mobile
- An XML eXternal Entity vulnerability in SAP NetWeaver Portal (CVSS Base Score: 4.9). Update is available in SAP Security Note 2168485. An attacker can use XML eXternal Entities to send specially crafted unauthorized XML requests, which will be processed by the XML parser. The attacker will get unauthorized access to the OS file system.
- An XSS vulnerability in SAP Afaria 7 (CVSS Base Score: 4.3). Update is available in SAP Security Note 2152669. An attacker can modify displayed application content without authorization and steal authentication data (cookie). For more information about XSS vulnerabilities in SAP systems, please follow the link.
The most critical issues found by other researchers
Some of our readers and clients asked us to categorize the most critical SAP vulnerabilities to patch them first. Companies providing SAP Security Assessment, SAP Vulnerability Assessment, or SAP Penetration Testing services can include these vulnerabilities in their checklists. The most critical vulnerabilities of this update can be patched by the following SAP Security Notes:
- 2037304: SAP ST-P has a Remote Command Execution vulnerability (CVSS Base Score: 8.5). An attacker can use Remote Command Execution to run commands remotely. Executed commands will run with the privileges of the service that executes them. An attacker can access arbitrary files and directories located in an SAP server filesystem, including application source code, configuration, and critical system files. It allows obtaining critical technical and business-related information stored in the vulnerable SAP system. It is recommended to install this SAP Security Note to prevent risks.
- 2169391: SAP NetWeaver AFP Servlet has a Reflected File Download vulnerability (CVSS Base Score: 7.5). Reflected File Download (RFD) is a web attack vector that enables attackers to gain complete control over a victim's machine. In an RFD attack, the user follows a malicious link to a trusted domain resulting in a file download from that domain. It is recommended to install this SAP Security Note to prevent risks.
- 2175928: SAP HANA has a Running Process Remote Termination vulnerability (CVSS Base Score: 6.8). An attacker can use this vulnerability to terminate the process of a vulnerable component. Nobody will be able to use this service, which has a negative impact on business processes, system downtime, and business reputation. It is recommended to install this SAP Security Note to prevent risks.
- 2165583: SAP HANA has an incorrect system configuration vulnerability (CVSS Base Score: 6.6). SAP HANA internal services could be accessed without authentication if the HANA system is insecurely configured and no other security measures are in place. This could endanger system availability, data confidentiality and integrity. It is recommended to install this SAP Security Note to prevent risks.
It is highly recommended to patch all those SAP vulnerabilities to prevent business risks affecting your SAP systems.
SAP has traditionally thanked the security researchers from ERPScan for found vulnerabilities on their acknowledgment page.
Advisories for those SAP vulnerabilities with technical details will be available in 3 months on erpscan.com. Exploits for the most critical vulnerabilities are already available in ERPScan Security Monitoring Suite.