Focus on SAP GUI Security – SAP Security Notes March 2017
On 14 March 2017, SAP released its monthly set of SAP Security Notes, consisting of 35 patches, including ones that address SAP GUI vulnerabilities.
To help everyone engaged in the SAP patching process, the ERPScan research team conducted a detailed review of the released SAP Security Notes. This analysis would also be helpful for companies that provide SAP Vulnerability Assessment, SAP Security Audit, or SAP Penetration Testing.
SAP Security Notes March 2017 in review
The March batch of security patches includes 28 SAP Security Patch Day Notes and 7 Support Package Notes. 7 of the Notes are updates of previously released Security Notes.
8 of the released SAP Security Notes have a High priority rating and 1 is rated Hot News. The highest CVSS score among the vulnerabilities is 9.8.
Most of the vulnerabilities belong to the SAP NetWeaver ABAP platform.
The most common vulnerability type is Cross-Site Scripting.
Priority vs. Application type distribution
It is commonplace to say that SAP systems are complex. However, when it comes to SAP patching, this complexity must be taken into account. To simplify the process, the ERPScan research team created a table showing the distribution of Notes by priority and application area. Only the following rows of that table survive here:
- Defense Forces and Public Security: 2391018, 2381388
- Business intelligence solutions: 2386814
The most critical issues of SAP Security Notes March 2017
The most critical vulnerabilities of this update can be patched by the following SAP Security Notes:
- 2424173: SAP HANA User Self-Service has a Missing Authorization Check vulnerability (CVSS Base Score: 9.8). An attacker can use a Missing Authorization Check vulnerability to access the service without authorization and use functionality that should be restricted. This can lead to information disclosure, privilege escalation, and other attacks. Install this SAP Security Note to prevent the risks.
- 2429069: SAP HANA has a Session Fixation vulnerability (CVSS Base Score: 8.8). An authenticated attacker can predict valid session IDs of concurrent users logged on to the system. Install this SAP Security Note to prevent the risks.
- 2407616: SAP GUI for Windows has a Remote Command Execution vulnerability (CVSS Base Score: 8.0). An attacker can exploit a Remote Command Execution vulnerability to execute commands remotely without authorization. Executed commands run with the same privileges as the service that executed them.
Advisories for those SAP vulnerabilities with technical details will be available in 3 months on erpscan.com. The exploits are already available in ERPScan Security Monitoring Suite.
Find out more about the implementation process of the SAP GUI Security patches.