SAP has released the monthly critical patch update for July 2015. This patch update closes a lot of vulnerabilities in SAP products, some of them belong in the SAP HANA security area. The most popular vulnerability is Missing Authorization Check. This month, one critical vulnerability found by ERPScan researcher Alexander Polyakov was closed.
Issues that were patched with the help of ERPScan
Below are the details of SAP vulnerabilities that were found by ERPScan researchers.
- A Missing Authorization Check vulnerability in SAP XML Data Archiving Service (CVSS Base Score: 3.5). Update is available in SAP Security Note 1945215. An attacker can use Missing Authorization Checks to access a service without any authorization procedures and use service functionality that has restricted access. This can lead to an information disclosure, privilege escalation, and other attacks.
The most critical issues found by other researchers
Some of our readers and clients asked us to categorize the most critical SAP vulnerabilities to patch them first. Companies providing SAP Security Audit, SAP Security Assessment, or SAP Penetration Testing services can include these vulnerabilities in their checklists. The most critical vulnerabilities of this update can be patched by the following SAP Security Notes:
- 2180049: SAP ASE XPServer has a Missing Authorization Check vulnerability (CVSS Base Score: 9.3). An attacker can use Missing Authorization Checks to access a service without any authorization procedures and use service functionality that has restricted access. This can lead to information disclosure, privilege escalation, and other attacks. It is recommended to install this SAP Security Note to prevent risks.
- 1952092: IDES ECC has a Remote Command Execution vulnerability (CVSS Base Score: 6.0). An attacker can use Remote Command Execution to run commands remotely without authorization. Executed commands will run with the privileges of the service that executes them. An attacker can access arbitrary files and directories located in an SAP server filesystem, including application source code, configuration, and critical system files. It allows obtaining critical technical and business-related information stored in the vulnerable SAP system. It is recommended to install this SAP Security Note to prevent risks.
- 1971516: SAP SERVICE DATA DOWNLOAD has a Remote command execution vulnerability (CVSS Base Score: 6.0). An attacker can use Remote Command Execution to run commands remotely without authorization. Executed commands will run with the privileges of the service that executes them. An attacker can access arbitrary files and directories located in an SAP server filesystem, including application source code, configuration, and critical system files. It allows obtaining critical technical and business-related information stored in the vulnerable SAP system. It is recommended to install this SAP Security Note to prevent risks.
- 2183624: SAP HANA database has an Information Disclosure vulnerability. An attacker can use Information Disclosure for revealing additional information (system data, debugging information, etc.) which will help to learn more about the system and to plan other attacks. It is recommended to install this SAP Security Note to prevent risks.
It is highly recommended to patch all those SAP vulnerabilities to prevent business risks affecting your SAP systems.
SAP has traditionally thanked the security researchers from ERPScan for found vulnerabilities on their acknowledgment page.
Advisories for those SAP vulnerabilities with technical details will be available in 3 months on erpscan.com. Exploits for the most critical vulnerabilities are already available in ERPScan Security Monitoring Suite.
Comments