SAP has released the monthly critical patch update for September 2015. This patch update closes 20 vulnerabilities and includes 5 updates to SAP products; 16 of the notes are high priority, and some of them belong to the SAP HANA security area. The most common vulnerability type is the Missing authorization check. This month, two critical vulnerabilities found by ERPScan researchers Vahagn Vardanyan and Roman Bejan were closed.
About Missing authorization check
A missing authorization check lets a caller access a service without any authorization and use service functionality that is supposed to be restricted. This can lead to information disclosure, privilege escalation and other attacks.
According to research titled "Analysis of 3000 vulnerabilities in SAP", missing authorization is the second most common issue across all SAP products, accounting for about 20% of them. Slightly more than 700 such vulnerabilities have been closed in different SAP products (662 in SAP NetWeaver ABAP) since 2001.
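As an added illustration (not code from the SAP Security Notes or from ERPScan), the ABAP pattern behind this vulnerability class: a remote-enabled function module that returns restricted data without any authorization check, beside the same module guarded by an AUTHORITY-CHECK. The function module, table and authorization object names (zcustomer, ZCUSTREAD) are hypothetical.

```abap
" Vulnerable pattern (hypothetical): a remote-enabled function module that
" returns customer master data without any authorization check. Any user
" who can call RFC function modules gets the data regardless of role.
FUNCTION z_get_customer_vuln.
*"  IMPORTING  VALUE(iv_kunnr) TYPE kunnr
*"  EXPORTING  VALUE(es_customer) TYPE zcustomer
  SELECT SINGLE * FROM zcustomer INTO es_customer
    WHERE kunnr = iv_kunnr.
ENDFUNCTION.

" Hardened pattern: check the caller's authorization for the hypothetical
" object ZCUSTREAD (fields KUNNR and ACTVT, activity 03 = display) before
" touching the database, and refuse the call when the check fails.
FUNCTION z_get_customer.
*"  IMPORTING  VALUE(iv_kunnr) TYPE kunnr
*"  EXPORTING  VALUE(es_customer) TYPE zcustomer
*"  EXCEPTIONS no_authority
  AUTHORITY-CHECK OBJECT 'ZCUSTREAD'
    ID 'KUNNR' FIELD iv_kunnr
    ID 'ACTVT' FIELD '03'.
  IF sy-subrc <> 0.
    " Do not reveal whether the record exists: return nothing and raise.
    CLEAR es_customer.
    RAISE no_authority.
  ENDIF.
  SELECT SINGLE * FROM zcustomer INTO es_customer
    WHERE kunnr = iv_kunnr.
ENDFUNCTION.
```

Every externally reachable entry point (RFC-enabled function modules, transactions, web services) needs such a check; the roles assigned in PFCG only take effect where the code actually asks for them.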
Issues that were patched with the help of ERPScan
Below are the details of the SAP vulnerabilities that were found by ERPScan researchers.
- An SQL injection vulnerability in SAP Batch Processing (CVSS Base Score: 4.6). The update is available in SAP Security Note 2193389. An attacker can exploit the SQL injection vulnerability with the help of specially crafted SQL queries to read and modify sensitive information in the database, execute administrative operations on the database, or destroy data or make it unavailable. In some cases an attacker can also access system data or execute OS commands.
- A Cross-site scripting vulnerability in SAP Java Monitoring (CVSS Base Score: 4.3). The update is available in SAP Security Note 2176785. An attacker can use a cross-site scripting vulnerability to inject a malicious script into a page. Reflected XSS requires the attacker to trick the user: the victim must be led to a specially crafted link. With stored XSS, the malicious script is injected and permanently stored in the page body, so the user is attacked without performing any action. The malicious script can access all cookies, session tokens and other critical information stored by the browser and used for interaction with the site. An attacker can gain access to the user's session and learn business-critical information, and in some cases take control of that information. XSS can also be used for unauthorized modification of the displayed site content.
The most critical issues found by other researchers
Some of our readers and clients asked us to categorize the most critical SAP vulnerabilities so that they can be patched first. Companies providing SAP Security Audit, SAP Security Assessment, or SAP Penetration Testing services can include these vulnerabilities in their checklists. The most critical vulnerabilities of this update can be patched with the following SAP Security Notes:
- 2197397: SAP HANA Extended Application Services (XS) has a Buffer overflow vulnerability (CVSS Base Score: 9.3). An attacker can use a buffer overflow vulnerability to inject specially crafted code into working memory, where it will be executed by the vulnerable application. Executed commands run with the same privileges as the service that executed them. This can lead to complete control of the application, denial of service, command execution and other attacks. In the case of command execution, an attacker can obtain critical technical and business-related information stored in the vulnerable SAP system or use it for privilege escalation. In the case of denial of service, the process of the vulnerable component can be terminated; while it is down nobody can use the service, which negatively impacts business processes and results in system downtime and damage to business reputation. It is recommended to install this SAP Security Note to prevent these risks.
- 2197100: The SAP function module SCTC_REFRESH_EXPORT_USR_CLNT has an OS command execution vulnerability (CVSS Base Score: 7.1). An attacker can use the OS command execution vulnerability for unauthorized execution of operating system commands. Executed commands run with the same privileges as the service that executed them. An attacker can access arbitrary files and directories in the SAP server filesystem, including application source code, configuration and critical system files, and thereby obtain critical technical and business-related information stored in the vulnerable SAP system. It is recommended to install this SAP Security Note to prevent these risks.
- 2200806: SAP Foreign Trade has a Missing authorization check vulnerability (CVSS Base Score: 6.0). An attacker can use a missing authorization check vulnerability to access a service without any authorization procedure and use service functionality that is supposed to be restricted. This can also lead to information disclosure, privilege escalation and other attacks. It is recommended to install this SAP Security Note to prevent these risks.
It is highly recommended to patch all of these SAP vulnerabilities to prevent business risks affecting your SAP systems.
As usual, SAP has thanked the ERPScan security researchers for the vulnerabilities they found on its acknowledgment page.
Advisories for these SAP vulnerabilities with technical details will be available on erpscan.com in 3 months. Exploits for the most critical vulnerabilities are already available in the ERPScan Security Monitoring Suite.