Recently, HP published its annual Cyber Risk Report 2015. Alongside the typical items spotlighted in such a report, such as a growing number of ATM and IoT security events, we found some parts relevant to business application security, which we are pleased to share with our readers, customers and partners.

According to the report, HP's Zero Day Initiative (ZDI) was busy coordinating the disclosure and remediation of over 400 high-severity vulnerabilities in 2014, 24 of which related to SAP products. The vendors with the most disclosures were: 1. Microsoft; 2. Hewlett-Packard; 3. Advantech; 4. SAP; 5. Apple.

ZDI has always published SAP vulnerabilities, but this is the first year in which the number of SAP vulnerabilities has been this large.

According to the ZDI report:

In 2013 there were a number of SCADA vulnerabilities, but 2014 marks the first year where a SCADA vendor is among the top vendors with vulnerabilities disclosed against its products. Advantech focuses on automation controllers, industrial control products, and single board computers. SAP is on the list due to an audit ZDI analysts conducted against one of its products, which yielded a large number of findings.


But the main point is not only the number of vulnerabilities, which is quite large, but also their criticality. The average CVSS score of the identified SAP vulnerabilities is 7.7 and the maximum is 9.5.

Affected SAP products include:


  • SAP SQL Anywhere (4 vulnerabilities, average CVSS 9.0)
  • SAP Sybase ESP (18 vulnerabilities, average CVSS 7.5)
  • SAP Crystal Reports (2 vulnerabilities, average CVSS 6.8)


Detailed information about the identified vulnerabilities can be found in the table below (dates are in MM.DD.YYYY format):

Product | Vulnerability | CVSS | Date
--- | --- | --- | ---
SAP SQL Anywhere | SAP SQL Anywhere .NET Data Provider Malformed Integer Stack Buffer Overflow Code Execution Vulnerability | 9.5 | 12.09.2014
SAP SQL Anywhere | SAP SQL Anywhere .NET Data Provider REPLICATE Function Heap Overflow Code Execution Vulnerability | 8.5 | 12.09.2014
SAP SQL Anywhere | SAP SQL Anywhere .NET Data Provider SPACE Function Heap Overflow Code Execution Vulnerability | 8.5 | 12.09.2014
SAP SQL Anywhere | SAP SQL Anywhere .NET Data Provider Column Alias Stack Buffer Overflow Code Execution Vulnerability | 9.5 | 12.09.2014
SAP Crystal Reports | SAP Crystal Reports Connection String Processing Double Free Remote Code Execution Vulnerability | 6.8 | 09.03.2014
SAP Crystal Reports | SAP Crystal Reports Datasource Stack Buffer Overflow Remote Code Execution Vulnerability | 6.8 | 09.03.2014
SAP Sybase ESP | (0Day) SAP Sybase ESP esp_parse ConnectionType.getConnection Remote Code Execution Vulnerability | 7.5 | 05.22.2014
SAP Sybase ESP | (0Day) SAP Sybase ESP esp_parse ConnectionType.isInput Remote Code Execution Vulnerability | 7.5 | 05.22.2014
SAP Sybase ESP | (0Day) SAP Sybase ESP esp_parse Connection.getSampleRow Remote Code Execution Vulnerability | 7.5 | 05.22.2014
SAP Sybase ESP | (0Day) SAP Sybase ESP esp_parse Connection.getFieldTypes Remote Code Execution Vulnerability | 7.5 | 05.22.2014
SAP Sybase ESP | (0Day) SAP Sybase ESP esp_parse Connection.getFieldNames Remote Code Execution Vulnerability | 7.5 | 05.22.2014
SAP Sybase ESP | (0Day) SAP Sybase ESP esp_parse Connection.setParams Remote Code Execution Vulnerability | 7.5 | 05.22.2014
SAP Sybase ESP | (0Day) SAP Sybase ESP esp_parse Connection.destroy Remote Code Execution Vulnerability | 7.5 | 05.22.2014
SAP Sybase ESP | (0Day) SAP Sybase ESP esp_parse Connection.dispose Remote Code Execution Vulnerability | 7.5 | 05.22.2014
SAP Sybase ESP | (0Day) SAP Sybase ESP esp_parse Connection.getTableNames Remote Code Execution Vulnerability | 7.5 | 05.22.2014
SAP Sybase ESP | (0Day) SAP Sybase ESP esp_parse Connection.setScanDepth Remote Code Execution Vulnerability | 7.5 | 05.22.2014
SAP Sybase ESP | (0Day) SAP Sybase ESP esp_parse Connection.canDiscover Remote Code Execution Vulnerability | 7.5 | 05.22.2014
SAP Sybase ESP | (0Day) SAP Sybase ESP esp_parse Connection.getError Remote Code Execution Vulnerability | 7.5 | 05.22.2014
SAP Sybase ESP | (0Day) SAP Sybase ESP esp_parse Connection.reset Remote Code Execution Vulnerability | 7.5 | 05.22.2014
SAP Sybase ESP | (0Day) SAP Sybase ESP esp_parse Connection.getErrors Remote Code Execution Vulnerability | 7.5 | 05.22.2014
SAP Sybase ESP | (0Day) SAP Sybase ESP esp_parse ConnectionType.getName Remote Code Execution Vulnerability | 7.5 | 05.22.2014
SAP Sybase ESP | (0Day) SAP Sybase ESP esp_parse ConnectionType.getParamNames Remote Code Execution Vulnerability | 7.5 | 05.22.2014
SAP Sybase ESP | (0Day) SAP Sybase ESP esp_parse ConnectionType.getXmlDescription Remote Code Execution Vulnerability | 7.5 | 05.22.2014
SAP Sybase ESP | (0Day) SAP Sybase ESP esp_parse Connection.getType Remote Code Execution Vulnerability | 7.5 | 05.22.2014
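As an added example (not part of the original post or of the HP/ZDI report), the script below encodes the 24 table rows inline and recomputes the per-product averages and the overall average and maximum CVSS quoted above, so the summary figures can be checked against the row-level data.

```python
from collections import defaultdict
from statistics import mean

# Constructed from the table above: (product, CVSS score, disclosure date).
# The 18 Sybase ESP advisories share one score and date, so they are expanded.
ROWS = [
    ("SAP SQL Anywhere", 9.5, "12.09.2014"),
    ("SAP SQL Anywhere", 8.5, "12.09.2014"),
    ("SAP SQL Anywhere", 8.5, "12.09.2014"),
    ("SAP SQL Anywhere", 9.5, "12.09.2014"),
    ("SAP Crystal Reports", 6.8, "09.03.2014"),
    ("SAP Crystal Reports", 6.8, "09.03.2014"),
] + [("SAP Sybase ESP", 7.5, "05.22.2014")] * 18


def per_product(rows):
    """Return {product: (count, average CVSS, max CVSS)} for each product."""
    scores = defaultdict(list)
    for product, cvss, _date in rows:
        scores[product].append(cvss)
    return {p: (len(s), round(mean(s), 1), max(s)) for p, s in scores.items()}


def overall(rows):
    """Return (count, average CVSS, max CVSS) across all rows."""
    scores = [cvss for _, cvss, _ in rows]
    return len(scores), round(mean(scores), 1), max(scores)


def count_at_or_above(rows, threshold=7.0):
    """Count rows with CVSS >= threshold (7.0 is the CVSS v2 'high' boundary)."""
    return sum(1 for _, cvss, _ in rows if cvss >= threshold)


if __name__ == "__main__":
    for product, (n, avg, mx) in per_product(ROWS).items():
        print(f"{product}: {n} vulnerabilities, average CVSS {avg}, max {mx}")
    n, avg, mx = overall(ROWS)
    print(f"overall: {n} vulnerabilities, average CVSS {avg}, max {mx}")
    print(f"high severity (>= 7.0): {count_at_or_above(ROWS)}")
```

The overall average comes out at 7.7 and the maximum at 9.5, matching the figures in the text; 22 of the 24 entries sit at or above the CVSS 7.0 high-severity boundary.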

Last year brought not only the many vulnerabilities disclosed by ZDI. Other independent sources also recorded growth in the number of vulnerabilities in SAP applications.

Another source published the total number of vulnerabilities in different vendors' products, where SAP for the first time in its history reached 10th place by the number of vulnerabilities in commercial products, with 178 vulnerabilities in total (as of October 2014).

By the latest statistics, SAP takes 27th place among all vendors (including open source) in the CVE database, with 236 vulnerabilities in total. The number of SAP vulnerabilities published in CVE in 2014 is 81, four times more than in the previous year and the highest of any year on record.

But in reality the number of vulnerabilities fixed in SAP products is even higher than listed in any of those sources.

As you may know, CVEs are assigned to vulnerabilities by the vendor or by a third-party organization; this process takes time, and not every organization does it consistently. According to the SAP Support Portal, in 2014 alone 388 so-called SAP Security Notes were released, 7% more than in 2013 (when there were 364). SAP Security Notes are small patches that usually close one or more vulnerabilities in SAP applications found by third-party companies and SAP's internal security team. So you read that right: one or more! This means the actual number of vulnerabilities is even higher than the number of SAP Security Notes, and of course higher than the number of vulnerabilities that can be found in CVE, ZDI and other public sources.

However, it is not only about vulnerabilities in SAP products themselves. If developers as experienced as SAP's can still leave mistakes in their code, imagine what is happening in programs developed by organizations that use and customize SAP systems, or, more importantly, outsource development to other companies. And, as you know, security has never been the strong suit of outsourcing: intense competition between outsourcing companies drives them to minimize time and resources, which usually leaves its mark on security.
