SAP Updates Patch Twenty Vulnerabilities

Germany-based enterprise software maker SAP has addressed a total of twenty vulnerabilities as part of its September 2015 Security Patch Day.

In addition to fixing 20 new flaws, SAP noted that it has also updated five previously released patches. The company rated 16 of the new vulnerabilities as having “high” or “very high” (hot news) severity.

Of the total of 25 patches released this week, eight are missing authorization checks, and six are cross-site scripting (XSS) bugs. The rest of the vulnerabilities can be exploited for information disclosure, cross-site request forgery (CSRF), remote code execution, SQL injection, and other types of attacks.

SAP only shares details on the patched security bugs with its customers. However, SAP security solutions providers ERPScan and Onapsis have released some information on the vulnerabilities fixed with the September 2015 updates. It’s worth noting that some of the flaws patched this month have been identified by researchers from these companies.

The most serious vulnerability, with a CVSS score of 9.3, is a buffer overflow affecting SAP HANA Extended Application Services (XS). The flaw, patched with the 2197397 update, can be exploited by an attacker to execute malicious code with the privileges of the targeted application.

“This can lead to taking complete control over an application, denial of service, command execution, and other attacks,” ERPScan said. “In the case of command execution, an attacker can obtain critical technical and business-related information stored in a vulnerable SAP system or use it for privilege escalation. As for denial of service, terminating the process of a vulnerable component is possible. Nobody will be able to use this service, resulting in a negative impact on business processes, system downtime, and, consequently, business reputation.”

Another update rated “hot news” is 850306, which, according to Onapsis, summarizes several Oracle patches linked to SAP products.

Other serious issues are an OS command execution vulnerability related to an SAP function module, a missing authorization check in SAP Foreign Trade, an SAP NetWeaver Business Client flaw that can lead to information disclosure or a denial-of-service (DoS) condition, and an SQL injection in SAP Batch Processing.

Missing authorization continues to be a common issue in SAP products. A report published in 2014 by ERPScan showed that of the 3,000 vulnerabilities patched by SAP since 2001, more than 700 (20 percent) were missing authorization flaws. Of these 700 issues, most affected SAP NetWeaver ABAP.

Last month, SAP released 26 patches, 15 of which were rated as having high severity.

Related Reading: Majority of SAP Attacks Use One of Three Common Techniques

Related Reading: SAP Encryption Issues Pose Serious Risk to Organizations

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.