SAP Cyber Threat Intelligence Report – October 2016

The SAP threat landscape is always growing thus putting organizations of all sizes and industries at risk of cyberattacks. The idea behind SAP Cyber Threat Intelligence report is to provide an insight on the latest security threats and vulnerabilities.

Key takeaways

1. SAP's critical patch update for October fixes 48 vulnerabilities, which is the record-breaking number since 2012.
2. The majority of them implements Switchable authorization checks (i.e. fixes implementation flaws).
3. One of the vulnerabilities (Authentication bypass in SAP P4) potentially threatened SAP customers since 2013.

SAP Security Notes – October 2016

SAP has released the monthly critical patch update for October 2016. This patch update closes 48 vulnerabilities in SAP products (47 SAP Security Patch Day Notes and 1 Support Package Notes), which is almost twice more than the average number for this year. According to the latest SAP Cyber Security in Figures report, In 2011, the approximate number of monthly SAP Security Notes was equal to 61. In 2012, it decreased to 53 notes, and in 2013 it amounted to 30 notes a month. The average number remained almost the same in 2014 (32) and fell slightly in 2015 (25) and in 2016 (22).

5 of all the Notes were released after the second Tuesday of the previous month and before the second Tuesday of this month. Just one SAP Security Note is an update to a previously released Security Note.

3 of the released SAP Security Notes have a high priority rating. The highest CVSS score of the vulnerabilities is 7.5.

The most common vulnerability type is Implementation Flaw.

About Switchable authorization checks

The majority of the issues closed this month are implementation flaws, namely the Security Notes titled “Switchable authorization checks ”. In the full-text versions of the Notes, SAP describes this functionality in detail.

By these patches, new switchable authorization checks were implemented. By default, they are inactive to ensure compatibility with processes. It is important to enable the authority check using Switchable Authorization Checks Framework ( the transaction SACF).

Issues that were patched with the help of ERPScan

This month, 2 critical vulnerabilities identified by ERPScan’s researcher Vahagn Vardanyan were closed.

Below are the details of the SAP vulnerabilities, which were identified by ERPScan researcher.

• A Denial of Service vulnerability in SAP ASE (CVSS Base Score: 7.5). Update is available in SAP Security Note 2330422. An attacker can exploit a denial of service vulnerability to terminate a process of a vulnerable component. Thus, nobody will be able to use the service, which, in its turn, affects business processes, system downtime, and business reputation of a company.
• A Missing Authentication check vulnerability in SAP NetWeaver AS JAVA P4 Servercore component (CVSS Base Score: 7.3). Update is available in SAP Security Note 2331908. An attacker can exploit a missing authorization check vulnerability to access a service without passing authorization procedures and use functionality of this service, access to which shall be limited. This may result in an information disclosure, privilege escalation and other types attacks.

About Missing Authentication check vulnerability in P4 Servercore component

Missing Authentication check vulnerability affects SAP NetWeaver AS JAVA P4. This service enables a remote control of SAP’s JAVA platform, for example, all SAP Portal systems.

P4 is usually exposed to the Internet, which makes the vulnerability exploiting easier. Scanning conducted by our researchers revealed that there are at least 256 vulnerable services accessible online.

The issue was first reported and patched in 2012. However, during one of penetration tests, ERPScan team found out that the issue still affected almost all new versions of the service. For example, the service pack 0.9 for the version 7.2 which is vulnerable, was released in 2013. It means that potentially the mission-critical service stayed unpatched for at least 3 years, i.e. 256 systems (possibly this number was higher in last 3 years) could be compromised.

The most critical issues closed by SAP Security Notes October 2016 identified by other researchers

The most dangerous vulnerabilities of this update can be patched by the following SAP Security Notes:

• 2348055: SAP ST-PI component has an SQL injection vulnerability (CVSS Base Score: 6.3). An attacker can exploit an SQL injection vulnerability with specially crafted SQL queries. They can read and modify sensitive information from a database, execute administration operations on a database, destroy data or make it unavailable. Also, in some cases an attacker can access system data or execute OS commands. Install this SAP Security Note to prevent the risks.
• 2344441: SAP MESSAGING SYSTEM SERVICE component has a Cross-Site Scripting vulnerability (CVSS Base Score: 6.3). An attacker can exploit a cross-site scripting vulnerability to inject a malicious script into a page. To exploit a reflected XSS vulnerability it is necessary to trick a user from an attacker’s side, i.e. an attacker must make a user follow a specially formed link. As for a stored XSS, a malicious script is injected into a page body and permanently stored there. Thus, a user is attacked without performing any actions. A malicious script can access all cookies, session tokens and other critical information stored by a browser and used for interaction with a site. An attacker can gain access to user's session and learn business-critical information. In some cases, it is even possible to get control over this information. In addition, XSS can be used for unauthorized modifying of displayed site content. Install this SAP Security Note to prevent the risks.
• 2335427: SAP BusinessObjects has a Cross-Site Request Forgery vulnerability (CVSS Base Score: 6.1). An attacker can use a Cross-site request forgery vulnerability for exploiting an authenticated user's session with a help of making a request containing a certain URL and specific parameters. A function will be executed with an authenticated user's rights. An attacker may use a cross-site scripting vulnerability to do this, or he can present a specially crafted link to an attacked user. Install this SAP Security Note to prevent the risks.

Advisories for these SAP vulnerabilities with technical details will be available in 3 months on erpscan.com. Exploits for the most critical vulnerabilities are already available in ERPScan Security Monitoring Suite.

SAP customers as well as companies providing SAP Security Audit, SAP Vulnerability Assessment, or SAP Penetration Testing services should be well-informed about the latest SAP Security news. Stay tuned for next month’s SAP Cyber Threat Intelligence report.