SAP Cyber Threat Intelligence Report – June 2017

Thursday, June 15, 2017

Alexander Polyakov


The SAP threat landscape keeps growing, putting organizations of all sizes and industries at risk of cyberattacks. The SAP Cyber Threat Intelligence report aims to provide insight into the latest security threats and vulnerabilities.

Key takeaways

  • In June, the vendor released 29 patches (slightly more than the 2017 average of 25 fixes);
  • Among them, there is a critical DoS vulnerability affecting SAP Host Agent. The issue is remotely exploitable and more than 3400 vulnerable services are exposed to the Internet.
  • The most common vulnerability type is XSS.

SAP Security Notes – June 2017

SAP has released the monthly critical patch update for June 2017. This patch update includes 29 SAP Security Notes (21 SAP Security Patch Day Notes and 8 Support Package Notes).

11 of all the Notes were released after the second Tuesday of the previous month and before the second Tuesday of this month. 5 of all the Notes are updates to previously released Security Notes.

5 of the released SAP Security Notes have a High priority rating. The highest CVSS score of the vulnerabilities is 7.5.

SAP Security Notes June by priority

The most common vulnerability type is XSS (PDF).

SAP Security Notes June 2017 by type

Issues that were patched with the help of ERPScan

This month, 3 critical vulnerabilities identified by ERPScan’s researchers Mathieu Geli, Nursultan Abubakirov, and Vahagn Vardanyan were closed.

Below are the details of the SAP vulnerabilities identified by the ERPScan team.

  • A Denial of Service vulnerability in SAP NetWeaver Instance Agent Service (CVSS Base Score: 7.5). The fix is available in SAP Security Note 2389181. An attacker can exploit the vulnerability to terminate a process of the vulnerable component. While the process is down nobody can use the service, which disrupts business processes, causes system downtime and, as a result, damages business reputation.
  • A Cross-Site Scripting vulnerability in SAP NetWeaver Composite Application Framework and Business Warehouse Test Integration (CVSS Base Score: 6.1). The fix is available in SAP Security Note 2405943. An attacker can exploit the vulnerability to inject a malicious script into a page. The script can access cookies, session tokens and other critical information stored and used for interaction with the web application. An attacker can thereby hijack a user session and learn business-critical information; in some cases, it is possible to take control over this information. XSS can also be used to modify displayed content without authorization.
  • An Open Redirect vulnerability in SAP Data Services Management Console (CVSS Base Score: 4.3). The fix is available in SAP Security Note 2472026. An attacker can use the vulnerability to redirect a user to a phishing or malicious site without the user realizing it. The flaw exists because the application takes a parameter and redirects the user to the parameter's value without any validation.
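The last point describes the root cause of an open redirect: a redirect target taken from a request parameter and used verbatim. The following added example (not code from the report or from any SAP product; the host name `console.example.com` and the handler names are constructed for illustration) contrasts that pattern with a validation routine that rejects the common ways a parameter value escapes a naive "starts with a slash" check.

```python
from urllib.parse import urlsplit

# Constructed value: the only host a post-login redirect may point at.
# This is an assumption for the example, not an SAP configuration item.
ALLOWED_HOST = "console.example.com"


def is_safe_redirect(target: str) -> bool:
    """Return True only if `target` stays on the application's own origin.

    Handles the usual bypasses of a 'must start with /' check:
    protocol-relative '//other.host', backslashes (browsers treat them as
    forward slashes), non-http schemes such as javascript:, credentials in
    the authority ('ourhost@other.host'), and scheme-only forms ('https:host').
    """
    if not target:
        return False
    candidate = target.replace("\\", "/")   # normalise backslash tricks first
    parts = urlsplit(candidate)
    if parts.scheme and parts.scheme not in ("http", "https"):
        return False                        # javascript:, data:, vbscript: ...
    if parts.netloc:
        # Absolute or protocol-relative URL: whole authority must match exactly,
        # so 'console.example.com@other.host' and odd ports are refused too.
        return parts.netloc.lower() == ALLOWED_HOST
    # Relative URL: accept only an absolute path on this site.
    return candidate.startswith("/") and not candidate.startswith("//")


def redirect_after_login_vulnerable(return_to: str) -> str:
    """The flawed pattern the note describes: parameter value used as-is."""
    return return_to


def redirect_after_login_fixed(return_to: str, default: str = "/home") -> str:
    """Hardened variant: anything that fails validation falls back to a fixed local page."""
    return return_to if is_safe_redirect(return_to) else default


if __name__ == "__main__":
    # Constructed sample parameter values, as a user agent might submit them.
    for value in ["/reports?id=1", "//other.example/login", "/\\other.example",
                  "https://console.example.com@other.example/", "javascript:alert(1)"]:
        print(f"{value!r:45} -> {redirect_after_login_fixed(value)}")
```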

About the DoS Vulnerability in SAP Host Agent Service: 3400+ services at risk

SAP Host Agent performs several life-cycle management tasks, such as operating system monitoring, database monitoring, system instance control, and provisioning.

This month, the vendor closed a Denial of Service vulnerability affecting this component (reported by ERPScan back in November 2016). A DoS attack has a direct impact on availability, as it causes response delays and service interruptions. The vulnerability can be exploited over the network without any authentication.

A custom non-intrusive scan reveals that 3400+ such services are exposed to the Internet, with the largest share located in the USA, India, and China. As the vulnerability is remotely exploitable, these services are at risk of anonymous attack.


ERPScan recommends that companies install the appropriate patch as soon as possible.

Critical issues closed by SAP Security Notes June 2017 identified by other researchers

The most dangerous vulnerabilities of this update can be patched by the following SAP Security Notes:

  • 2313631: BILaunchPad and Central Management Console have a Denial of Service vulnerability (CVSS Base Score: 7.5). An attacker can exploit the vulnerability to terminate a process of the vulnerable component. While the process is down nobody can use the service, which disrupts business processes, causes system downtime and, as a result, damages business reputation. Install this SAP Security Note to prevent the risks.
  • 2396544: SAP BusinessObjects Web Intelligence HTML interface has a Cross-Site Scripting vulnerability (CVSS Base Score: 7.1). An attacker can exploit the vulnerability to inject a malicious script into a page. The script can access cookies, session tokens and other critical information stored and used for interaction with the web application. An attacker can thereby hijack a user session and learn business-critical information; in some cases, it is possible to take control over this information. XSS can also be used to modify displayed content without authorization. Install this SAP Security Note to prevent the risks.
  • 2444321: SAP CommonCryptoLib has a Missing Certificate Verification vulnerability (CVSS Base Score: 7). Without the certificate check, the function cannot tell whether the data being verified was signed by an unauthenticated or unauthorized person or system. Install this SAP Security Note to prevent the risks.

Advisories for these SAP vulnerabilities, including technical details, will be published on erpscan.com in 3 months.
