
SAP Security Notes December 2014 – Review

SAP released its monthly critical patch update for December 2014. This month, four critical vulnerabilities found by ERPScan researchers George Nosenko and Vahagn Vardanyan were closed.

The most critical issues

Our readers and clients asked us to single out the most critical SAP vulnerabilities so that they can be patched first. Companies that provide SAP Security Assessment, SAP Vulnerability Assessment, or SAP Penetration Testing services can also add these vulnerabilities to their checklists. The most critical issues in this update are addressed by the following SAP Security Notes:

  • 1838854: SAP ABAP Report has a Missing Authorization Check vulnerability. An attacker can use a Missing Authorization Check vulnerability to reach a service without passing through any authorization check and use functionality that is meant to be restricted. This can lead to information disclosure, privilege escalation, and other attacks. It is recommended to install this SAP Security Note to prevent risks.
  • 1987344: SAP Online Correction Support has an ABAP code injection vulnerability. Depending on the injected code, an attacker can obtain information that should not be displayed, modify or delete data, alter the system output, create new users with higher privileges, or control the behaviour of the system. Code injection can also be used to escalate privileges or to cause a denial of service. It is recommended to install this SAP Security Note to prevent risks.
  • 2055411: SAP E-Commerce/Web Channel has an Information Disclosure vulnerability. An attacker can use an Information Disclosure vulnerability to obtain additional information (system data, debugging information, etc.) that helps them learn about the system and plan further attacks. It is recommended to install this SAP Security Note to prevent risks.

Issues that were patched with the help of ERPScan

The detailed list of the corrected vulnerabilities found by ERPScan researchers is given below.

  • A Remote Command Execution vulnerability in SAP ABAP VM. The update is available in SAP Security Note 2059734. An attacker can use a Remote Command Execution vulnerability to execute commands remotely without authorization. The commands run with the privileges of the service that executed them, so an attacker can read arbitrary files and directories in the SAP server filesystem, including the application source code, the configuration, and critical system files, and obtain the critical technical and business-related information stored in the vulnerable SAP system.
  • A Remote Command Execution vulnerability in SAP Spool System. The update is available in SAP Security Note 2061271. The impact is the same as for the issue above: commands run with the privileges of the executing service, giving an attacker access to arbitrary files and directories in the SAP server filesystem, including the application source code, the configuration, and critical system files, and to the critical technical and business-related information stored in the vulnerable SAP system.
  • A Directory Traversal vulnerability in SAP IM Summarization Reporting. The update is available in SAP Security Note 2077260. An attacker can use Directory Traversal to read arbitrary files and directories in the SAP server filesystem, including the application source code, the configuration, and system files, and obtain the critical technical and business-related information stored in the vulnerable SAP system.
  • A Directory Traversal vulnerability in SAP Specification 2000. The update is available in SAP Security Note 2056333. As with the issue above, an attacker can use Directory Traversal to read arbitrary files and directories in the SAP server filesystem, including the application source code, the configuration, and system files, and obtain the critical technical and business-related information stored in the vulnerable SAP system.
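Two of the vulnerability classes in this review, the Missing Authorization Check from Note 1838854 and the Directory Traversal issues from Notes 2077260 and 2056333, come from the same root cause in custom ABAP code: a report that acts on user-supplied input without an explicit authorization check and without validating a file name before touching the server filesystem. The following report is an added example written for this review; it is not code from SAP, from the affected components, or from the security notes. The report name Z_SECURE_FILE_VIEW and the logical file name Z_EXPORT_DIR are hypothetical, and the parameter and exception names used for FILE_VALIDATE_NAME are assumed from SAP's documentation for that function module and should be checked against SE37 in your own system.

```abap
*&---------------------------------------------------------------------*
*& Report Z_SECURE_FILE_VIEW (hypothetical custom report, added example)
*& Reads one file from a fixed server directory and applies the two
*& checks the advisories above are about: an explicit AUTHORITY-CHECK
*& and server-side validation of the user-supplied file name.
*&---------------------------------------------------------------------*
REPORT z_secure_file_view.

" File name supplied by the user (PARAMETERS cannot be TYPE string).
PARAMETERS: p_fname TYPE c LENGTH 255 LOWER CASE.

" Assumption: Z_EXPORT_DIR is a logical file name maintained in
" transaction FILE whose physical path is a fixed export directory.
CONSTANTS: gc_logical_name TYPE fileintern VALUE 'Z_EXPORT_DIR'.

DATA: lv_physical TYPE string,
      lv_line     TYPE string.

" 1. Missing Authorization Check: refuse to run unless the caller may
"    read files from this program (object S_DATASET, ACTVT 33 = read).
AUTHORITY-CHECK OBJECT 'S_DATASET'
  ID 'PROGRAM'  FIELD sy-repid
  ID 'ACTVT'    FIELD '33'
  ID 'FILENAME' FIELD p_fname.
IF sy-subrc <> 0.
  MESSAGE 'You are not authorized to read files with this report' TYPE 'E'.
ENDIF.

" 2. Directory Traversal: never concatenate raw input into a path.
"    Reject path separators and ".." outright ...
IF p_fname CS '..' OR p_fname CA '/\'.
  MESSAGE 'File name must not contain path separators or ".."' TYPE 'E'.
ENDIF.

"    ... then let the system complete the relative name against the
"    logical file name and validate the resulting physical path.
"    Assumption: parameter/exception names as in SAP's FILE_VALIDATE_NAME.
lv_physical = p_fname.
CALL FUNCTION 'FILE_VALIDATE_NAME'
  EXPORTING
    logical_filename           = gc_logical_name
  CHANGING
    physical_filename          = lv_physical
  EXCEPTIONS
    logical_filename_not_found = 1
    validation_failed          = 2
    OTHERS                     = 3.
IF sy-subrc <> 0.
  MESSAGE 'File name rejected by logical file name validation' TYPE 'E'.
ENDIF.

" Only now touch the filesystem, and only with the validated path.
OPEN DATASET lv_physical FOR INPUT IN TEXT MODE ENCODING DEFAULT.
IF sy-subrc <> 0.
  MESSAGE 'File could not be opened' TYPE 'E'.
ENDIF.
DO.
  READ DATASET lv_physical INTO lv_line.
  IF sy-subrc <> 0.
    EXIT.
  ENDIF.
  WRITE: / lv_line.
ENDDO.
CLOSE DATASET lv_physical.
```

The order of the checks matters: the authorization check comes first so that an unauthorized user cannot even probe the file name validation, and the literal ".." and separator check is a cheap first gate in front of the logical file name validation, which is the control that actually ties the request to a fixed directory. A report that skips the AUTHORITY-CHECK has the first vulnerability class above; one that passes p_fname straight into OPEN DATASET has the second.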

It is highly recommended to patch all of these issues to prevent business risks.

SAP has traditionally published acknowledgments to ERPScan security researchers on its website. Advisories with technical details will be published at ERPScan.com soon. Checks for these issues are already available in ERPScan Security Monitoring Suite.
