SAP has released the monthly critical patch update for December 2015. This patch update closes 26 vulnerabilities in SAP products (19 Patch Day Security Notes and 7 Support Package Security notes), 16 of which are high priority. This month, two critical vulnerabilities found by ERPScan researchers Alexander Polyakov, Mathieu Geli and Vahagn Vardanyan were closed.
The largest part of vulnerabilities closed by this update relates to the "other" type according to SAP’s blog post. This is quite typical for business applications such as SAP. Due to their uniqueness and complexity, there are much more uncommon vulnerabilities comparing to traditional software where, as our research Analysis of 3000 SAP Security notes revealed, configuration issues constitute only 2%. Last year we analyzed SAP Security Notes by type, and about 300 vulnerabilities of almost 3000 were defined as configuration issues and about 150 were uncategorized. Configuration and other unusual issues in SAP are 5 times more common than in traditional products, thus, a significant part of cybersecurity measures falls on shoulders of administrators.
Issues that were patched with the help of ERPScan
Below are the details of the SAP vulnerabilities that were found by ERPScan researchers.
- An Authentication bypass vulnerability in SAP Mobile Platform SysAdminWebTool servlets (CVSS Base Score: 6.8). Update is available in SAP Security Note 2227855 (version of the note: 4). An attacker can use Authentication bypass vulnerability to access a service without any authorization procedure and use service functionality that has restricted access. This can lead to information disclosure and privilege escalation. Also, it can be exploited for remote file overwrite, denial of service, SMB relay attack, etc.
- An Implementation flaw vulnerability in SAP Log Viewer (CVSS Base Score: 4.6). Update is available in SAP Security Note 2240946 (version of the note: 3). Depending on a problem, an implementation flaw can cause unpredictable behaviour of a system, troubles with stability and safety. Patches solve configuration errors, add new functionaluty and increase system stability.
The most critical issues closed by SAP Security Notes December 2015
Some of our readers and clients asked us to categorize the most critical SAP vulnerabilities to patch them first. Companies providing SAP Security Audit, SAP Vulnerability Assessment, or SAP Penetration Testing services can include these vulnerabilities in their checklists. The most critical vulnerabilities of this update can be patched by the following SAP Security Notes:
- 2234226 (version of the note: 2): SAP TREX/BWA has an OS command execution vulnerability (CVSS Base Score: 7.5 ). An attacker can use this vulnerability to run operating system commands without authorization. Executed commands will run with the same privileges as the service that executes them. The attacker can also access arbitrary files and directories located in the SAP server filesystem, including application source code, configuration, and critical system files. They can obtain critical technical and business-related information stored in the vulnerable SAP system. Install this SAP Security Note to prevent risks.
- 2067570 (version of the note: 3): SAP BI Servers, security & CrystalReports viewing in BI platform has a denial of service vulnerability (CVSS Base Score: 7.1). An attacker can use a Denial of service vulnerability to terminate a process of the vulnerable component. For this time nobody can use this service, this fact negatively influences on business processes, system downtime and, as a result, business reputation. Install this SAP Security Note to prevent risks.
- 2227169 (version of the note: 3): SAP 3D Visual Enterprise Author, Generator and Viewer has a remote command execution vulnerability (CVSS Base Score: 6.8 ). An attacker can use Remote command execution vulnerability for unauthorized execution of commands remotely. Executed commands will run under the same privileges as the service that executed the command. The attacker can access arbitrary files and directories located in an SAP server filesystem including application source code, configuration, and critical system files. They can obtain critical technical and business-related information stored in the vulnerable SAP system. Install this SAP Security Note to prevent risks.
- 2165583 (version of note: 7): SAP HANA has an incorrect system configuration vulnerability (CVSS Base Score: 6.6). SAP HANA internal services could be accessed without authentication if the HANA system is insecurely configured and no other security measures are in place. This could endanger system availability, data confidentiality, and integrity. It is recommended to install this SAP Security Note to prevent risks.
It is highly recommended to patch all those SAP vulnerabilities to prevent business risks affecting your SAP systems.
SAP has traditionally thanked the security researchers from ERPScan for found vulnerabilities on their acknowledgment page.
Advisories for those SAP vulnerabilities with technical details will be available in 3 months on erpscan.com. Exploits for the most critical vulnerabilities are already available in ERPScan Security Monitoring Suite.