SAP Cyber Threat Intelligence Report – April 2017

Thursday, April 13, 2017

Alexander Polyakov

The SAP threat landscape keeps growing, putting organizations of all sizes and industries at risk of cyberattacks. The SAP Cyber Threat Intelligence report is meant to provide insight into the latest security threats and vulnerabilities affecting SAP systems.

Key takeaways

  • This month, the software vendor released 27 SAP Security Notes; the majority of them address missing authorization checks.
  • The most severe vulnerability is a remote command execution issue in SAP TREX / BWA, rated CVSS 9.4.

SAP Security Notes – April 2017

SAP has released the monthly critical patch update for April 2017. This patch update includes 27 SAP Notes (17 SAP Security Patch Day Notes and 10 Support Package Notes).

12 of the Notes were released after the second Tuesday of the previous month and before the second Tuesday of this month. 5 of the Notes are updates to previously released Security Notes.

5 of the released SAP Security Notes have a High priority rating and 1 is rated Hot News. The highest CVSS score among the patched vulnerabilities is 9.4.

[Figure: SAP Security Notes April 2017 by priority]

The most common vulnerability type is Missing Authorization check.

[Figure: SAP Security Notes April 2017 by type]

Issues that were patched with the help of ERPScan

This month, 4 critical vulnerabilities identified by ERPScan’s researchers Mathieu Geli and Vahagn Vardanyan were closed.

Below are the details of the SAP vulnerabilities identified by ERPScan researchers.

  • A Remote command execution vulnerability in SAP TREX / BWA (CVSS Base Score: 9.4). The fix is available in SAP Security Note 2419592. A remote command execution vulnerability allows an attacker to inject code that the application then executes. Executed commands run with the same privileges as the service that executed them.
  • A Cross-Site Scripting vulnerability in SAP NetWeaver Central Technical Configuration (CVSS Base Score: 6.3). The fix is available in SAP Security Note 2406783. An attacker can use a cross-site scripting vulnerability to inject a malicious script into a page. The malicious script can access all cookies, session tokens and other critical information stored by the browser and used for interaction with the web application. An attacker can thereby take over the user session and learn business-critical information; in some cases it is possible to gain control over that information. XSS can also be used to modify displayed content without authorization.
  • A Cross-Site Scripting vulnerability in SAP NetWeaver Java Archiving Framework (CVSS Base Score: 6.1). The fix is available in SAP Security Note 2308535. As above, an attacker can use a cross-site scripting vulnerability to inject a malicious script into a page, giving access to cookies, session tokens and other critical information stored by the browser, and potentially to the user session and business-critical information. XSS can also be used to modify displayed content without authorization.
  • An XML external entity vulnerability in SAP Knowledge Management ICE Service (CVSS Base Score: 4.9). The fix is available in SAP Security Note 2387249. An attacker can use an XML external entity vulnerability to send specially crafted, unauthorized XML requests that are processed by the XML parser, and thereby gain unauthorized access to the OS file system.

The most critical issues closed by SAP Security Notes April 2017 identified by other researchers

The most dangerous vulnerabilities of this update can be patched by the following SAP Security Notes:

  • 2421287: SAP SAPLPD has a Denial of service vulnerability (CVSS Base Score: 7.5). An attacker can use a denial of service vulnerability to terminate a process of the vulnerable component. While the service is down, nobody can use it, which disrupts business processes, causes system downtime and, as a result, damages business reputation. Install this SAP Security Note to mitigate the risk.
  • 2410082: SAP Web Dynpro Flash Island has an XML external entity vulnerability (CVSS Base Score: 7.5). An attacker can use an XML external entity vulnerability to send specially crafted, unauthorized XML requests that are processed by the XML parser, and thereby gain unauthorized access to the OS file system. Install this SAP Security Note to mitigate the risk.
  • 2423486: SAP NetWeaver ADBC Demo Programs have a Missing authorization check vulnerability (CVSS Base Score: 6.3). An attacker can use a missing authorization check vulnerability to access a service without passing any authorization procedure and to use functionality that should be restricted. This can lead to information disclosure, privilege escalation and other attacks. Install this SAP Security Note to mitigate the risk.

Advisories for these SAP vulnerabilities with technical details will be available in 3 months on erpscan.com. Exploits for the most critical vulnerabilities are already available in ERPScan Security Monitoring Suite.

SAP customers as well as companies providing SAP Security Audit, SAP Vulnerability Assessment, or SAP Penetration Testing services should be well-informed about the latest SAP Security news. Stay tuned for next month’s SAP Cyber Threat Intelligence report.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.