SAP Note Security Analysis – January 2016
SAP has released the monthly critical patch update for January 2016. This patch update closes 23 vulnerabilities in SAP products (including ones closed after the second Tuesday of the previous month and before the second Tuesday of this month). Among them, there are 20 Patch Day Security Notes and 3 Support Package SAP notes. 13 of these SAP Notes have a high priority rating. The highest CVSS score of the vulnerabilities is 6.4.
Most of the discovered vulnerabilities relate to the Java security area, and 4 relate to the SAP HANA security area.
The most common vulnerability type is Cross-site scripting.
This month, five critical vulnerabilities found by ERPScan researchers Mathieu Geli and Vahagn Vardanyan were closed.
Issues that were patched with the help of ERPScan
Below are the details of the SAP vulnerabilities that were found by ERPScan researchers.
- Log injection and Denial of service vulnerabilities in SAP HANA Extended Application Services Classic (XS) (CVSS Base Score: 5.0). Update is available in SAP Security Note 2241978 (version of the SAP Note: 2). An unauthenticated attacker can create specially crafted HTTP requests to the SAP HANA Extended Application Services Classic debug function. This allows forging additional entries in the trace files of the XS process and thus consuming disk space of the HANA system. Also, the attacker can use a denial of service vulnerability to terminate processes of the vulnerable component. While the processes are down, nobody can use the service, which negatively affects business processes, causes system downtime and, as a result, damages business reputation.
- A Cross-site scripting vulnerability in SAP RWB (CVSS Base Score: 4.3). Update is available in SAP Security Note 2206793 (version of the SAP note: 2). An attacker can use a Cross-site scripting vulnerability to inject a malicious script into a page. More information about XSS vulnerabilities in SAP systems is available in ERPScan’s white paper.
- A Cross-site scripting vulnerability in SAP PMI (CVSS Base Score: 4.3). Update is available in SAP Security Note 2234918 (version of the note: 2). An attacker can use a Cross-site scripting vulnerability to inject a malicious script into a page.
- An Information disclosure vulnerability in SAP User Management Engine (CVSS Base Score: 3.5). Update is available in SAP Security Note 2191290 (version of the note: 3). An attacker can use an Information disclosure vulnerability to reveal additional information (system data, debugging information, etc.) that helps them learn more about the system and plan other attacks.
The most critical issues closed by SAP Notes in January 2016
Some of our readers and clients asked us to categorize the most critical SAP vulnerabilities so that they can patch them first. Companies providing SAP Security Audit, SAP Vulnerability Assessment, or SAP Penetration Testing services can include these vulnerabilities in their checklists. The most critical vulnerabilities of this update can be patched by the following SAP Security Notes:
- 2246277 (version of the note: 2): SAP on ORACLE database has an Implementation flaw vulnerability (CVSS Base Score: 6.4). Depending on the problem, an implementation flaw can cause unpredictable system behaviour and problems with stability and safety. Patches solve configuration errors, add new functionality and increase the system stability. Install this SAP Security Note to prevent risks.
- 2248735 (version of the note: 3): SAP System Administration Assistant has an OS command execution vulnerability (CVSS Base Score: 6.0). OS command execution vulnerability allows an attacker to run arbitrary commands on the target OS. The commands will run with the same privileges as the service that executes them. The attacker can access arbitrary files and directories located in an SAP server filesystem including application source code, configuration and critical system files. It allows them to obtain critical technical and business-related information stored in the vulnerable SAP system. Install this SAP Security Note to prevent risks.
- 2233550 (version of the note: 12): SAP HANA Database has an Encryption issues vulnerability (CVSS Base Score: 5.8). The communication encryption in the SAP HANA multi-tenant database container feature does not work as expected. Install this SAP Security Note to prevent risks.
It is highly recommended to implement the SAP Notes for all of these SAP vulnerabilities to prevent business risks affecting your SAP systems.
As is traditional, SAP has thanked the security researchers from ERPScan on its acknowledgment page for the vulnerabilities they found.
Advisories for those SAP vulnerabilities with technical details will be available in 3 months on erpscan.com. Exploits for the most critical vulnerabilities are already available in ERPScan Security Monitoring Suite.