SAP Patches 22 Vulnerabilities With February 2017 Security Updates

SAP on Tuesday announced the release of its February 2017 security updates, which includes 15 Patch Day Security Notes and 3 updates to previously released Patch Day Security Notes.

Only High risk and Medium severity vulnerabilities were addressed this month, with the highest CVSS score of the vulnerabilities being 8.5. Multiple patches were released for SAP’s HANA database management system.

According to ERPScan, a company specialized in securing SAP and Oracle products, SAP’s February 2017 Security Patch Day also saw the release of 7 Support Package Notes, for a total of 22 patches across products. 7 of the patches were rated High risk, while the remaining 15 were assessed as Medium severity.

The most common vulnerability type addressed this month is Missing Authorization check (5 patches), followed by Cross-Site Scripting (4 patches), denial of service (3 patches), and XML external entity (2 patches). The remaining 8 flaws include: directory transversal, implementation flaw, privilege escalation, buffer overflow, ABAP code injection, cross-site request forgery, clickjacking, and multiple issues.

The most important issues addressed this month include a Missing Authorization Check vulnerability (CVSS Base Score: 8.5) in SAP Netweaver Data Orchestration (which could allow an attacker to access the service without authorization and use service functionality that has restricted access), along with an Implementation flaw vulnerability (CVSS Base Score: 8.2) in SAP GRC Access Control EAM (which can cause unpredictable behavior of a system, troubles with stability and safety).

Additionally, SAP patched a Memory Corruption vulnerability (CVSS Base Score: 8) in SAP 3D Visual Enterprise Author, Generator and Viewer, which could allow an attacker to  inject a specially crafted code into a working memory which will be executed by the vulnerable application (the executed commands run with the same privileges as the service that executed the command).

Three of the issues were disclosed by ERPScan researchers, including multiple vulnerabilities in SAP HANA (CVSS Base Score: 8.3) – namely a denial of service that could allow an attacker to crush a process of a vulnerable component, and an Implementation Flaw (insecure default user creation policy) in third-party repository server Sinopia –, and an XML external entity vulnerability in SAP Visual Composer VC70RUNTIME (CVSS Base Score: 6.5).

The vulnerabilities in SAP HANA can be exploited together, ERPScan says: “The first vulnerability allows an attacker to create a new user over the Internet without authentication. After that, an adversary can create a new repository. If a package name contains special characters, the server will crash. As a result of the attack, the project would be unavailable meaning a stoppage of developing processes. Moreover, the vendor’s advisory states that other SAP HANA XS components also could be potentially impacted.”

In related news, Microsoft announced on Tuesday that a last minute issue forced the company to delay the release of its security updates for February 2017. It’s unclear when the patches will be made available.

Related: SAP Patches Multiple XSS and Missing Authorization Vulnerabilities

Related: SAP Resolves Multiple Information Disclosure Flaws

Related: In Review: SAP’s 3,660 Security and Support Notes