SAP Releases Over Dozen High Priority Patches

Enterprise software solutions provider SAP has released its Security Patch Day updates for November 2015 to address nearly two dozen issues.

This month’s updates include 15 Patch Day security notes and eight Support Package notes. The Patch Day notes include nine new fixes, four updates to previous notes, and two out-of-band patches. Five of these have been rated “hot news” (very high), and eight have been classified as having “high” priority.

The list of patched issues includes code injection, information disclosure, cross-site request forgery (CSRF), directory traversal, and cross-site scripting (XSS) vulnerabilities.

According to SAP security firm ERPScan, one of the most serious vulnerabilities patched this month, based on its CVSS score, is a CSRF bug in the Web UI Framework (WebUIF), a component of SAP’s Customer Relationship Management (CRM) application. An attacker can exploit this vulnerability to perform operations on an authenticated user’s behalf if they can trick the victim into clicking on a specially crafted link.

Two other high priority notes are for an information disclosure flaw in SAP Business Intelligence and an OS command execution vulnerability in a component of SAP ABAP. Both these issues had been addressed previously, but SAP has now released updated patches.

The patches also fix a couple of vulnerabilities reported by ERPScan researchers. One of the issues found by the security firm is related to the use of Base64 and DES to encrypt passwords in SAP Manufacturing Integration and Intelligence (xMII).

The second security hole identified by ERPScan is a high severity denial-of-service (DoS) flaw in SAP Plant Connection (SAP PCo), a solution designed for data exchanges between a SAP system and industry-specific data sources, such as SPC, plant historian, and process control systems.

ERPScan believes these vulnerabilities can pose a serious risk because the affected solutions serve as a bridge between the industrial and enterprise resource planning (ERP) environments.

“SAP’s Business applications collect data about critical processes via SAP xMII. SAP xMII systems are connected with SAP PCo systems which exchange information with OPC servers which, in their turn, have a direct access to PLC devices and systems that manage critical processes,” ERPScan explained in a blog post. “These vulnerabilities can be used as a starting point of sophisticated multi-stage attack aiming to get control over linked systems.”

Experts will show at the Black Hat Europe security conference how such vulnerabilities can be exploited to target companies in the oil and gas sector.

Earlier this week, SAP security firm Onapsis published a total of 21 advisories detailing vulnerabilities patched by SAP over the past few months. The flaws described by the company affect SAP HANA-based applications such as S/4HANA and SAP Cloud Solutions.

According to Onapsis, these vulnerabilities could affect more than 10,000 SAP customers, including many Forbes 2000 companies across various industry verticals.

Related Reading: Serious Vulnerabilities Patched in SAP Products

Related Reading: Flaw in SAP Firm’s XSS Filter Exposed Many Sites to Attacks