Security Experts:

SAP Patches Critical Vulnerabilities in Enterprise Products

SAP on Tuesday issued a new round of monthly security updates for its products, patching a total of 10 vulnerabilities, including critical flaws in ASE XPServer, Crystal Reports for Enterprise, and Predictive Analytics.

The vulnerability in ASE XPServer was rated "hot news", featuring a CVSS Base Score of 9, while the other two were rated high risk, each with a CVSS Base Score of 7.3. Six of the remaining vulnerabilities were rated medium risk, while the last one was low risk, SAP revealed.

According to SAP, two of the resolved issues were missing authorization check bugs, two were information disclosure flaws, one Cross-Site Scripting (XSS) vulnerability, and one clickjacking issue. Additionally, the company resolved a missing authentication bug, along with three other security flaws in its products.

In addition to the 10 SAP Security Patch Day Notes included in the new security updates, SAP also released 11 Support Package Notes, one high risk, ERPScan, a company specialized in securing SAP and Oracle business-critical software, explains. The company also says that 10 of all Notes were released after the second Tuesday of the previous month and before the second Tuesday of this month.

This month, SAP resolved mainly vulnerabilities in in the SAP NetWevwer ABAP platform (43 percent), which is used as a backend platform by most of the common business applications, including ERP, CRM, SRM, and PLM. Java was the second most affected platform, with 14 percent of flaws, ERPScan reveals.

The most important of the newly patched vulnerabilities was a missing authorization check vulnerability in ASE XPServer. An attacker leveraging the vulnerability could access the service without authorization and use its functionality that has restricted access, which could lead to information disclosure, privilege escalation, and other attacks.

The two high risk vulnerabilities patched by SAP this month include a Remote command execution bug in SAP Crystal Reports for Enterprise and another in SAP Predictive Analytics. An attacker exploiting these flaws could execute commands remotely without authorization, while having these commands running with the same privileges as the service that executed them.

The vulnerabilities would allow an attacker to access arbitrary files and directories located in an SAP server filesystem, such as application source code, configuration, and critical system files. Moreover, an attacker could obtain critical technical and business-related information stored in the vulnerable SAP system.

SAP also patched 2 critical vulnerabilities identified by ERPScan’s researchers Alexey Tyurin and Vahagn Vardanyan. According to the ERPScan, these include hard-coded credentials vulnerabilities, which represent one of the most important but underestimated issues in SAP Security.

The researchers discovered a hard-coded credentials vulnerability in SAP Code Page Conversion Tool, which could allow an attacker to gain unauthorized access and perform actions in the system. They also found a hard-coded credentials vulnerability in SAPHybris E-commerce Suite VirtualJDBC Default Credential, which was fixed without security note.

“Hard-coded information of different types (system names, usernames, passwords, and so on) occurs often in SAP systems. It can be in ABAP code written by SAP developers, internal company’s team or third-party developers. According to our statistics, we identified at least one vulnerability of this type in the ABAP code in 90% of companies during our Vulnerability Assessment projects and other professional services. This vulnerability is quite dangerous because it allows an attacker to control the program and to perform a particular function depending on predefined parameters,” Vahagn Vardanyan, Senior Consultant, Code Security Team, Offensive Services department at ERPScan, said.

In addition to SAP, Adobe and Microsoft released software updates on Tuesday to address several security issues. As part of its Patch Tuesday update for May, Microsoft released 16 security bulletins to patch more than 30 vulnerabilities, including JScript and VBScript zero-days exploited in attacks targeting users in South Korea. Adobe informed customers on Tuesday that it’s working on fixing a serious Flash flaw that has been exploited in the wild. Judging by Microsoft’s advisory, the update prepared by Adobe will patch not only the zero-day, but two dozen other Flash vulnerabilities as well.

Last month, SAP patched 10 high priority vulnerabilities in its products, including five XSS issues and four denial of service (DoS) vulnerabilities. In March, the company addressed a total of 28 vulnerabilities, including 6 XSS bugs, 6 Information disclosure issues, and 5 missing authorization check flaws.

view counter