Critical combination of SAP security issues was patched out of schedule

Heidelberg, Germany – March 16, 2016 – SAP has recently released off-schedule patches to fix two critical vulnerabilities in its products.

Usually, SAP releases its monthly patch updates on the second Tuesday of each month, as it did last week. The patch update for March provided 28 patches to close vulnerabilities in a set of SAP products. Of the closed SAP Security Notes, 3 have a High priority rating and 2 have a Hot News rating. The highest CVSS score among the vulnerabilities is 9.0.

However, on the 14th of March the vendor released two SAP Security Notes to fix vulnerabilities which ERPScan researchers planned to disclose at the Troopers Security conference. This conference took place in Heidelberg, a few miles away from the SAP Headquarters in Walldorf. Every year the conference gathers top security experts to discuss the latest trends in cyber security. In 2014, a special SAP Security track was introduced.

ERPScan expert Dmitry Chastuhin delivered a presentation about critical vulnerabilities in the SAP NetWeaver application platform – the core set of services used in multiple SAP solutions such as ERP, CRM, PLM, and others across 20 different industries. The talk, titled “Exploiting the unexploitable”, revealed how typical low-severity vulnerabilities can sometimes be exploited together to gain full administrative access to the system. Dmitry showed how he managed to get full control of an SAP system by using one configuration mistake, two common denial of service vulnerabilities [1], [2] and some race condition magic.

“Usually, as companies have to deal with hundreds and even thousands of SAP vulnerabilities, they try to prioritize them by CVSS base score or other similar metrics, not taking into account different details such as other vulnerabilities which could increase the risks. With this presentation, we want to demonstrate that quite often even typical vulnerabilities can have a high-risk impact when combined together.”

– commented Dmitry Chastuhin, Director of SAP Cyber Security Services at ERPScan.