SAP has released the monthly critical patch update for October 2015. This patch update closes 29 vulnerabilities in SAP products, 15 of which are high priority, some of them belong to the SAP HANA security area. The most common vulnerability is Missing Authorization Check (as it was in SAP Security Notes September 2015). This month, one critical vulnerability found by ERPScan researcher Mathieu Geli was closed. This vulnerability also affects SAP HANA security and has the highest CVSS score among all issues closed by the update.
About SAP HANA security issues
According to Business Insider, SAP HANA is implemented in more than 6400 companies. SAP says there are more than 815,000 end users of this solution. The security of the critical data that companies entrust to SAP HANA must receive priority attention. Unfortunately, the number of SAP HANA vulnerabilities is constantly growing. In 2015, it has increased by 50% comparing to 2014. One of the critical SAP HANA vulnerabilities (static encryption keys) has recently been identified by ERPScan research team.
Issues that were patched with the help of ERPScan
Below is the details of the SAP vulnerability that was found by ERPScan researchers.
- A Remote Command Execution vulnerability in SAP HANA (CVSS Base Score: 9.3). Update is available in SAP Security Note 2197428. An attacker can use Remote Command Execution to run commands remotely without authorization, under the privileges of the service that executes them. The attacker can access arbitrary files and directories located in an SAP server filesystem, including application source code, configuration, and critical system files. It allows the attacker to obtain critical technical and business-related information stored in the vulnerable SAP system.
The most critical issues found by other researchers
Some of our readers and clients asked us to categorize the most critical SAP vulnerabilities to patch them first. Companies providing SAP Security Assessment, SAP Vulnerability Assessment, or SAP Penetration Testing services can include these vulnerabilities in their checklists. The most critical vulnerabilities of this update can be patched by the following SAP Security Notes:
- 2037304: SAP SDCC Download Function Module has an Implementation Flaw (CVSS Base Score: 8.5). Depending on the problem, an implementation flaw can cause unpredictable behaviour of a system, troubles with stability and safety. Patches solve configuration errors, add new functionality, and increase the system stability. Install this SAP Security Note to prevent risks.
- 2203591: SAP TREX/BWA has an Implementation Flaw (CVSS Base Score: 7.6). Depending on the problem, an implementation flaw can cause unpredictable behaviour of a system, troubles with stability and safety. Patches solve configuration errors, add new functionality, and increase the system stability. Install this SAP Security Note to prevent risks.
- 2179615:SAP 3D Visual Enterprise Author, Generator and Viewer has a Remote Code Execution vulnerability (CVSS Base Score: 6.8). An attacker can use Remote Command Execution to run commands remotely without authorization, under the privileges of the service that executes them. The attacker can access arbitrary files and directories located in an SAP server filesystem, including application source code, configuration, and critical system files. It allows the attacker to obtain critical technical and business-related information stored in the vulnerable SAP system. Install this SAP Security Note to prevent risks.
It is highly recommended to patch all those SAP vulnerabilities to prevent business risks affecting your SAP systems.
SAP has traditionally thanked the security researchers from ERPScan for found vulnerabilities on their acknowledgment page.
Advisories for those SAP vulnerabilities with technical details will be available in 3 months on erpscan.com. Exploits for the most critical vulnerabilities are already available in ERPScan Security Monitoring Suite.
Comments