SAP Cyber Threat Intelligence Report – November 2016

Monday, November 14, 2016

Alexander Polyakov


The SAP threat landscape is constantly growing, putting organizations of all sizes and industries at risk of cyberattacks. The SAP Cyber Threat Intelligence report provides insight into the latest security threats and vulnerabilities.

Key takeaways

  • SAP’s critical patch update for November contains 16 SAP Security Notes.
  • The majority of them are missing authorization checks.
  • One of the Notes addresses DoS in SAP Message Server. Research revealed almost 4000 such systems available online.

SAP Security Notes – November 2016

SAP has released the monthly critical patch update for November 2016. This patch update closes 16 vulnerabilities in SAP products (10 SAP Security Patch Day Notes and 6 Support Package Notes).

5 of the Notes were released after the second Tuesday of the previous month and before the second Tuesday of this month. One Note is an update to a previously released Security Note.

2 of the released SAP Security Notes have a Hot News priority rating. The highest CVSS score of the vulnerabilities is 9.1.

SAP Security Notes November by priority

The most common vulnerability type is Missing authorization check.

SAP Security Notes November 2016 by type

Issues that were patched with the help of ERPScan

This month, 3 critical vulnerabilities identified by ERPScan’s researchers Alexey Tyurin and Mathieu Geli were closed.

Below are the details of the SAP vulnerabilities, which were identified by ERPScan researchers.

  • A Denial of Service vulnerability in SAP Message Server (CVSS Base Score: 7.5). Update is available in SAP Security Note 2358972. An attacker can exploit a denial of service vulnerability to terminate a process of a vulnerable component. As a result, nobody will be able to use the service, which in turn disrupts business processes, causes system downtime, and damages the business reputation of the victim company.
  • An Information Disclosure vulnerability in SAP System Landscape Directory (CVSS Base Score: 5.3). Update is available in SAP Security Note 2342940. An attacker can use an information disclosure vulnerability to reveal additional information (system data, debugging information, etc.), which helps them learn about a system and plan other attacks.
  • An SQL Injection in SAP Hybris E-commerce Suite VirtualJDBC. An attacker can exploit an SQL injection vulnerability with the help of specially crafted SQL queries to read and modify sensitive information in a database, execute administration operations on a database, destroy data, or make it unavailable.
    SAP stated that "Due to the fact that this issue is inside Hybris cloud we don’t provide a security note."

About Denial of Service vulnerability in SAP Message Server HTTP

SAP has a set of services which should not be accessible from the Internet, as they are designed only for internal use or require additional network filtration before being directly exposed to the Internet. The SAP Message Server, which is used for communication between elements of a Java cluster, is one such service. It is often used as a load balancer for client GUI connections.

SAP Message Server HTTP is the HTTP part of Message Server. The DoS vulnerability (related SAP Note 2358972) allows an attacker to prevent legitimate users from accessing the service by crashing it.

We identified almost 4000 (namely 3783) SAP Message Server HTTP services available online.
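The filtering requirement above can be checked against an exported firewall policy. The following is an added example, not ERPScan's or SAP's code: it assumes a first-match rule list in a constructed tuple format, a trusted range of 10.0.0.0/8, and the default Message Server HTTP port 81NN (NN = instance number), which a system may override in its profile.

```python
import ipaddress

def ms_http_port(instance_nr: int) -> int:
    """Default Message Server HTTP port 81NN (assumption: the default has
    not been changed through the ms/server_port_<n> profile parameter)."""
    if not 0 <= instance_nr <= 99:
        raise ValueError("instance number must be 00-99")
    return 8100 + instance_nr

# Constructed sample policy, evaluated top-down (first match wins):
# (rule name, source CIDR, first dest port, last dest port, action)
SAMPLE_RULES = [
    ("gui-users",     "10.20.0.0/16",   3200, 3299, "allow"),
    ("legacy-any",    "0.0.0.0/0",      8000, 8199, "allow"),
    ("partner-vpn",   "203.0.113.0/24", 8101, 8101, "allow"),
    ("app-servers",   "10.30.5.0/24",   8101, 8101, "allow"),
    ("block-ms-http", "0.0.0.0/0",      8101, 8101, "deny"),
]

def exposed_rules(rules, instance_nr, trusted=("10.0.0.0/8",)):
    """Return the names of allow rules that let sources outside the trusted
    networks reach the Message Server HTTP port. A deny-from-anywhere rule
    for that port shadows everything after it, so scanning stops there;
    a deny placed after a broad allow does not protect the service."""
    port = ms_http_port(instance_nr)
    trusted_nets = [ipaddress.ip_network(t) for t in trusted]
    findings = []
    for name, cidr, lo, hi, action in rules:
        if not lo <= port <= hi:
            continue  # rule does not cover the Message Server HTTP port
        src = ipaddress.ip_network(cidr)
        if action == "deny":
            if src.prefixlen == 0:
                break  # all later rules are unreachable for this port
            continue
        if not any(src.subnet_of(net) for net in trusted_nets):
            findings.append(name)
    return findings

if __name__ == "__main__":
    for rule in exposed_rules(SAMPLE_RULES, instance_nr=1):
        print(f"Message Server HTTP reachable from untrusted source via rule: {rule}")
```
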


The most critical issues closed by SAP Security Notes November 2016 identified by other researchers

The most dangerous vulnerabilities of this update can be patched by the following SAP Security Notes:

  • 2357141: SAP Report for Terminology Export component has an OS command execution vulnerability (CVSS Base Score: 9.1). An attacker can use an OS command execution vulnerability for unauthorized execution of operating system commands. Executed commands will run with the same privileges as the service that executed the command. An attacker can access arbitrary files and directories located in a SAP server file system, including application source code, configuration, and critical system files. It allows obtaining critical technical and business-related information stored in a vulnerable SAP system. Install this SAP Security Note to prevent the risks.
  • 2371726: SAP Text Conversion component has an OS command execution vulnerability (CVSS Base Score: 9.1). An attacker can use an OS command execution vulnerability for unauthorized execution of operating system commands. Executed commands will run with the same privileges as the service that executed the command. An attacker can access arbitrary files and directories located in a SAP server file system, including application source code, configuration, and critical system files. It allows obtaining critical technical and business-related information stored in a vulnerable SAP system. Install this SAP Security Note to prevent the risks.
  • 2366512: SAP Software Update Manager component has an Information Disclosure vulnerability (CVSS Base Score: 7.5). An attacker can use an information disclosure vulnerability to reveal additional information, which will help them to learn about a system and to plan further attacks. During an upgrade of SAP NetWeaver-based products, the MSSQL database shadowuser credentials are stored in log files in plain text. Install this SAP Security Note to prevent the risks.

Advisories for these SAP vulnerabilities with technical details will be available in 3 months on erpscan.com. Exploits for the most critical vulnerabilities as well as attack signatures are already available in ERPScan Security Monitoring Suite.

SAP customers as well as companies providing SAP Security Audit, SAP Vulnerability Assessment, or SAP Penetration Testing services should be well-informed about the latest SAP Security news. Stay tuned for next month’s SAP Cyber Threat Intelligence report.
