
SAP Security Notes July 2017

On the 11th of July 2017, SAP released its monthly set of SAP Security Notes consisting of 23 patches.

To help everyone engaged in the SAP patching process, the ERPScan research team conducted a detailed review of the released SAP Security Notes. This analysis comes in handy for companies providing SAP Vulnerability Assessment, SAP Security Audit, or SAP Penetration Testing.

SAP Security Notes July 2017 in review

July’s set of security patches includes 23 SAP Security Notes (12 SAP Security Patch Day Notes and 11 Support Package Notes). 5 of them are updates to previously released Security Notes.

4 of the released SAP Security Notes have a High priority rating. The highest CVSS score of the vulnerabilities is 8.1.

Most of the vulnerabilities belong to the SAP NetWeaver ABAP platform.

SAP Security Notes Distribution by stack

The most common vulnerability types are Missing Authentication check, Switchable authorization check, and Implementation flaw.

Priority vs. Application type distribution

That SAP systems are complex is a commonplace; however, when it comes to SAP patching, one should take this complexity into account. To simplify the process, the ERPScan research team created a table showing how the Notes are distributed between priority and application area.

  • POS (Industry solution – Retail): 2476601
  • Customer Relationship Management: 2478964, 1568213
  • Basis Components: 2442993, 2416119, 1854252, 2142551, 2478377, 2459319
  • Business intelligence solutions: 2458021, 2409262, 2398144
  • Governance, Risk and Compliance: 2453640
  • SAP NetWeaver Master Data Management: 2424742
  • Supply Chain Management: 1920522
  • Financials: 2100926
  • Public Sector Management: 2184221
  • Financial Services: 2218598
  • Enterprise Portal: 2158791
  • Logistics – General: 2088593
  • Cross-Application Basis Components: 2185122
  • SAP Business Information Warehouse: 2389764
  • Industry Solutions – Utilities: 2253026

The most critical issues of SAP Security Notes July 2017

The most critical vulnerabilities of this update can be patched by the following SAP Security Notes:

  • Multiple Missing authorization check vulnerabilities in SAP Point of Sale (PoS) (CVSS Base Score: 8.1). Update is available in SAP Security Note 2476601. An attacker can use a Missing authorization check vulnerability to access a service without any authorization procedure and use service functionality that has restricted access. This can lead to an information disclosure, privilege escalation, and other attacks.
  • A Missing authorization check vulnerability in SAP Host Agent (CVSS Base Score: 7.5). Update is available in SAP Security Note 2442993. An attacker can use a Missing authorization check vulnerability to access a service without any authorization procedure and use service functionality that has restricted access. This can lead to an information disclosure, privilege escalation, and other attacks.
  • 2453640: SAP Governance, Risk and Compliance Access Controls (GRC) has a Code injection vulnerability (CVSS Base Score: 6.5). Depending on the code type, attackers can inject and run their own code, obtain additional information that should not be displayed, modify or delete data, modify the output of the system, create new users with higher privileges, control the behavior of the system, escalate privileges by executing malicious code, or even perform a DoS attack. Install this SAP Security Note to prevent these risks.

SAP Point of Sale (POS) patching process

The most severe vulnerability of SAP Security Notes July 2017 affects SAP POS, a client-server point-of-sale solution from the German software maker. The missing authorization checks allow an attacker to:

  • Read, write, or delete files stored on the SAP POS server;
  • Shut down the Xpress Server application;
  • Monitor all content displayed in the receipt window of a POS.

The potential damage from successful exploitation makes it essential to apply the patch as soon as possible. The ERPScan research team provides a guideline on how to install the SAP POS patch.

1. First of all, check the version of the installed SAP POS Xpress Server.

We have SAP POS Xpress Server 10.3.0 SP11 Build 1113.

SAP POS Patching - File name

2. Go to SAP Security Note 2476601 and download the patch (all files).

3. Stop the server by clicking the Stop server button.

4. Extract the downloaded files and copy them to the SAP POS Xpress Server directory, for example C:\Program Files (x86)\SAP\Retail Systems\Xpress Server.

SAP POS Patching - Copy file

Also copy the extracted xpscmd32.dll, xpscmd32.pdb, tmxutl32.dll and tmxutl32.pdb files to “C:\Program Files (x86)\Common Files\SAP Shared\Retail Systems”.

5. Set the new parameter BACKOFFICEIPADDRESS if the Back Office applications are not hosted on the same system as the Xpress Server.

To do so, add the new parameter BACKOFFICEIPADDRESS = [ip] to the local.ini file.

The file is located here: C:\Program Files (x86)\SAP\Retail Systems\Xpress Server\Parm\

6. Start the server by clicking the Start server button and check the version.

SAP POS Patching - Start server

SAP POS Xpress Server was updated successfully to version 10.3.0 SP11 Build 1171.
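Steps 4 and 5 above, scripted as a PowerShell deployment with a backup of the files it overwrites and an idempotent local.ini edit. This is an added example, not ERPScan's or SAP's own tooling; the patch directory C:\Temp\SAPPOS_2476601 and the fact that the archive extracts flat are assumptions, and the server is expected to be stopped beforehand as in step 3.

```powershell
# Added example (not from ERPScan or SAP): scripted version of steps 4-5 of the
# SAP POS patching guideline. Assumptions: the files from SAP Security Note
# 2476601 are already extracted flat into $PatchDir, and the Xpress Server was
# stopped via its console (step 3) before this runs.
param(
    [string]$PatchDir     = 'C:\Temp\SAPPOS_2476601',   # hypothetical extraction folder
    [string]$ServerDir    = 'C:\Program Files (x86)\SAP\Retail Systems\Xpress Server',
    [string]$SharedDir    = 'C:\Program Files (x86)\Common Files\SAP Shared\Retail Systems',
    [string]$BackOfficeIp = ''   # leave empty when Back Office runs on this host
)
$ErrorActionPreference = 'Stop'
$sharedFiles = 'xpscmd32.dll', 'xpscmd32.pdb', 'tmxutl32.dll', 'tmxutl32.pdb'

# Make sure the four shared libraries named in the guideline are actually in the patch set.
foreach ($name in $sharedFiles) {
    if (-not (Test-Path (Join-Path $PatchDir $name))) { throw "Patch file missing: $name" }
}

# Step 4: back up every file the patch overwrites so the change can be rolled back,
# then copy the extracted files into the Xpress Server directory.
$backup = Join-Path $ServerDir ('Backup_' + (Get-Date -Format 'yyyyMMdd_HHmmss'))
New-Item -ItemType Directory -Path $backup | Out-Null
Get-ChildItem -Path $PatchDir -File | ForEach-Object {
    $existing = Join-Path $ServerDir $_.Name
    if (Test-Path $existing) { Copy-Item $existing $backup }
    Copy-Item $_.FullName $ServerDir -Force
}
# Step 4, second part: the shared libraries also go to the SAP Shared folder.
foreach ($name in $sharedFiles) {
    Copy-Item (Join-Path $PatchDir $name) $SharedDir -Force
}

# Step 5: set BACKOFFICEIPADDRESS in Parm\local.ini only when Back Office is remote.
# Any previous value is replaced, so re-running the script does not duplicate the line.
# The Note gives no section name, so the parameter is appended at the end of the file.
if ($BackOfficeIp) {
    if (-not ($BackOfficeIp -as [System.Net.IPAddress])) { throw "Invalid IP: $BackOfficeIp" }
    $ini   = Join-Path $ServerDir 'Parm\local.ini'
    $lines = @()
    if (Test-Path $ini) { $lines = @(Get-Content $ini) }
    $lines = @($lines | Where-Object { $_ -notmatch '^\s*BACKOFFICEIPADDRESS\s*=' })
    $lines += "BACKOFFICEIPADDRESS = $BackOfficeIp"
    Set-Content -Path $ini -Value $lines
}

# Record hashes of the deployed files so the post-patch state (step 6) can be verified later.
Get-ChildItem -Path $ServerDir -File | Get-FileHash | Select-Object Path, Hash
```

Run it from an elevated PowerShell session, then complete step 6 (start the server and confirm the build number) from the Xpress Server console.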
