SAP released its monthly critical patch update for June 2015, which closes a large number of vulnerabilities in SAP products. The most common vulnerability type is Missing Authorization Check. This month, three critical vulnerabilities found by ERPScan researchers Vahagn Vardanyan, Rustem Gazizov, and Diana Grigorieva were closed.
Issues that were patched with the help of ERPScan
Below are the details of the SAP vulnerabilities that were found by ERPScan researchers.
- An XML eXternal Entity vulnerability in SAP Mobile Platform on-premise (CVSS Base Score: 5.5). The update is available in SAP Security Note 2159601. An attacker can use XML eXternal Entities to send specially crafted unauthorized XML requests, which will be processed by the XML parser, and thereby gain unauthorized access to the OS file system.
- A Hardcoded Credentials vulnerability in SAP Cross-System Tools (CVSS Base Score: 3.6). The update is available in SAP Security Note 2059659. An attacker can use the hardcoded credentials to gain unauthorized access and perform various actions in the system. In addition, it is likely that the code was implemented as a backdoor into the system.
- A Hardcoded Credentials vulnerability in SAP Data Transfer Workbench (CVSS Base Score: 2.1). The update is available in SAP Security Note 2057982. An attacker can use the hardcoded credentials to gain unauthorized access and perform various actions in the system. In addition, it is likely that the code was implemented as a backdoor into the system.
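The XXE issue above (SAP Security Note 2159601) exists because a parser resolves entities declared in a DTD. The standard mitigation is to refuse DTDs from untrusted input altogether. The following is an added example written for this post, not code from SAP or ERPScan: it scans for a DOCTYPE declaration (decoding first so a UTF-16 document cannot hide the keyword), rejects the document if one is present, and parses with the Python standard library. The sample documents and the `file:///PLACEHOLDER/...` path are constructed for the demonstration.

```python
import codecs
import re
import xml.etree.ElementTree as ET

# Added example (not code from SAP or ERPScan): refuse DTDs in untrusted XML so
# no external entity can be declared, then parse with the standard library.

_DOCTYPE_RE = re.compile(r"<!DOCTYPE", re.IGNORECASE)


class UnsafeXmlError(ValueError):
    """Raised when an untrusted document tries to declare a DTD."""


def _scan_text(data: bytes) -> str:
    # Decode for the keyword scan only, so a UTF-16 prolog cannot hide "<!DOCTYPE".
    for bom, enc in ((codecs.BOM_UTF8, "utf-8"),
                     (codecs.BOM_UTF16_LE, "utf-16-le"),
                     (codecs.BOM_UTF16_BE, "utf-16-be")):
        if data.startswith(bom):
            return data[len(bom):].decode(enc, errors="replace")
    if data[:2] == b"<\x00":      # BOM-less UTF-16LE document starting with '<'
        return data.decode("utf-16-le", errors="replace")
    if data[:2] == b"\x00<":      # BOM-less UTF-16BE
        return data.decode("utf-16-be", errors="replace")
    return data.decode("utf-8", errors="replace")


class _NoDoctypeBuilder(ET.TreeBuilder):
    # Second layer: ElementTree reports a DOCTYPE to the parser target, so reject it there too.
    def doctype(self, name, pubid, system):
        raise UnsafeXmlError("DOCTYPE %r rejected by parser target" % name)


def parse_untrusted_xml(data: bytes) -> ET.Element:
    if _DOCTYPE_RE.search(_scan_text(data)):
        raise UnsafeXmlError("DOCTYPE declarations are not accepted from untrusted input")
    parser = ET.XMLParser(target=_NoDoctypeBuilder())
    parser.feed(data)
    return parser.close()


def rejects(data: bytes) -> bool:
    """True if the document is refused, False if it parses."""
    try:
        parse_untrusted_xml(data)
    except UnsafeXmlError:
        return True
    return False


# Constructed sample documents; the SYSTEM path is a placeholder, not a real target.
BENIGN = b"<order><id>42</id><item>widget</item></order>"
XXE_SAMPLE = (
    b'<?xml version="1.0"?>\n'
    b'<!DOCTYPE order [<!ENTITY ext SYSTEM "file:///PLACEHOLDER/secret.txt">]>\n'
    b"<order><id>&ext;</id></order>"
)

if __name__ == "__main__":
    print("benign rejected:", rejects(BENIGN))                                    # False
    print("xxe sample rejected:", rejects(XXE_SAMPLE))                            # True
    print("utf-16 xxe rejected:", rejects(XXE_SAMPLE.decode().encode("utf-16")))  # True
```

Rejecting the whole DOCTYPE is deliberate: trying to allow "harmless" internal entities while filtering external ones leaves room for parser-specific edge cases, and almost no application protocol needs a DTD from a remote party.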
The most critical issues closed by SAP Security Notes June 2015
Our readers and clients asked us to categorize the most critical SAP vulnerabilities so that they can be patched first. Companies that provide SAP Security Assessment, SAP Vulnerability Assessment, or SAP Penetration Testing services can include these vulnerabilities in their checklists. The most critical vulnerabilities of this update can be patched by the following SAP Security Notes:
- 2151237: SAP GUI for Windows has a Buffer Overflow vulnerability (CVSS Base Score: 9.3). An attacker can use the Buffer Overflow to inject specially crafted code into the working memory, where it will be executed by the vulnerable application under the privileges of that application. This can lead to the attacker taking complete control over the application, denial of service, command execution, and other attacks. In the case of command execution, an attacker can obtain critical technical and business-related information stored in the vulnerable SAP system or escalate their own privileges. In the case of denial of service, the process of the vulnerable component may be terminated; during that time nobody will be able to use the service, which negatively affects business processes, causes system downtime and, consequently, damages the business reputation. It is recommended to install this SAP Security Note to prevent risks.
- 2129609: SAP EP JDBC Connector has an SQL Injection vulnerability (CVSS Base Score: 6.5). An attacker can exploit the SQL Injection with specially crafted SQL queries to read and modify sensitive information in the database, execute administrative operations on the database, and destroy the data or make it unavailable. In some cases, an attacker can access system data or execute OS commands. It is recommended to install this SAP Security Note to prevent risks.
- 1997734: SAP RFC runtime has a Missing Authorization Check vulnerability (CVSS Base Score: 6.0). An attacker can use the Missing Authorization Check to access a service without going through any authorization procedure and use service functionality that should have restricted access. This can lead to information disclosure, privilege escalation, and other attacks. It is recommended to install this SAP Security Note to prevent risks.
- 2163306: SAP CommonCryptoLib and SAPCRYPTOLIB are vulnerable to FREAK (CVE-2015-0204, CVSS Base Score: 5.0). It allows an attacker to intercept HTTPS connections between vulnerable clients and servers and force them to use weakened encryption, which the attacker can break to steal or manipulate sensitive data. These attacks assume a network adversary (i.e. a Man-in-the-Middle) able to tamper with TLS handshake messages. The typical scenario for mounting such attacks is to tamper with the Domain Name System (DNS), for example via DNS rebinding or domain name seizure. The attack targets a class of deliberately weak export cipher suites. It is recommended to install this SAP Security Note to prevent risks.
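The SQL Injection in the EP JDBC Connector (SAP Security Note 2129609) belongs to the class of bugs where request data is concatenated into SQL text. The following is an added example for this post, not SAP's connector code: it builds a constructed in-memory table with Python's `sqlite3`, shows the concatenated lookup next to the parameterized one on the same input, and adds the allow-list check that is needed for identifiers such as table names, which cannot be bound as parameters. The `accounts` table and its rows are constructed for the demonstration.

```python
import re
import sqlite3

# Added example (not SAP's EP JDBC Connector code): a constructed accounts table,
# a lookup built by string concatenation, and the same lookup with a bound parameter.

ALLOWED_TABLES = {"accounts", "accounts_archive"}
_IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (user TEXT, balance INTEGER, secret TEXT)")
    conn.execute("CREATE TABLE accounts_archive (user TEXT, balance INTEGER, secret TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", [
        ("alice", 100, "alice-secret"),   # constructed rows
        ("bob", 250, "bob-secret"),
    ])
    return conn


def lookup_vulnerable(conn, user: str) -> list:
    # Untrusted input becomes part of the SQL text, so the database parses it as SQL.
    sql = "SELECT user, balance FROM accounts WHERE user = '" + user + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, user: str) -> list:
    # The value is bound separately; whatever it contains is compared as data only.
    return conn.execute(
        "SELECT user, balance FROM accounts WHERE user = ?", (user,)
    ).fetchall()


def lookup_in_table(conn, table: str, user: str) -> list:
    # Identifiers (table/column names) cannot be bound as parameters, so they
    # must come from an allow-list rather than from the request.
    if table not in ALLOWED_TABLES or not _IDENT_RE.match(table):
        raise ValueError("table name not allowed: %r" % table)
    return conn.execute(
        'SELECT user, balance FROM "%s" WHERE user = ?' % table, (user,)
    ).fetchall()


def demo() -> dict:
    conn = make_db()
    tautology = "x' OR '1'='1"  # constructed input that rewrites the WHERE clause
    return {
        "vulnerable": lookup_vulnerable(conn, tautology),      # every row comes back
        "parameterized": lookup_parameterized(conn, tautology),  # no user has that name
        "normal": lookup_parameterized(conn, "bob"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

The same input reaches both lookups; only the way it is handed to the database differs. When reviewing a connector or custom report, the question to ask of every query is whether any part of its text, rather than its bound values, can be influenced by the caller.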
Learn more about the FREAK vulnerability:
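FREAK (SAP Security Note 2163306) works by getting a server to select one of the export-grade cipher suites and a client to accept it. A defender who wants to confirm that nothing in the estate still negotiates those suites can inspect captured handshakes. The following is an added example for this post, not SAP or CommonCryptoLib code: it parses the cipher suites out of a TLS ClientHello or ServerHello record and flags the export suites listed in RFC 2246 Appendix A.5. The `build_hello` helper produces constructed sample records (TLS 1.0 framing, zero random) so the script runs offline; real input would be the raw record bytes from a packet capture.

```python
import struct

# Added example (not SAP or CommonCryptoLib code): pull the cipher suites out of a
# TLS ClientHello/ServerHello record and flag the export-grade suites FREAK relies on.
# Suite identifiers are taken from RFC 2246 Appendix A.5.

EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x000B: "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x000E: "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0011: "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0017: "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
    0x0019: "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
}

HANDSHAKE = 0x16
CLIENT_HELLO, SERVER_HELLO = 1, 2


def _handshake(record: bytes):
    # TLSPlaintext: type(1) version(2) length(2); Handshake: msg_type(1) length(3)
    if len(record) < 9 or record[0] != HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) != rec_len:
        raise ValueError("truncated record")
    msg_type = body[0]
    msg_len = int.from_bytes(body[1:4], "big")
    msg = body[4:4 + msg_len]
    if len(msg) != msg_len:
        raise ValueError("truncated handshake message")
    return msg_type, msg


def cipher_suites(record: bytes) -> list:
    """Suites offered (ClientHello) or selected (ServerHello), as integers."""
    msg_type, msg = _handshake(record)
    pos = 2 + 32                      # client_version/server_version + random
    sid_len = msg[pos]
    pos += 1 + sid_len                # session_id<0..32>
    if msg_type == CLIENT_HELLO:
        n = struct.unpack("!H", msg[pos:pos + 2])[0]
        pos += 2
        if n % 2 or pos + n > len(msg):
            raise ValueError("bad cipher_suites vector")
        return [struct.unpack("!H", msg[i:i + 2])[0] for i in range(pos, pos + n, 2)]
    if msg_type == SERVER_HELLO:
        return [struct.unpack("!H", msg[pos:pos + 2])[0]]
    raise ValueError("not a ClientHello or ServerHello")


def export_suites_in(record: bytes) -> list:
    """Names of export-grade suites present in the hello; an empty list means clean."""
    return [EXPORT_SUITES[s] for s in cipher_suites(record) if s in EXPORT_SUITES]


def build_hello(msg_type: int, suites: list) -> bytes:
    # Builds constructed sample hellos (TLS 1.0 framing, zero random) for the demo;
    # real input would come from a packet capture.
    body = b"\x03\x01" + bytes(32) + b"\x00"            # version, random, empty session id
    if msg_type == CLIENT_HELLO:
        body += struct.pack("!H", 2 * len(suites))
        body += b"".join(struct.pack("!H", s) for s in suites)
        body += b"\x01\x00"                             # compression_methods: null only
    else:
        body += struct.pack("!H", suites[0]) + b"\x00"  # chosen suite, null compression
    msg = bytes([msg_type]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(msg)) + msg


if __name__ == "__main__":
    modern = build_hello(CLIENT_HELLO, [0x002F, 0x0035])             # AES-128/256 RSA suites
    downgraded = build_hello(SERVER_HELLO, [0x0003])                  # server picked RC4-40 export
    print("modern client hello:", export_suites_in(modern))          # []
    print("downgraded server hello:", export_suites_in(downgraded))  # ['TLS_RSA_EXPORT_WITH_RC4_40_MD5']
```

A ServerHello that selects any suite in `EXPORT_SUITES` is the observable symptom of a FREAK downgrade; a ClientHello that merely offers one shows a client that would accept it. Either finding means the endpoint's cipher configuration still needs attention after the note is applied.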
It is highly recommended to patch all those SAP vulnerabilities to prevent business risks affecting your SAP systems.
As usual, SAP thanked the security researchers from ERPScan on its acknowledgment page for the vulnerabilities they found.
Advisories for those SAP vulnerabilities with technical details will be available in 3 months on erpscan.com. Exploits for the most critical vulnerabilities are already available in ERPScan Security Monitoring Suite.