
SAP Resolves Multiple Information Disclosure Flaws

SAP on Tuesday released its set of security patches for December 2016, which include 20 Patch Day Security Notes, along with updates for two previously released notes.

Information Disclosure issues represented the largest number of vulnerabilities addressed this month, followed by Missing Authorization Checks. Cross-Site Scripting flaws were the third most common in this month’s security fixes, but implementation issues, authentication bypasses, directory traversal, clickjacking, and other types of vulnerabilities were also addressed, SAP’s advisory reveals.

The 22 SAP Security Patch Day Notes released this month were accompanied by 9 Support Package Notes for a total of 31 vulnerabilities resolved across numerous SAP products, ERPScan, a company that specializes in securing SAP products, explains.

Four of the December 2016 SAP Security Notes carry a High priority rating. The most important of them is a deserialization vulnerability in SAP BI Platform (CVSS Base Score: 7.3): by exploiting it, an attacker could execute commands remotely and without authorization, with the commands running under the privileges of the service that executes them.

“An attacker can access arbitrary files and directories located in a SAP server filesystem, including application source code, configuration and critical system files. It allows obtaining critical technical and business-related information stored in a vulnerable SAP system,” ERPScan said.

Another High priority rating issue resolved this month is an Information Disclosure vulnerability in SAP Business Objects Explorer (CVSS Base Score: 7.1), which could be leveraged to reveal additional information (system data, debugging information, etc.).

SAP also resolved an SQL injection vulnerability in the SAP Universal Description, Discovery and Integration (UDDI) component (CVSS Base Score: 6.8), which could allow an attacker to read and modify sensitive information in a database, execute administrative operations on it, or destroy data or make it unavailable.
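To make the read and modify risk concrete, here is an added example that is not part of the article and not SAP's or ERPScan's code: a hypothetical lookup against a constructed in-memory SQLite table, once with the user-supplied name spliced into the query text and once with a bound parameter. The `users` table, its rows and the two payloads are all constructed for the example; the UNION payload shows how the injectable version leaks a column the query never meant to return.

```python
import sqlite3

# Constructed sample data (not from the SAP advisory): a minimal table standing
# in for a database-backed registry such as a UDDI component.
SAMPLE_ROWS = [
    ("admin", "s3cr3t-admin", "administrator"),
    ("alice", "alice-pass", "user"),
    ("bob", "bob-pass", "user"),
]

# Two constructed attacker inputs for the `name` field.
OR_PAYLOAD = "x' OR '1'='1"                                   # returns every row
UNION_PAYLOAD = "x' UNION SELECT name, password FROM users--"  # leaks the password column


def make_db():
    """Build the in-memory sample database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    """Hypothetical vulnerable lookup: the input becomes part of the SQL text,
    so quotes, OR clauses and UNIONs in it are parsed as SQL."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Parameterized lookup: the driver binds `name` as a value, so the same
    payloads are compared literally against the column and match nothing."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


def demo():
    """Run both lookups against normal and hostile input and return the rows."""
    conn = make_db()
    return {
        "vuln_normal": lookup_vulnerable(conn, "alice"),
        "vuln_or": lookup_vulnerable(conn, OR_PAYLOAD),
        "vuln_union": lookup_vulnerable(conn, UNION_PAYLOAD),
        "safe_normal": lookup_safe(conn, "alice"),
        "safe_or": lookup_safe(conn, OR_PAYLOAD),
        "safe_union": lookup_safe(conn, UNION_PAYLOAD),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

The fix is the bound parameter, not input filtering: the safe version returns `[]` for both payloads because the database compares them as literal strings. sqlite3 refuses to run stacked statements in one `execute()` call, so the example does not show the "destroy data" case the advisory lists; on drivers and databases that accept stacked queries the same splice would carry a `DROP` or `DELETE` as well.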

Also patched was a directory traversal vulnerability in the SAP UserAdmin application (CVSS Base Score: 6.8) that could give an attacker access to arbitrary files and directories on the SAP server filesystem. The issue allows reading files outside the Java Virtual Machine, and ERPScan found 318 such services exposed online worldwide.
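The traversal class above is easy to reproduce and easy to get half-right. The following is an added example, not code from the article or from SAP: a hypothetical file-serving routine that joins a request path onto a base directory without a containment check, beside a version that canonicalizes the result and rejects anything that resolves outside the base. The directory tree (a `public` folder, a `secret.cfg` one level up, and a symlink inside `public` pointing at it) is constructed in a temporary directory so the example runs offline.

```python
import os
import tempfile


def make_sandbox():
    """Constructed test tree: <root>/public/readme.txt (allowed),
    <root>/secret.cfg (outside the served directory), and
    <root>/public/link, a symlink back out to secret.cfg."""
    root = tempfile.mkdtemp()
    base = os.path.join(root, "public")
    os.mkdir(base)
    with open(os.path.join(base, "readme.txt"), "w") as f:
        f.write("public content\n")
    with open(os.path.join(root, "secret.cfg"), "w") as f:
        f.write("db_password=hunter2\n")
    os.symlink(os.path.join(root, "secret.cfg"), os.path.join(base, "link"))
    return os.path.realpath(base)


def serve_vulnerable(base, user_path):
    """Hypothetical vulnerable handler: a bare join.  '..' segments walk
    upward, an absolute user_path discards base entirely, and symlinks
    are followed wherever they point."""
    with open(os.path.join(base, user_path)) as f:
        return f.read()


def serve_safe(base, user_path):
    """Hardened handler: canonicalize (resolving '..' and symlinks) and
    then require the result to still be base or a descendant of it."""
    if "\x00" in user_path:  # null bytes truncate paths in some runtimes
        raise PermissionError("null byte in path")
    candidate = os.path.realpath(os.path.join(base, user_path))
    if os.path.commonpath([base, candidate]) != base:
        raise PermissionError("path escapes base directory: %r" % user_path)
    with open(candidate) as f:
        return f.read()


def _attempt(handler, base, user_path):
    try:
        return handler(base, user_path)
    except PermissionError:
        return "DENIED"
    except OSError:
        return "NOT FOUND"


def probe(base):
    """Feed four request paths to both handlers; returns
    {label: (vulnerable_result, safe_result)}."""
    cases = {
        "normal": "readme.txt",
        "dotdot": "../secret.cfg",
        "symlink": "link",
        "absolute": os.path.join(os.path.dirname(base), "secret.cfg"),
    }
    return {label: (_attempt(serve_vulnerable, base, p),
                    _attempt(serve_safe, base, p))
            for label, p in cases.items()}


if __name__ == "__main__":
    for label, (vuln, safe) in probe(make_sandbox()).items():
        print("%-9s vulnerable=%r safe=%r" % (label, vuln, safe))
```

The check is done on the canonical path after `realpath`, not on the raw input, which is why the symlink case is caught too: a blocklist of `..` sequences would pass `link` straight through. `commonpath` is used instead of a `startswith` prefix test so that a sibling directory such as `public2` is not mistaken for a child of `public`.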


Three of the vulnerabilities resolved this month affect two SAP for Defense Forces & Public Security components, namely SAP Defense Forces & Public Security and SAP Mobile Defense & Security. Both are susceptible to a Missing Authorization Check, which could allow an attacker to read, modify or delete restricted data.

“As we deal with the defense industry, the information can be critical in terms of international security. The effect of even such a low-impact vulnerability could be devastating when it comes to armed forces,” ERPScan says.

Throughout 2016, SAP released 315 security patches, about 5% more than in the previous year, but only 9 of them were rated Hot News. Most (215) were Medium priority, followed by High priority (74) and Low priority (17).

That works out to roughly 26 SAP Security Notes per month. The most common vulnerability types of the year were XSS (119), Missing Authorization Check (80), and various implementation flaws (51); SAP also resolved 26 clickjacking vulnerabilities during 2016.

Related: Flaw in PwC Security Tool Exposes SAP Systems to Attacks

Related: SAP Patches Serious Flaws in Database Management Product

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
