SAP Security Notes June 2016 – Review

SAP has released the monthly critical patch update for June 2016. This patch update closes 21 vulnerabilities in SAP products including 15  SAP Security Patch Day Notes and 6 Support Package Notes. 8 of all Notes were released after the second Tuesday of the previous month and before the second Tuesday of this month. 3 of all notes are updates to previous Security Notes.

3 of all closed SAP Securtiy Notes have a high priority rating and 1 has a Hot News rating. The highest CVSS score of the vulnerabilities is 9.1.

Most of the discovered vulnerabilities belong to the SAP NetWevwer  ABAP platform, the oldest and the most widespread one. It is a backend platform for most of the common business applications such as ERP, CRM, SRM, and PLM.

The most common vulnerability types are Cross-site scripting and Missing authorization check.

This month, 4 critical vulnerabilities identified by ERPScan’s researchers Nursultan Abubakirov, Alexander Polyakov, and Vahagn Vardanyan were closed.

How long does it take a vendor to patch an issue?

Third-party researchers discover numerous security issues in various products on a daily basis. A responsible vendor usually tries to fix an issue in a timely fashion. As a rule, it takes a vendor approximately 1-3 months to release a patch. However, some of vulnerabilities are not easy to close (especially architectural ones). As long as SAP is concerned, the required time to patch a security issue is 3 months, according to rough estimations.

This month, SAP fixed a vulnerability detected by ERPScan researcher Alexander Polyakov 3 years ago. The identified cybersecurity issue is an Information Disclosure vulnerability in BI Reporting and Planning of the Business Warehouse (BW) component. The product can transform and consolidate business information from virtually any source system.

The issue was reported about on the 20th of April, 2013. It means that it took SAP more than 3 years to fix the issue. Moreover, not all companies implement a patch after the release date. As the Invoker Servlet case [external links not allowed] shows, sometimes SAP systems stay unpatched even for 5 years after the Security Note release. Taking into account that vulnerability impact is rather severe (CVSS v3 Base Score: 5.3/10), as it allows an attacker to discover information useful for further attacks, the unpatched vulnerability put companies at serious risks.

Issues that were patched with the help of ERPScan

Below are the details of the SAP vulnerabilities  that were found by ERPScan [external links not allowed] researchers.

• A Cross-site scripting vulnerability in SAP ecattping (CVSS Base Score: 6.1). Update is available in SAP Security Note 2256178. An attacker can use Cross-site scripting vulnerability to inject a malicious script into a page.
• An Information disclosure vulnerability in SAP BI Reporting and Planning (CVSS Base Score: 5.3). Update is available in SAP Security Note 2197262. An attacker can use an Information disclosure vulnerability to reveal additional information (system data, debugging information, etc) which will help an attacker to learn about a system and to plan further attacks.
• A Denial of service vulnerability in SAP Sybase SQL Anywhere MobiLink Synchronization Server (CVSS Base Score: 4.9). Update is available in SAP Security Note 2308778. An attacker can use a Denial of service vulnerability to terminate a process of a vulnerable component. For this period of time, nobody can use this service, this fact negatively affects business processes, system downtime, and, as a result, business reputation.
• A Directory traversal vulnerability in SAP Data Services (CVSS Base Score: 2.7). Update is available in SAP Security Note 2300346. An attacker can use a Directory traversal to access arbitrary files and directories located in an SAP server filesystem including application source code, configuration, and system files. It allows obtaining critical technical and business-related information stored in a vulnerable SAP system.

Other critical issues closed by SAP Security Notes June 2016

Some of our readers and clients asked us to categorize the most critical SAP vulnerabilities to patch them first. Companies providing SAP Security Audit, SAP Vulnerability Assessment, or SAP Penetration Testing [external links not allowed] services can include these vulnerabilities in their checklists. The most critical vulnerabilities of this update can be patched by the following SAP Security Notes:

• 2306709: SAP Documentation and Translation Tools has a Code injection vulnerability (CVSS Base Score: 9.1 ). Depending on the code, attacker can inject and run their own code, obtain additional information that should not be displayed, modify data, delete data, modify the system output, create new users with higher privileges, control the behavior of the system, or potentially escalate privileges by executing malicious code or even to perform a DoS attack. Install this SAP Security Note to prevent the risks.
• 2222731: SAP DesignStudio SFIN has a Cross-site scripting vulnerability (CVSS Base Score: 8.8 ). An attacker can use Cross-site scripting vulnerability to inject a malicious script into a page. Install this SAP Security Note to prevent risks.
• 2308217: SAP Web-Survey has an XML external entity vulnerability (CVSS Base Score: 7.5 ). An attacker can use an XML external entity vulnerability to send specially crafted unauthorized XML requests which will be processed by XML parser. An attacker can use an XML external entity vulnerability to get unauthorised access to OS filesystem. Install this SAP Security Note to prevent risks.

It is highly recommended that SAP customers patch all those SAP vulnerabilities to prevent business risks affecting SAP systems.

SAP has traditionally thanked the security researchers from ERPScan for found vulnerabilities on its acknowledgment page.