The SAP threat landscape is always growing thus putting organizations of all sizes and industries at risk of cyberattacks. The idea behind SAP Cyber Threat Intelligence report is to provide an insight on the latest security threats and vulnerabilities.
- The February’s set of Security Notes consist of 22 patches, most of them fix missing authorization check vulnerabilities.
- The highest CVSS base score of the fixed bugs is 8.5.
- This month, multiple vulnerabilities affecting SAP HANA were closed. They can be exploited together to crash applications on SAP HANA XS remotely without authentication.
SAP Security Notes – February 2017
4 of all the Notes were released after the second Tuesday of the previous month and before the second Tuesday of this month. 7 of all the Notes are updates to previously released Security Notes.
7 of the released SAP Security Notes has a High priority rating. The highest CVSS score of the vulnerabilities is 8.5.
The most common vulnerability type is Missing Authorization check.
Issues that were patched with the help of ERPScan
This month, 3 critical vulnerabilities identified by ERPScan’s researchers Mathieu Geli and Mikhail Medvedev were closed.
Below are the details of these vulnerabilities.
- Multiple vulnerabilities in SAP HANA (CVSS Base Score: 8.3). Update is available in SAP Security Note 2407694. An attacker can use a Denial of service vulnerability to crash a process of the vulnerable component. For this time, nobody would be able to use this service, which negatively influences business processes, system downtime, and, as a result, business reputation.
- An XML external entity vulnerability in SAP Visual Composer VC70RUNTIME (CVSS Base Score: 6.5). Update is available in SAP Security Note 2386873. An attacker can use an XML external entity vulnerability to send specially crafted unauthorized XML requests that will be processed by XML parser. An attacker can use an XML external entity vulnerability to get unauthorised access to OS file system.
SAP HANA Multiple Vulnerabilities in detail
SAP Security Note 2407694 closes 2 vulnerabilities affecting SAP’s flagship product, HANA. Namely, there are DoS vulnerability and Implementation Flaw (insecure default user creation policy) in third-party repository server Sinopia.
These vulnerabilities can be exploited together. One of possible attack scenarios is the following. The first vulnerability allows an attacker to create a new user over the Internet without authentication. After that, an adversary can create a new repository. If a package name contains special characters, the application in process will crash. As a result of the attack, the project would be unavailable meaning a stoppage of developing processes. Moreover, the vendor’s advisory states that other SAP HANA XS components could also be potentially impacted.
The most critical issues closed by SAP Security Notes February 2017 identified by other researchers
The most dangerous vulnerabilities of this update can be patched by the following SAP Security Notes:
- 2408892: SAP Netweaver Data Orchestration has a Missing Authorization Check vulnerability (CVSS Base Score: 8.5). An attacker can use a Missing authorization check vulnerability to access the service without authorization and use service functionality that has restricted access. This can lead to an information disclosure, privilege escalation, and other attacks. Install this SAP Security Note to prevent the risks.
- 2413716: SAP GRC Access Control EAM has an Implementation flaw vulnerability (CVSS Base Score: 8.2). Depending on a case, an implementation flaw can cause unpredictable behaviour of a system, troubles with stability and safety. Patches solve configuration errors, add new functionality and increase system stability. Install this SAP Security Note to prevent the risks.
- 2391018: SAP 3D Visual Enterprise Author, Generator and Viewer has a Memory Corruption vulnerability (CVSS Base Score: 8). An attacker can use Buffer overflow vulnerability to inject a specially crafted code into a working memory which will be executed by the vulnerable application. Executed commands will run with the same privileges as the service that executed the command. This can lead to taking complete control of the application, denial of service, command execution, and other attacks. Install this SAP Security Note to prevent the risks.
Advisories for these SAP vulnerabilities with technical details will be available in 3 months on erpscan.com. Exploits for the most critical vulnerabilities are already available in ERPScan Security Monitoring Suite.
SAP customers as well as companies providing SAP Security Audit, SAP Vulnerability Assessment, or SAP Penetration Testing services should be well-informed about the latest SAP Security news. Stay tuned for next month’s SAP Cyber Threat Intelligence report.