Focus on SAP GUI Security – SAP Security Notes March 2017

On 14 of March 2017, SAP released its monthly set of SAP Security Notes consisting of 35 patches including ones that address SAP GUI vulnerabilities.

To help everyone who is engaged in SAP patching process, ERPScan research team conducted a detailed review of the released SAP Security Notes. This analysis would also be helpful for companies that provide SAP Vulnerability Assessment, SAP Security Audit, or SAP Penetration Testing.

SAP Security Notes March 2017 in review

March batch of security patches includes 28 SAP Security Patch Day Notes and 7 Support Package Notes. 7 Notes are updates of the previously released Security Notes.

8 of the released SAP Security Notes have a High priority rating and 1 was rated as Hot news. The highest CVSS score of the vulnerabilities is 9.8.

SAP Security Notes Distribution by priority

Most of the vulnerabilities belong to the SAP NetWeaver ABAP platform.

SAP Security Notes Distribution by stack

The most common vulnerability type is Cross-Site Scripting.

SAP Security Notes Distribution by vulnerability type

Priority vs. Application type distribution

The fact that SAP Systems are complex is a common place. However, then it comes to SAP patching, one should take it into account. To simplify this process, ERPScan research team created a table showing a distribution between priority and application area.

2368082
Hot News High Medium Low
Basis Components 2319506
2418823
2407616
2405918
2416119
2318760
2372626
2332977
2333845
2335272
2417046
2418209
2372188
2433458
2366713
2280932
2406841
Defense Forces and Public Security 2391018 2381388
2378999
HANA 2424173 2429069 2424120 2426260
2428811
Business intelligence solutions 2386814
Financial Accounting 2417428
2345698
2367193
Enterprise Portal 2399804 2408100
2392509
Cross-Application Components 2360761 2185122

The most critical issues of SAP Security Notes March 2017

The most critical vulnerabilities of this update can be patched by the following SAP Security Notes:

  • 2424173: SAP HANA User Self-Service has a Missing Authorization Check vulnerability (CVSS Base Score: 9.8). An attacker can use a Missing Authorization Check vulnerability to access the service without authorization and use service functionality with a restricted access. This can lead to information disclosure, privilege escalation, and other attacks. Install this SAP Security Note to prevent the risks.
  • 2429069: SAP HANA has a Session fixation vulnerability (CVSS Base Score: 8.8). An authenticated attacker can predict valid session IDs for concurrent users that are logged on to the system. Install this SAP Security Note to prevent the risks.
  • A Remote Command Execution vulnerability in SAP GUI for Windows (CVSS Base Score: 8.0). The update is available in SAP Security Note 2407616. An attacker can exploit a Remote Command Execution vulnerability for an unauthorized execution of commands remotely. Executed commands will run with the same privileges as the service that executed them.

Advisories for those SAP vulnerabilities with technical details will be available in 3 months on erpscan.com. The exploits are already available in ERPScan Security Monitoring Suite.


Find out more about the implementation process of the SAP GUI Security patches.

Do you want more?

Subscribe me to your mailing list