SAP Cyber Threat Intelligence Report – November 2018
November experienced a lot of new vulnerabilities and cyber threats.
The SAP threat landscape is always expanding and putting organizations of all sizes and industries at risk of cyber attacks. The idea behind the monthly SAP Cyber Threat Intelligence report is to provide insight into the latest security vulnerabilities and threats.
- The recent patch update consists of 16 patches with the majority of them rated medium.
- The most common vulnerability types are Implementation Flaw and Denial of Service.
- This month, SAP fixes a security vulnerability in SAP HANA Streaming Analytics with a Hot News priority rating (related CVEs: CVE-2018-1270, CVE-2018-1275).
SAP Security Notes – November 2018
SAP has released the monthly critical patch update for November 2018. This patch update closes 16 SAP Security Notes (12 SAP Patch Day Notes and 4 Support Package Notes). Four of the patches are updates to previously released Security Notes.
The number of released patches is progressively decreasing.
Below is a chart illustrating the SAP security notes distribution by priority.
This month, two types of security issues were prevalent: Implementation Flaw and Denial of Service are the largest groups in terms of the number of vulnerabilities.
28 percent of all vulnerabilities belong to the SAP NetWeaver ABAP platform, as the pie chart shows.
SAP users are advised to apply security patches as soon as they are released, since timely patching helps protect the SAP landscape.
Critical Issues Closed by SAP Security Notes in November
The following SAP Security Notes address the most severe vulnerabilities of this update:
- 2681280: SAP HANA Streaming Analytics has a security vulnerability in the Spring Framework (CVSS Base Score: 9.9; CVE-2018-1270, CVE-2018-1275). An attacker can use this remote command execution vulnerability to execute commands remotely without authorization. Executed commands run with the privileges of the service that executed them. An attacker can access arbitrary files and directories located in the SAP server file system, including application source code, configuration, and critical system files, and thereby obtain critical technical and business-related information stored in the vulnerable SAP system. Install this SAP Security Note to prevent these risks.
- 2691126: SAP Fiori Client has multiple vulnerabilities (DoS, HTML Injection, Missing Authorization Check) (CVSS Base Score: 8.6; CVE-2018-2485, CVE-2018-2488, CVE-2018-2491, CVE-2018-2489, CVE-2018-2490). An attacker can exploit any one of the listed vulnerabilities or combine them. A Denial of Service vulnerability can be used to terminate the process of the vulnerable component, making the service unavailable to its users. A missing authorization check vulnerability can be used to access a service without going through its authorization procedures and to use service functionality that should be restricted; this can lead to information disclosure or further attacks such as privilege escalation. Cross-site scripting vulnerabilities allow a malicious script to be injected into a page. Reflected XSS relies on tricking a user into following a malicious link. In the case of stored XSS, the malicious script is injected and permanently stored in the page body, so the user is attacked without performing any action. The malicious script can access critical information stored by the browser (including all cookies, session tokens, etc.) and used for interacting with the site. An attacker can gain access to the user's session and view all business-critical information, or even take control over it. XSS can also be used to modify displayed site content without authorization. Install this SAP Security Note to prevent these risks.
- 2657670: Web Intelligence Richclient 3 Tiers Mode has a Denial of Service (DoS) vulnerability (CVSS Base Score: 7.7; CVE-2018-2473). An attacker can use this Denial of Service vulnerability to terminate a process of the vulnerable component, making the service unavailable to its users. This negatively affects business processes, causes system downtime, and damages business reputation as a result. Install this SAP Security Note to prevent these risks.
Advisories for these SAP vulnerabilities with technical details will be available in three months on erpscan.com. Exploits for the most critical vulnerabilities are already available in ERPScan Security Monitoring Suite.
Published at DZone with permission of Alexander Polyakov, DZone MVB.