SAP has released the monthly critical patch update for November 2015. This patch update closes 23 vulnerabilities in SAP products (15 Patch Day Security Notes and 8 Support Package Security Notes), 13 of which are rated high priority; some of them belong to the SAP HANA security area. The most common vulnerability type is code injection. This month, two critical vulnerabilities found by ERPScan researchers Alexander Polyakov and Mathieu Geli were closed.
Issues that were patched with the help of ERPScan
Below are the details of the SAP vulnerabilities that were found by ERPScan researchers.
- A Remote termination of running processes vulnerability in SAP Plant Connectivity (CVSS Base Score: 7.1). The update is available in SAP Security Note 2238619. An attacker can use this vulnerability to terminate a process of the vulnerable component. While the process is down, nobody can use the service, which disrupts business processes, causes system downtime and, as a result, damages business reputation.
- Use of Base64 and DES to encrypt passwords in SAP xMII (CVSS Base Score: 2.1). The update is available in SAP Security Note 2240274. Base64 is an encoding rather than encryption, and DES is an obsolete cipher; neither gives a stored password real protection. A potential attacker who obtains the stored value can recover the password.
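The xMII note above concerns reversible password "protection". The following added example (written for this post, not ERPScan's or SAP's code) contrasts a reversible Base64 store, which any reader of the stored value undoes with one call, with a salted, iterated one-way hash (PBKDF2-HMAC-SHA256 from the Python standard library) plus a constant-time verify. DES is not in the standard library, so the weak side shows only the Base64 half of the scheme; the sample password and the storage-record format are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample credential for the demonstration; not taken from any real system.
SAMPLE_PASSWORD = "Winter2015!"


def weak_store(password: str) -> str:
    """Base64 'protection': an encoding, not encryption. Anyone who reads the
    stored value recovers the original password without any key."""
    return base64.b64encode(password.encode("utf-8")).decode("ascii")


def weak_recover(stored: str) -> str:
    """Shows that weak_store is fully reversible."""
    return base64.b64decode(stored).decode("utf-8")


# Work factor for PBKDF2; raise it as hardware gets faster.
ITERATIONS = 200_000
ALGO = "pbkdf2_sha256"


def strong_store(password: str, salt: Optional[bytes] = None) -> str:
    """One-way, salted, iterated hash. The record format
    'algo$iterations$salt_b64$digest_b64' is a constructed convention so that
    the parameters travel with the digest and can be upgraded later."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "%s$%d$%s$%s" % (
        ALGO,
        ITERATIONS,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def strong_verify(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and iteration count and
    compare in constant time; malformed records are simply rejected."""
    try:
        algo, iters, salt_b64, digest_b64 = stored.split("$")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        iterations = int(iters)
    except ValueError:
        return False
    if algo != ALGO:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    weak = weak_store(SAMPLE_PASSWORD)
    print("weak record:", weak, "-> recovered:", weak_recover(weak))
    strong = strong_store(SAMPLE_PASSWORD)
    print("strong record:", strong)
    print("verify correct password:", strong_verify(SAMPLE_PASSWORD, strong))
    print("verify wrong password:", strong_verify("guess", strong))
```

The hashed form applies to passwords the application only needs to check. Where the application must present the password itself to another system (an integration component authenticating to a downstream server, as xMII does with PCo), a one-way hash cannot be used; such secrets belong in a secure store under a key that is managed outside the application rather than under a fixed DES key embedded in it.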
Why are vulnerabilities in SAP xMII and SAP PCo critical?
The fact that different SAP applications are highly interconnected not only between each other but with manufacturing execution systems, plant floor systems, laboratory information management systems, and others makes them an attractive target for cybercriminals. The vulnerabilities discovered by ERPScan’s researchers affect applications that are a kind of bridge between the industrial and the ERP worlds.
SAP Plant Connectivity (SAP PCo) is a solution designed to exchange data between an SAP system and industry-specific data sources from different manufacturers, such as process control systems, plant historian systems, and SPC systems.
SAP xMII, or SAP Manufacturing Integration and Intelligence, provides the direct connection between plant floor and business operating systems. It consists of two components: manufacturing integration and manufacturing intelligence.
Let’s look at how it works. SAP business applications collect data about critical processes via SAP xMII (Manufacturing Integration and Intelligence). SAP xMII systems are connected to SAP PCo systems, which exchange information with OPC servers, which in turn have direct access to the PLC devices and systems that manage critical processes.
These vulnerabilities can be used as the starting point of a sophisticated multi-stage attack aimed at gaining control over linked systems. For example, an attack that is to be demonstrated at the Black Hat conference allows cybercriminals to gain access to devices that control such processes as oil and gas separation, burner management, fiscal metering, and tank management.
The most critical issues closed by SAP Security Notes November 2015
Some of our readers and clients asked us to categorize the most critical SAP vulnerabilities to patch them first. Companies providing SAP Security Audit, SAP Vulnerability Assessment, or SAP Penetration Testing services can include these vulnerabilities in their checklists. The most critical vulnerabilities of this update can be patched by the following SAP Security Notes:
- 2197100: SAP SCTC_REFRESH_EXPORT_USR_CLNT Function Module has an OS command execution vulnerability (CVSS Base Score: 7.1). An attacker can use this vulnerability to run operating system commands without authorization. Executed commands run with the same privileges as the service that executes them. The attacker can also access arbitrary files and directories located in the SAP server filesystem, including application source code, configuration, and critical system files. This allows obtaining critical technical and business-related information stored in the vulnerable SAP system. Install this SAP Security Note to prevent risks.
- 2221082: SAP WEBCUIF and CRMUIF have a Cross-site request forgery vulnerability (CVSS Base Score: 6.8). An attacker can use a Cross-site request forgery vulnerability to exploit an authenticated user’s session by sending a request containing a certain URL and specific parameters. The function will be executed with the authenticated user’s rights. To do this, an attacker may use a cross-site scripting vulnerability or send a specially crafted link to a victim. Install this SAP Security Note to prevent risks.
- 2001109: SAP Business Intelligence Authentication has an Information disclosure vulnerability (CVSS Base Score: 6.8). An attacker can use this vulnerability to reveal additional information (system data, debugging information, etc.) which will help to learn about a system and to plan other attacks. Install this SAP Security Note to prevent risks.
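The second note in the list above describes cross-site request forgery: a request carrying the right URL and parameters is executed with the victim's authenticated rights, whether it arrives via a crafted link or an injected script. The added example below (written for this post; it is not SAP's code and says nothing about how WEBCUIF or CRMUIF implement their fix) shows the standard defence, a per-session synchronizer token that a cross-origin page cannot read, checked in constant time on every state-changing request, with safe methods never changing state so that a plain link cannot trigger an action. The in-memory session store and the request handler are constructed for the demonstration.

```python
import hmac
import secrets
from typing import Dict, Tuple

# Constructed in-memory session store: session id -> session data.
SESSIONS: Dict[str, Dict[str, str]] = {}

# Methods that must never change server-side state; a crafted link only
# produces one of these, so no token is demanded for them.
SAFE_METHODS = ("GET", "HEAD", "OPTIONS")


def new_session(user: str) -> str:
    """Create a session and bind a fresh, unpredictable CSRF token to it.
    The token is embedded in the application's own forms, so a page on
    another origin can neither read nor guess it."""
    session_id = secrets.token_urlsafe(16)
    SESSIONS[session_id] = {"user": user, "csrf_token": secrets.token_urlsafe(32)}
    return session_id


def csrf_token_for(session_id: str) -> str:
    """What the application's own form rendering would embed as a hidden field."""
    return SESSIONS[session_id]["csrf_token"]


def handle_request(method: str, session_id: str, form: Dict[str, str]) -> Tuple[int, str]:
    """Return (status, message) for a request arriving with the browser's
    session cookie (session_id) and the submitted form fields."""
    session = SESSIONS.get(session_id)
    if session is None:
        return 401, "no authenticated session"
    if method in SAFE_METHODS:
        # Read-only handling; nothing here may modify state.
        return 200, "read-only response for %s" % session["user"]
    submitted = form.get("csrf_token", "")
    # Constant-time comparison; a missing or attacker-chosen token fails here.
    if not hmac.compare_digest(submitted, session["csrf_token"]):
        return 403, "CSRF token missing or invalid"
    return 200, "state changed for %s" % session["user"]


if __name__ == "__main__":
    sid = new_session("demo_user")
    # A forged cross-origin POST: the browser attaches the cookie, but the
    # attacker's page cannot supply the session-bound token.
    print(handle_request("POST", sid, {"action": "transfer"}))
    # The application's own form carries the token and succeeds.
    print(handle_request("POST", sid, {"action": "transfer", "csrf_token": csrf_token_for(sid)}))
```

The token must be tied to the session and compared in constant time; a token that is global, predictable, or exposed to cross-origin readers (for example through a cross-site scripting flaw, which is why the note pairs the two) no longer protects the request.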
It is highly recommended to patch all those SAP vulnerabilities to prevent business risks affecting your SAP systems.
SAP has traditionally thanked the ERPScan security researchers for the vulnerabilities they found on its acknowledgment page.
Advisories for those SAP vulnerabilities with technical details will be available in 3 months on erpscan.com. Exploits for the most critical vulnerabilities are already available in ERPScan Security Monitoring Suite.