
SAP Patches OS Command Execution Vulnerabilities

SAP released its November 2016 security updates Tuesday, addressing two very high priority (Hot News) Security Notes, both meant to resolve OS command execution vulnerabilities.


The two Critical flaws each carry a CVSS Base Score of 9.1 and affect the SAP Report for Terminology Export component and the SAP Text Conversion component, respectively. Both could be exploited to execute OS commands without authorization.

Aside from the two Hot News Security Notes, SAP also released two High severity and 6 Medium risk Security Notes, for a total of 10 Patch Day Security Notes, according to Udit Singh of SAP's Patch Day Governance, Product Security Response Team.

Additionally, SAP released 5 Security Notes between the second Tuesday of October and the second Tuesday of November, along with an update to a previously released Security Note, ERPScan notes. Overall, the firm points out, the November updates close 16 vulnerabilities in SAP products (10 SAP Security Patch Day Notes and 6 Support Package Notes).

An attacker could leverage the Hot News OS command execution vulnerabilities to execute operating system commands without authorization. The commands run with the privileges of the service that executed them, so an attacker could access arbitrary files and directories on an SAP server's file system, such as application source code, configuration, and critical system files.

Other critical flaws patched by SAP this month include a Denial of Service vulnerability in SAP Message Server (CVSS Base Score: 7.5) and an Information Disclosure vulnerability in the SAP Software Update Manager component (CVSS Base Score: 7.5). The former can be abused to terminate a process of the vulnerable component, while the latter can be leveraged to reveal additional information about the affected system.

Disclosed by ERPScan researchers, the Denial of Service vulnerability in SAP Message Server HTTP could allow an attacker to prevent legitimate users from accessing the service by crashing it. The Message Server, the researchers say, is used for communication between elements of a Java cluster and should not be accessible from the Internet.

However, 3,783 SAP Message Server HTTP instances are currently reachable from the Internet, most of them located in the United States, ERPScan says. India is the second most affected country, followed by China, Germany, and Singapore.


Other vulnerabilities disclosed by ERPScan researchers and patched in SAP Security Patch Day – November 2016 include an Information Disclosure vulnerability in SAP System Landscape Directory (CVSS Base Score: 5.3) and an SQL Injection in SAP Hybris E-commerce Suite VirtualJDBC (no security note was provided for the latter, however, because the issue was inside the Hybris cloud).

Overall this month, SAP patched 6 Missing Authorization Check flaws, 3 Cross-Site Scripting bugs, 2 OS Command Execution, 2 Information Disclosure, 1 Denial of Service, 1 Implementation Flaw, and 1 Clickjacking vulnerability.


Written by Ionut Arghire, an international correspondent for SecurityWeek.
