
SAP Cyber Threat Intelligence Report for April 2017


The results are in on the latest cyber security threats for SAP software. Read on to find out if these vulnerabilities affect you and how to mitigate them.


The SAP threat landscape keeps growing, putting organizations of all sizes and industries at risk of cyberattacks. The SAP Cyber Threat Intelligence report exists to provide insight into the latest security threats and vulnerabilities.

Key Takeaways

  • This month, the software vendor released 27 SAP Security Notes; the most common vulnerability type among them is a missing authorization check.
  • The most severe vulnerability is a remote command execution (RCE) in SAP TREX/BWA, rated CVSS 9.4.

SAP Security Notes for April 2017

SAP has released the monthly critical patch update for April 2017. This patch update includes 27 SAP Notes (17 SAP Security Patch Day Notes and 10 Support Package Notes).

12 of the Notes were released after the second Tuesday of the previous month and before the second Tuesday of this month. 5 of the Notes are updates to previously released Security Notes.

5 of the released SAP Security Notes have a High priority rating and 1 was assessed as Hot News. The highest CVSS score among the vulnerabilities is 9.4.

Figure: SAP Security Notes April 2017 by priority

The most common vulnerability type is Missing Authorization check.

Figure: SAP Security Notes April 2017 by type

Issues That Were Patched With the Help of ERPScan

This month, 4 critical vulnerabilities identified by ERPScan’s researchers Mathieu Geli and Vahagn Vardanyan were closed.

Below are the details of the SAP vulnerabilities identified by ERPScan researchers.

  • Remote command execution vulnerability in SAP TREX/BWA (CVSS Base Score: 9.4). The update is available in SAP Security Note 2419592. A remote command execution vulnerability allows an attacker to inject code that the application then executes. The injected commands run with the same privileges as the service that executed them.
  • Cross-Site Scripting vulnerability in SAP NetWeaver Central Technical Configuration (CVSS Base Score: 6.3). The update is available in SAP Security Note 2406783. An attacker can use a cross-site scripting vulnerability to inject a malicious script into a page. The malicious script can access all cookies, session tokens, and other critical information stored by the browser and used for interaction with the web application. An attacker can gain access to the user session and learn business-critical information; in some cases, it is possible to take control of this information. XSS can also be used to modify displayed content without authorization.
  • Cross-Site Scripting vulnerability in SAP NetWeaver Java Archiving Framework (CVSS Base Score: 6.1). The update is available in SAP Security Note 2308535. An attacker can use a cross-site scripting vulnerability to inject a malicious script into a page. The malicious script can access all cookies, session tokens, and other critical information stored by the browser and used for interaction with the web application. An attacker can gain access to the user session and learn business-critical information; in some cases, it is possible to take control of this information. XSS can also be used to modify displayed content without authorization.
  • XML external entity vulnerability in SAP Knowledge Management ICE Service (CVSS Base Score: 4.9). The update is available in SAP Security Note 2387249. An attacker can use an XML external entity vulnerability to send specially crafted, unauthorized XML requests that are processed by the XML parser. An XML external entity vulnerability can be used to gain unauthorized access to the OS file system.

The Most Critical Issues Closed by SAP Security Notes April 2017 Identified by Other Researchers

The most dangerous vulnerabilities of this update can be patched by the following SAP Security Notes:

  • 2421287: SAP SAPLPD has a Denial of Service vulnerability (CVSS Base Score: 7.5). An attacker can use a denial of service vulnerability to terminate a process of the vulnerable component. While the process is down, nobody can use the service, which disrupts business processes, causes system downtime and, as a result, harms business reputation. Install this SAP Security Note to prevent these risks.
  • 2410082: SAP Web Dynpro Flash Island has an XML external entity vulnerability (CVSS Base Score: 7.5). An attacker can use an XML external entity vulnerability to send specially crafted, unauthorized XML requests that are processed by an XML parser. An XML external entity vulnerability can be used to gain unauthorized access to the OS file system. Install this SAP Security Note to prevent these risks.
  • 2423486: SAP NetWeaver ADBC Demo Programs have a Missing Authorization Check vulnerability (CVSS Base Score: 6.3). An attacker can use a missing authorization check vulnerability to access a service without going through any authorization procedure and to use service functionality that should be restricted. This can lead to information disclosure, privilege escalation, and other attacks. Install this SAP Security Note to prevent these risks.
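Both XML external entity items in this report (the Knowledge Management ICE Service note above and the Web Dynpro Flash Island note here) share one root cause: an XML parser that honours entity declarations supplied by the requester. The standard mitigation is to refuse any DTD before the document reaches application logic, since without a DTD there is no way to declare an external entity or an entity-expansion bomb. The following Python example is added here for illustration and is not SAP's or ERPScan's code; it uses the standard library expat module, and the element names, the file path in the entity and the sample documents are constructed for the demo.

```python
"""Reject XML that declares a DOCTYPE or any entity before the application
parses it. Added illustration, not SAP code; sample documents below are
constructed for this demo."""
import xml.parsers.expat as expat


class UnsafeXML(Exception):
    """Raised when a document uses DTD features that enable XXE attacks."""


def parse_without_dtd(data: bytes) -> dict:
    """Parse XML with expat, aborting on any DOCTYPE or entity declaration.

    Refusing the DTD entirely blocks both external entities (file or URL
    disclosure) and internal entity expansion (denial of service).
    """
    parser = expat.ParserCreate()
    elements: list = []   # element names in document order
    text: list = []       # character data chunks

    def on_doctype(name, system_id, public_id, has_internal_subset):
        # Fires before any entity in the internal subset is declared.
        raise UnsafeXML(
            f"DOCTYPE not allowed (root={name!r}, system_id={system_id!r})")

    def on_entity_decl(name, is_parameter, value, base, system_id,
                       public_id, notation):
        # Defence in depth: unreachable while DOCTYPE is rejected above.
        raise UnsafeXML(f"entity declaration not allowed ({name!r})")

    def on_external_entity(context, base, system_id, public_id):
        # Defence in depth: never fetch a referenced external resource.
        raise UnsafeXML(f"external entity reference blocked ({system_id!r})")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_entity
    parser.StartElementHandler = lambda name, attrs: elements.append(name)
    parser.CharacterDataHandler = text.append
    parser.Parse(data, True)
    return {"elements": elements, "text": "".join(text).strip()}


def classify_xml(data: bytes) -> str:
    """Return 'accepted' or 'rejected: <reason>' for a submitted document."""
    try:
        parse_without_dtd(data)
    except UnsafeXML as exc:
        return f"rejected: {exc}"
    except expat.ExpatError as exc:
        return f"rejected: malformed XML ({exc})"
    return "accepted"


# Constructed sample inputs: a benign order document, an external-entity
# attempt against a hypothetical path, and an entity-expansion document.
CLEAN = b"""<?xml version="1.0"?>
<order><item sku="A-100">2</item></order>"""

EXTERNAL_ENTITY = b"""<?xml version="1.0"?>
<!DOCTYPE order [<!ENTITY ext SYSTEM "file:///example/secret.txt">]>
<order><item>&ext;</item></order>"""

EXPANSION = b"""<?xml version="1.0"?>
<!DOCTYPE lol [<!ENTITY a "aaaaaaaaaa"><!ENTITY b "&a;&a;&a;&a;">]>
<lol>&b;</lol>"""

if __name__ == "__main__":
    for label, doc in (("clean", CLEAN), ("external entity", EXTERNAL_ENTITY),
                       ("entity expansion", EXPANSION)):
        print(f"{label:17}: {classify_xml(doc)}")
```

The gatekeeper rejects the document at the DOCTYPE declaration, before any entity is defined or resolved, so the two fallback handlers exist only as a safety net. Java-based parsers expose the same control as the `disallow-doctype-decl` feature; whatever the stack, the check belongs in front of every endpoint that accepts XML from clients, not only the ones a Security Note happens to name.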

Advisories for these SAP vulnerabilities with technical details will be available in 3 months on erpscan.com. Exploits for the most critical vulnerabilities are already available in ERPScan Security Monitoring Suite.

SAP customers, as well as companies providing SAP Security Audit, SAP Vulnerability Assessment, or SAP Penetration Testing services, should be well-informed about the latest SAP Security news. Stay tuned for next month’s SAP Cyber Threat Intelligence report.


Published at DZone with permission of Alexander Polyakov, DZone MVB. See the original article here.
