On the 11th of July 2017, SAP released its monthly set of SAP Security Notes consisting of 23 patches.
To help everyone who is engaged in the SAP patching process, the ERPScan research team conducted a detailed review of the released SAP Security Notes. This analysis comes in handy for companies providing SAP Vulnerability Assessment, SAP Security Audit, or SAP Penetration Testing.
SAP Security Notes July 2017 in review
July’s set of security patches includes 23 SAP Security Notes (12 SAP Security Patch Day Notes and 11 Support Package Notes). 5 of them are updates to previously released Security Notes.
4 of the released SAP Security Notes have a High priority rating. The highest CVSS score of the vulnerabilities is 8.1.
Most of the vulnerabilities belong to the SAP NetWeaver ABAP platform.
The most common vulnerability types are Missing Authentication check, Switchable authorization check, and Implementation flaw.
Priority vs. Application type distribution
That SAP systems are complex is commonplace knowledge; however, when it comes to SAP patching, one should take it into account. To simplify this process, the ERPScan research team created a table showing the distribution of the released notes by application area.
| Application area | SAP Security Note |
|---|---|
| POS (Industry solution – Retail) | 2476601 |
| Customer Relationship Management | 2478964 |
| Business intelligence solutions | 2458021 |
| Governance, Risk and Compliance | 2453640 |
| SAP NetWeaver Master Data Management | 2424742 |
| Supply Chain Management | 1920522 |
| Public Sector Management | 2184221 |
| Logistics – General | 2088593 |
| Cross-Application Basis Components | 2185122 |
| SAP Business Information Warehouse | 2389764 |
| Industry Solutions – Utilities | 2253026 |
The most critical issues of SAP Security Notes July 2017
The most critical vulnerabilities of this update can be patched by the following SAP Security Notes:
- Multiple Missing authorization check vulnerabilities in SAP Point of Sale (PoS) (CVSS Base Score: 8.1). Update is available in SAP Security Note 2476601. An attacker can use a Missing authorization check vulnerability to access a service without any authorization procedure and use service functionality that has restricted access. This can lead to an information disclosure, privilege escalation, and other attacks.
- A Missing authorization check vulnerability in SAP Host Agent (CVSS Base Score: 7.5). Update is available in SAP Security Note 2442993. An attacker can use a Missing authorization check vulnerability to access a service without any authorization procedure and use service functionality that has restricted access. This can lead to an information disclosure, privilege escalation, and other attacks.
- 2453640: SAP Governance, Risk and Compliance Access Controls (GRC) has a Code injection vulnerability (CVSS Base Score: 6.5). Depending on the code type, attackers can inject and run their own code, obtain additional information that should not be displayed, modify or delete data, modify the output of the system, create new users with higher privileges, control the behavior of the system, escalate privileges by executing malicious code, or even perform a DoS attack. Install this SAP Security Note to prevent these risks.
SAP Point of Sale (POS) patching process
The most severe vulnerability of SAP Security Notes – July 2017 affects SAP POS, a client-server point-of-sale solution from the German software maker. The missing authorization checks allow an attacker to:
- Read/write/delete files stored on SAP POS server;
- Shutdown the Xpress Server application;
- Monitor all content displayed on a receipt window of a POS.
The damage in case of successful exploitation makes it essential to apply the patch as soon as possible. The ERPScan research team provides a guideline on how to install the SAP POS patch.
1. First of all, check the version of the installed SAP POS Xpress Server.
We have SAP POS Xpress Server 10.3.0 SP11 Build 1113.
2. Go to SAP Security Note 2476601 and download the patch (all files).
3. Stop the server by clicking on the button Stop server.
4. Extract the downloaded files and put them into the SAP POS Xpress Server directory, for example – C:\Program Files (x86)\SAP\Retail Systems\Xpress Server
Also, copy the extracted xpscmd32.dll, xpscmd32.pdb, tmxutl32.dll and tmxutl32.pdb files to “C:\Program Files (x86)\Common Files\SAP Shared\Retail Systems”
5. Set a new parameter BACKOFFICEIPADDRESS if the Back Office Applications are not hosted at the same system as the Xpress Server.
To do so, add the new parameter to the file local.ini as a line of the form BACKOFFICEIPADDRESS = [ip].
The file is located here: C:\Program Files (x86)\SAP\Retail Systems\Xpress Server\Parm\
6. Start the server – Click on the button Start server and check the version.
SAP POS Xpress Server was updated successfully to the version 10.3.0 SP11 Build 1171
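As an added example (not part of the ERPScan post and not SAP's own tooling), the following Python helper covers the configuration and file-copy steps above: it sets BACKOFFICEIPADDRESS in local.ini after validating the address, and reports which of the four files from step 4 are still missing from the Common Files directory. It assumes local.ini is a plain KEY = value file (the SAP note does not specify a section) and uses a constructed sample file rather than a real customer configuration.

```python
"""Helpers for the SAP POS Xpress Server patch steps 4 and 5.

Assumptions (not taken from SAP Security Note 2476601): local.ini holds plain
KEY = value lines, any section headers or comments are left untouched, and the
four file names below are the ones step 4 says belong in the Common Files folder.
"""
import ipaddress
from pathlib import Path

# Files that step 4 requires in "C:\Program Files (x86)\Common Files\SAP Shared\Retail Systems".
SHARED_FILES = ("xpscmd32.dll", "xpscmd32.pdb", "tmxutl32.dll", "tmxutl32.pdb")
PARAM = "BACKOFFICEIPADDRESS"


def set_backoffice_ip(ini_text: str, ip: str) -> str:
    """Return local.ini text with BACKOFFICEIPADDRESS set to a validated IP.

    An existing line for the key (matched case-insensitively) is rewritten in
    place; otherwise the line is appended. Every other line is kept as-is.
    Raises ValueError if `ip` is not a syntactically valid IPv4/IPv6 address.
    """
    addr = str(ipaddress.ip_address(ip.strip()))  # rejects e.g. "10.0.0.999"
    new_line = f"{PARAM} = {addr}"
    lines = ini_text.splitlines()
    replaced = False
    for i, line in enumerate(lines):
        if line.lstrip().startswith((";", "#")):  # comment line, leave alone
            continue
        key = line.split("=", 1)[0].strip().upper()
        if key == PARAM:
            lines[i] = new_line
            replaced = True
    if not replaced:
        lines.append(new_line)
    return "\n".join(lines) + "\n"


def missing_shared_files(shared_dir: str) -> list:
    """Names from step 4 that are not present in the given Common Files directory."""
    base = Path(shared_dir)
    return [name for name in SHARED_FILES if not (base / name).is_file()]


# Constructed sample local.ini, not a real customer file.
SAMPLE_INI = "; Xpress Server parameters\nSOMEKEY = 1\nbackofficeipaddress = 10.0.0.1\n"

if __name__ == "__main__":
    print(set_backoffice_ip(SAMPLE_INI, "192.0.2.10"))
    print("missing:", missing_shared_files(r"C:\Program Files (x86)\Common Files\SAP Shared\Retail Systems"))
```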