SAP’s Monthly Patches Dominated by Hot News and High Priority Flaws
To date, SAP has issued more than 3,660 Security Notes and Support Package Implementation Notes to address thousands of vulnerabilities in its business-critical applications, a new report from ERPScan reveals.
Of the total of 3,663 Security Notes that SAP has issued through June 2016, 212 were rated Hot News and 2,383 were rated High Priority, meaning that only around 25% of the flaws were Medium (798) and Low (145) priority.
Cross-Site Scripting (20.47%), Missing authorization (20.45%) and Directory traversal (11.96%) were the most common types of flaws, together accounting for just under 53% of all vulnerabilities, ERPScan’s report shows. Configuration issues (10.52%) and SQL injection (7.64%) round out the top five issue types, followed by Information disclosure (7.33%) and Cross-Site Request Forgery (6.57%).
The average number of SAP Security Notes issued per month has fallen to around 22 in 2016, down from 61 in 2011 and 53 in 2012, with the sharpest drop in 2013, when the monthly average was only about 30. However, the number of vulnerabilities actually resolved in SAP products is higher than the note count suggests, because SAP now fixes multiple flaws with a single patch, ERPScan says.
Three years ago, the company issued a separate patch for each discovered vulnerability; the newly adopted approach makes it easier to apply the security updates that arrive on the second Tuesday of each month. However, SAP does not disclose how many vulnerabilities each patch resolves, which makes analysis, and correlation with CVE identifiers, more difficult, the report says.
What’s more, around 85% of vulnerabilities are found and fixed internally by SAP, meaning that information about them, and the patches themselves, is released only to customers and partners. Furthermore, of the remaining 15% of vulnerabilities, which are discovered by external researchers, some are never assigned CVE identifiers.
Over the past few years, SAP has also extended the list of affected platforms, which now includes newer technologies such as SAP HANA and SAP’s cloud and mobile offerings. Cloud and mobile technologies have made SAP systems more exposed to the Internet, meaning that every vulnerability discovered in these services could affect thousands of multinational companies (after all, 90% of the Fortune 2000 companies use SAP).
“For example, the latest reported issues in SAP Mobile affect more than a million mobile devices and SAP HANA vulnerabilities affect 6000+ companies that use SAP HANA,” ERPScan notes.
The report also says that almost every SAP module has vulnerabilities, with CRM in the lead, followed by EP and SRM. However, researchers and hackers appear to have been more attracted to vulnerabilities affecting SAP HANA and SAP Mobile apps than to those in the traditional modules.
There was also a growth in the number of vulnerabilities in industry-specific solutions, with over 160 vulnerabilities detected in SAP’s products designed for particular industries. The SAP industry-specific solutions for Banking, Retail, Advertising Management, Automotive, and Utilities are the most vulnerable products.
The report counts more than 36,000 SAP systems worldwide, and says that most of them (69%) should not be directly reachable from the Internet at all. Nevertheless, numerous unnecessarily exposed services leave these systems open to attack, and almost half of the exposed systems “are implemented in countries where wide adoption of new technologies takes place (such as USA, India, and China),” the report claims.
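The report does not say which services it counted as "unnecessarily exposed". As an added example, not taken from the ERPScan report or from SAP, the following Python script shows the kind of triage check a practitioner would run over a perimeter scan export: it maps open TCP ports to SAP services using SAP's documented default port conventions (NN is the two-digit instance number) and flags those that should not normally face the Internet, such as the DIAG dispatcher, the RFC gateway, the message server, sapcontrol and the HANA SQL ports. The scan lines, hosts and the "safe to expose" classification are assumptions constructed for the example; the port conventions are defaults that can be overridden in profile parameters, so the output is a list of candidates to verify, not a verdict.

```python
import re
from typing import Optional, Tuple

# Constructed sample of a perimeter scan export in "host,port,state" form.
# The hosts and ports are made up for this example.
SAMPLE_SCAN = """\
198.51.100.10,443,open
198.51.100.10,3200,open
198.51.100.10,3300,open
198.51.100.11,50000,open
198.51.100.11,50013,open
198.51.100.12,1128,open
198.51.100.12,30015,open
198.51.100.12,22,open
198.51.100.13,8000,open
198.51.100.13,3600,closed
"""

# SAP default port conventions (NN = instance number). Assumed from SAP's documented
# defaults; verify against your landscape, since icm/server_port_* and similar
# profile parameters can move any of these. The third field is an assumption of
# whether the service is normally acceptable to expose at the Internet edge.
SAP_PORT_PATTERNS = [
    (re.compile(r"^32(\d\d)$"), "DIAG (SAP GUI) dispatcher", False),
    (re.compile(r"^33(\d\d)$"), "RFC gateway", False),
    (re.compile(r"^36(\d\d)$"), "ABAP message server", False),
    (re.compile(r"^81(\d\d)$"), "message server HTTP", False),
    (re.compile(r"^80(\d\d)$"), "ICM HTTP", True),
    (re.compile(r"^443(\d\d)$"), "ICM HTTPS", True),
    (re.compile(r"^5(\d\d)00$"), "Java AS HTTP", True),
    (re.compile(r"^5(\d\d)13$"), "SAP Start Service (sapcontrol) HTTP", False),
    (re.compile(r"^5(\d\d)14$"), "SAP Start Service (sapcontrol) HTTPS", False),
    (re.compile(r"^3(\d\d)13$"), "HANA system DB SQL", False),
    (re.compile(r"^3(\d\d)15$"), "HANA tenant DB SQL", False),
]
# Ports that do not carry an instance number.
FIXED_PORTS = {1128: "SAP Host Agent HTTP", 1129: "SAP Host Agent HTTPS"}


def classify_port(port: int) -> Optional[Tuple[str, Optional[str], bool]]:
    """Map a TCP port to (service, instance_number, internet_safe) using the
    default conventions above; return None if the port is not an SAP default."""
    if port in FIXED_PORTS:
        return FIXED_PORTS[port], None, False
    text = str(port)
    for pattern, service, safe in SAP_PORT_PATTERNS:
        m = pattern.match(text)
        if m:
            return service, m.group(1), safe
    return None


def exposed_findings(scan_csv: str):
    """Parse 'host,port,state' lines and return the open SAP services that should
    not normally be Internet-facing, sorted by host and port."""
    findings = []
    for line in scan_csv.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, port_s, state = (field.strip() for field in line.split(","))
        if state != "open":
            continue  # closed/filtered ports are not reachable, skip them
        hit = classify_port(int(port_s))
        if hit is None:
            continue  # not an SAP default port (e.g. 22, 443)
        service, instance, safe = hit
        if not safe:
            findings.append(
                {"host": host, "port": int(port_s), "service": service, "instance": instance}
            )
    return sorted(findings, key=lambda f: (f["host"], f["port"]))


if __name__ == "__main__":
    for f in exposed_findings(SAMPLE_SCAN):
        inst = f"instance {f['instance']}" if f["instance"] is not None else "no instance"
        print(f"{f['host']}:{f['port']}  {f['service']}  ({inst})")
```

Run against the constructed sample, this flags five services: DIAG and the RFC gateway on the first host, sapcontrol on the second, and the SAP Host Agent and HANA SQL port on the third, while ignoring the generic HTTPS port, SSH and the ICM/Java web ports that a reverse proxy would legitimately publish. Because the classification rests on default port numbers, confirm each hit by connecting and checking the banner or, better, against the instance profiles before raising it as a finding.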
Related: SAP Patches Critical Clickjacking Vulnerabilities
Related: SAP Patches Critical Code Injection, XSS Vulnerabilities
Related: Five-year-old SAP Vulnerability Haunts Global Businesses