SAP has released the monthly critical patch update for September 2015. This patch update closes 20 vulnerabilities and 5 updates in SAP products, 16 of which are high priority, some of them belong to the SAP HANA security area. The most common vulnerability is Missing Authorization Check. This month, two critical vulnerabilities found by ERPScan researchers Vahagn Vardanyan and Roman Bezhan were closed.
About Missing Authorization Check
Missing Authorization Check enables accessing a service without any authorization and using service functionality that has restricted access. This can lead to information disclosure, privilege escalation, and other attacks.
According to a research titled Analysis of 3000 Vulnerabilities in SAP, missing authorization is the second most common issue in all SAP products and constitutes about 20%. Slightly more than 700 of such vulnerabilities have been closed in different SAP products (662 in SAP NetWeaver ABAP) since 2001.
Issues that were patched with the help of ERPScan
Below are the details of SAP vulnerabilities that were found by ERPScan researchers.
- An SQL Injection vulnerability in SAP Batch Processing (CVSS Base Score: 4.6). Update is available in SAP Security Note 2193389. An attacker can use SQL Injection with the help of specially crafted SQL queries. They can read and modify sensitive information from a database, execute administration operations in a database, destroy data or make it unavailable. In some cases, the attacker can access system data or execute OS commands.
- A Cross-Site Scripting vulnerability in SAP Java Monitoring (CVSS Base Score: 4.3). Update is available in SAP Security Note 2176785. An attacker can use Cross-Site Scripting for injecting a malicious script into a page.
Reflected XSS requires the attacker to trick a user: they must make a user to follow a specially crafted link. As for stored XSS, a malicious script is injected and permanently stored in a page body. This way, a user is attacked without performing any actions.
The malicious script can access all cookies, session tokens, and other critical information stored by the browser and used for interaction with websites. An attacker can gain access to a user's session and learn business-critical information. In some cases, it is possible to achieve control over this information. XSS can be also used for unauthorized modification of displayed site content.
The most critical issues closed by SAP Security Notes September 2015
Some of our readers and clients asked us to categorize the most critical SAP vulnerabilities to patch them first. Companies providing SAP Security Audit, SAP Vulnerability Assessment, or SAP Penetration Testing services can include these vulnerabilities in their checklists. The most critical vulnerabilities of this update can be patched by the following SAP Security Notes:
- 2197397: SAP HANA Extended Application Services (XS) has a Buffer Overflow vulnerability (CVSS Base Score: 9.3). An attacker can use Buffer Overflow for injecting specially crafted code into working memory. The code will be executed by the vulnerable application under the same privileges that the application has. This can lead to taking complete control over an application, denial of service, command execution, and other attacks. In case of command execution, attacker can obtain critical technical and business-related information stored in a vulnerable SAP system or use it for privilege escalation. As for denial of service, terminating the process of a vulnerable component is possible. Nobody will be able to use this service, resulting in a negative impact on business processes, system downtime, and, consequently, business reputation. It is recommended to install this SAP Security Note to prevent risks.
- 2197100: SAP function module SCTC_REFRESH_EXPORT_USR_CLNT has an OS Command Execution vulnerability (CVSS Base Score: 7.1). An attacker can use OS Command Execution for unauthorized execution of operating system commands. The commands will run with the same privileges as the service that executes them. An attacker can access arbitrary files and directories located in an SAP server file system, including application source code, configuration, and critical system files. They can obtain critical technical and business-related information stored in a vulnerable SAP system. It is recommended to install this SAP Security Note to prevent risks.
- 2200806: SAP Foreign Trade has a Missing Authorization Check vulnerability (CVSS Base Score: 6.0). An attacker can use Missing Authorization Checks to access a service without any authorization procedures and use service functionality that has restricted access. This can also lead to information disclosure, privilege escalation, and other attacks. It is recommended to install this SAP Security Note to prevent risks.
It is highly recommended to patch all those SAP vulnerabilities to prevent business risks affecting your SAP systems.
SAP has traditionally thanked the security researchers from ERPScan for found vulnerabilities on their acknowledgment page.
Advisories for those SAP vulnerabilities with technical details will be available in 3 months on erpscan.com. Exploits for the most critical vulnerabilities are already available in ERPScan Security Monitoring Suite.