CONFERENCE Watch Now: Threat Detection & Incident Response (TDIR) Summit - Watch Event On-Demand
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

SAP Releases Over Dozen High Priority Patches

Enterprise software solutions provider SAP has released its Security Patch Day updates for November 2015 to address nearly two dozen issues.

Enterprise software solutions provider SAP has released its Security Patch Day updates for November 2015 to address nearly two dozen issues.

This month’s updates include 15 Patch Day security notes and eight Support Package notes. The Patch Day notes include nine new fixes, four updates to previous notes, and two out-of-band patches. Five of these have been rated “hot news” (very high), and eight have been classified as having “high” priority.

The list of patched issues includes code injection, information disclosure, cross-site request forgery (CSRF), directory traversal, and cross-site scripting (XSS) vulnerabilities.

According to SAP security firm ERPScan, one of the most serious vulnerabilities patched this month, based on its CVSS score, is a CSRF bug in the Web UI Framework (WebUIF), a component of SAP’s Customer Relationship Management (CRM) application. An attacker can exploit this vulnerability to perform operations on an authenticated user’s behalf if they can trick the victim into clicking on a specially crafted link.

Two other high priority notes are for an information disclosure flaw in SAP Business Intelligence and an OS command execution vulnerability in a component of SAP ABAP. Both these issues had been addressed previously, but SAP has now released updated patches.

The patches also fix a couple of vulnerabilities reported by ERPScan researchers. One of the issues found by the security firm is related to the use of Base64 and DES to encrypt passwords in SAP Manufacturing Integration and Intelligence (xMII).

The second security hole identified by ERPScan is a high severity denial-of-service (DoS) flaw in SAP Plant Connection (SAP PCo), a solution designed for data exchanges between a SAP system and industry-specific data sources, such as SPC, plant historian, and process control systems.

ERPScan believes these vulnerabilities can pose a serious risk because the affected solutions serve as a bridge between the industrial and enterprise resource planning (ERP) environments.

Advertisement. Scroll to continue reading.

“SAP’s Business applications collect data about critical processes via SAP xMII. SAP xMII systems are connected with SAP PCo systems which exchange information with OPC servers which, in their turn, have a direct access to PLC devices and systems that manage critical processes,” ERPScan explained in a blog post. “These vulnerabilities can be used as a starting point of sophisticated multi-stage attack aiming to get control over linked systems.”

Experts will show at the Black Hat Europe security conference how such vulnerabilities can be exploited to target companies in the oil and gas sector.

Earlier this week, SAP security firm Onapsis published a total of 21 advisories detailing vulnerabilities patched by SAP over the past few months. The flaws described by the company affect SAP HANA-based applications such as S/4HANA and SAP Cloud Solutions.

According to Onapsis, these vulnerabilities could affect more than 10,000 SAP customers, including many Forbes 2000 companies across various industry verticals.

Related Reading: Serious Vulnerabilities Patched in SAP Products

Related Reading: Flaw in SAP Firm’s XSS Filter Exposed Many Sites to Attacks

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this event as we dive into threat hunting tools and frameworks, and explore value of threat intelligence data in the defender’s security stack.

Register

Learn how integrating BAS and Automated Penetration Testing empowers security teams to quickly identify and validate threats, enabling prompt response and remediation.

Register

People on the Move

Jeremy Koppen has left Mandiant after 13 years to become the CISO of Equifax.

Engineering and technology solutions provider Amentum has appointed Max Shier as its CISO.

PAM provider Keeper Security has appointed Shane Barney as its Chief Information Security Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.