
SAP vulnerabilities highlighted in many reports such as HP Cyber Risk Report 2015

HP recently published its yearly Cyber Risk Report 2015. Much of it covers trends common to the whole industry, such as the growing number of ATM and IoT security incidents, but several parts concern business application security, and those are the ones we want to share with our readers, customers and partners.

According to the report, the HP Zero Day Initiative (ZDI) coordinated the disclosure and remediation of over 400 high-severity vulnerabilities in 2014, 24 of which affected SAP products. The vendors with the most ZDI disclosures were: 1. Microsoft; 2. Hewlett-Packard; 3. Advantech; 4. SAP; 5. Apple.

ZDI has published SAP vulnerabilities before, but 2014 is the first year in which the number of SAP advisories became this significant.

According to the ZDI Report:

In 2013 there were a number of SCADA vulnerabilities, but 2014 marks the first year where a SCADA vendor is among the top vendors with vulnerabilities disclosed against its products. Advantech focuses on automation controllers, industrial control products, and single board computers. SAP is on the list due to an audit ZDI analysts conducted against one of its products, which yielded a large number of findings.

The point is not only the number of vulnerabilities (although it is considerable) but their criticality: the average CVSS score of the identified SAP issues is 7.7 and the maximum is 9.5.

Affected SAP products include:

  • SAP SQL Anywhere (4 vulnerabilities, average CVSS 9.0)
  • SAP Sybase ESP (18 vulnerabilities, average CVSS 7.5)
  • SAP Crystal Reports (2 vulnerabilities, average CVSS 6.8)

Detailed information about the identified vulnerabilities is given in the table below. Dates are in MM.DD.YYYY format; "(0Day)" marks advisories that ZDI published before a vendor fix was available.

Product | Vulnerability (ZDI advisory title) | CVSS | Date
SAP SQL Anywhere | SAP SQL Anywhere .NET Data Provider Malformed Integer Stack Buffer Overflow Code Execution Vulnerability | 9.5 | 12.09.2014
SAP SQL Anywhere | SAP SQL Anywhere .NET Data Provider REPLICATE Function Heap Overflow Code Execution Vulnerability | 8.5 | 12.09.2014
SAP SQL Anywhere | SAP SQL Anywhere .NET Data Provider SPACE Function Heap Overflow Code Execution Vulnerability | 8.5 | 12.09.2014
SAP SQL Anywhere | SAP SQL Anywhere .NET Data Provider Column Alias Stack Buffer Overflow Code Execution Vulnerability | 9.5 | 12.09.2014
SAP Crystal Reports | SAP Crystal Reports Connection String Processing Double Free Remote Code Execution Vulnerability | 6.8 | 09.03.2014
SAP Crystal Reports | SAP Crystal Reports Datasource Stack Buffer Overflow Remote Code Execution Vulnerability | 6.8 | 09.03.2014
SAP Sybase ESP (0Day) | SAP Sybase ESP esp_parse ConnectionType.getConnection Remote Code Execution Vulnerability | 7.5 | 05.22.2014
SAP Sybase ESP (0Day) | SAP Sybase ESP esp_parse ConnectionType.isInput Remote Code Execution Vulnerability | 7.5 | 05.22.2014
SAP Sybase ESP (0Day) | SAP Sybase ESP esp_parse Connection.getSampleRow Remote Code Execution Vulnerability | 7.5 | 05.22.2014
SAP Sybase ESP (0Day) | SAP Sybase ESP esp_parse Connection.getFieldTypes Remote Code Execution Vulnerability | 7.5 | 05.22.2014
SAP Sybase ESP (0Day) | SAP Sybase ESP esp_parse Connection.getFieldNames Remote Code Execution Vulnerability | 7.5 | 05.22.2014
SAP Sybase ESP (0Day) | SAP Sybase ESP esp_parse Connection.setParams Remote Code Execution Vulnerability | 7.5 | 05.22.2014
SAP Sybase ESP (0Day) | SAP Sybase ESP esp_parse Connection.destroy Remote Code Execution Vulnerability | 7.5 | 05.22.2014
SAP Sybase ESP (0Day) | SAP Sybase ESP esp_parse Connection.dispose Remote Code Execution Vulnerability | 7.5 | 05.22.2014
SAP Sybase ESP (0Day) | SAP Sybase ESP esp_parse Connection.getTableNames Remote Code Execution Vulnerability | 7.5 | 05.22.2014
SAP Sybase ESP (0Day) | SAP Sybase ESP esp_parse Connection.setScanDepth Remote Code Execution Vulnerability | 7.5 | 05.22.2014
SAP Sybase ESP (0Day) | SAP Sybase ESP esp_parse Connection.canDiscover Remote Code Execution Vulnerability | 7.5 | 05.22.2014
SAP Sybase ESP (0Day) | SAP Sybase ESP esp_parse Connection.getError Remote Code Execution Vulnerability | 7.5 | 05.22.2014
SAP Sybase ESP (0Day) | SAP Sybase ESP esp_parse Connection.reset Remote Code Execution Vulnerability | 7.5 | 05.22.2014
SAP Sybase ESP (0Day) | SAP Sybase ESP esp_parse Connection.getErrors Remote Code Execution Vulnerability | 7.5 | 05.22.2014
SAP Sybase ESP (0Day) | SAP Sybase ESP esp_parse ConnectionType.getName Remote Code Execution Vulnerability | 7.5 | 05.22.2014
SAP Sybase ESP (0Day) | SAP Sybase ESP esp_parse ConnectionType.getParamNames Remote Code Execution Vulnerability | 7.5 | 05.22.2014
SAP Sybase ESP (0Day) | SAP Sybase ESP esp_parse ConnectionType.getXmlDescription Remote Code Execution Vulnerability | 7.5 | 05.22.2014
SAP Sybase ESP (0Day) | SAP Sybase ESP esp_parse Connection.getType Remote Code Execution Vulnerability | 7.5 | 05.22.2014

Last year brought not only the vulnerabilities disclosed by ZDI; other independent sources also recorded growth in the number of issues in SAP applications.

Another source published the total number of vulnerabilities per vendor, and there SAP, for the first time in its history, took 10th place by number of vulnerabilities (178 vulnerabilities by October 2014).

According to the latest statistics, SAP takes 27th place among all vendors (open source projects included) in the CVE database, with 236 vulnerabilities in total. 81 SAP vulnerabilities were published in CVE in 2014, about four times the previous year's count and the highest number ever.

Number of SAP vulnerabilities in CVE database

By following the link you can find more details.

But the real number of vulnerabilities fixed in SAP products is higher than any of those sources list.

A CVE ID is only assigned when the vendor or a third-party numbering authority requests one, so the CVE database cannot count what nobody reports to it. According to the SAP Support Portal, 388 SAP Security Notes were released in 2014 alone, 7% more than in 2013 (364). An SAP Security Note is a patch that usually closes one or more vulnerabilities in SAP applications, discovered either by third-party companies or by SAP's internal security team. One or more: so the number of fixed vulnerabilities is even higher than the number of Security Notes, and certainly higher than the number that can be found in CVE, ZDI and other public sources.

And it is not only about vulnerabilities in SAP's own products. If developers as experienced as SAP's still leave holes in their code, imagine the state of the custom code written by organizations that use and customize SAP systems, or, more importantly, by outsourced developers. As you know, security is rarely the strong side of outsourcing: fierce competition between outsourcing companies pushes them to minimize time and resources, and security is usually what suffers.

We help our customers meet their security requirements and regularly publish detailed guidelines on securing their systems against different classes of issues.

Our latest guideline, "Securing SAP Systems from XSS vulnerabilities", covers the vulnerability class that appears most often in SAP Security Notes: XSS, or Cross-Site Scripting. It is our new ultimate SAP security guide for improving the security of SAP NetWeaver ABAP, SAP NetWeaver J2EE and SAP HANA.

To find this guide and our other guides, please follow the link.