On 14 of February 2017, SAP released its monthly set of SAP Security Notes consisting of 22 patches.
To help everyone who is engaged in SAP patching process, ERPScan research team conducted a detailed review of the released SAP Security notes. This analysis would also be useful for companies providing SAP Vulnerability Assessment, SAP Security Audit, or SAP Penetration Testing .
SAP Security Notes February 2017 in review
February’s batch of security patches includes 15 SAP Security Patch Day Notes and 7 Support Package Notes. 4 Notes are updates to previously released Security Notes.
7 of the patches were rated High risk, the remaining 15 were assessed Medium priority. The highest CVSS score of the vulnerabilities is 8.5.
Most of the vulnerabilities belong to the SAP NetWeaver ABAP platform.
The most common vulnerability type is Missing Authorization Check.
Priority vs. Application type distribution
The fact that SAP Systems are complex is a common place. However, when it comes to SAP patching, one should take it into account. To simplify this process, ERPScan research team created a table showing a distribution between priority and application area.
|SAP Business Information Warehouse||2386873|
|Governance, Risk and Compliance||2413716|
|Business intelligence solutions||2292351
|Sales and Distribution||2355398
|Customer Relationship Management||2347077|
The most critical issues closed by SAP Security Notes February 2017
The most critical vulnerabilities of this update can be patched by the following SAP Security Notes:
- 2408892: SAP Netweaver Data Orchestration has a Missing Authorization Check vulnerability (CVSS Base Score: 8.5). An attacker can use a Missing authorization check vulnerability to access the service without authorization and use service functionality that has restricted access. This can lead to an information disclosure, privilege escalation, and other attacks. Install this SAP Security Note to prevent the risks.
- 2413716: SAP GRC Access Control EAM has an Implementation flaw vulnerability (CVSS Base Score: 8.2). An implementation flaw can cause unpredictable behaviour of the system, troubles with stability and safety. Install this SAP Security Note to prevent the risks.
- 2391018: SAP 3D Visual Enterprise Author, Generator and Viewer has a Memory Corruption vulnerability (CVSS Base Score: 8). An attacker can use a Buffer overflow vulnerability to inject a specially crafted code into a working memory that will be executed by the vulnerable application. Executed commands will run with the same privileges as the service that executed the command. This can lead to taking complete control of the application, denial of service, command execution, and other attacks. Install this SAP Security Note to prevent the risks.
- Multiple vulnerabilities in SAP HANA (CVSS Base Score: 8.3). Update is available in SAP Security Note 2407694. An attacker can use a Denial of service vulnerability to crash a process of the vulnerable component. For this time, nobody would be able to use this service, which negatively influences business processes, system downtime, and, as a result, business reputation.
More about these SAP HANA vulnerabilities
More about SAP HANA Patching Process
Advisories for those SAP vulnerabilities with technical details will be available in 3 months on erpscan.com. Exploits for the most critical vulnerabilities are already available in ERPScan Security Monitoring Suite.