Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

SAP Security Notes August 2015

From: ERPScan inc <erpscan.online () gmail com>
Date: Thu, 13 Aug 2015 11:56:17 +0300
SAP <http://www.sap.com/> has released
<http://scn.sap.com/community/security/blog/2015/08/11/sap-security-patch-day-summary--august-2015>the
monthly critical patch update for August 2015. This patch update closes 22
vulnerabilities in SAP products, 15 have high priority, some of them belong
to the SAP HANA security area. The most popular vulnerability is Cross Site
Scripting (XSS). This month, three critical vulnerabilities found by
ERPScan researchers Dmitry Chastuhin, Vahagn Vardanyan, Roman Bejan were
closed.


*Issues that were patched with the help of ERPScan*


Below are the details of SAP vulnerabilities that were found by ERPScan
<http://www.erpscan.com/> researchers.



   - An XML eXternal Entity vulnerability in SAP Mobile Platform 2.3 (CVSS
   Base Score: 4.9). Update is available in SAP Security Note 2152227
   <https://service.sap.com/sap/support/notes/2152227>. An attacker can use
   XML eXternal Entities to send specially crafted unauthorized XML requests,
   which will be processed by the XML parser. The attacker will get
   unauthorized access to the OS file system.
   - An XML eXternal Entity vulnerability in SAP NetWeaver Portal (CVSS
   Base Score: 4.9). Update is available in SAP Security Note 2168485
   <https://service.sap.com/sap/support/notes/2168485>. An attacker can use
   XML eXternal Entities to send specially crafted unauthorized XML requests,
   which will be processed by the XML parser. The attacker will get
   unauthorized access to the OS file system.
   - An XSS vulnerability in SAP Afaria 7 (CVSS Base Score: 4.3). Update is
   available in SAP Security Note 2152669
   <https://service.sap.com/sap/support/notes/2152669>. An attacker can
   modify displayed application content without authorization and steal
   authentication data (cookie).


*The most critical issues found by other researchers*


Some of our readers and clients asked us to categorize the most critical
SAP vulnerabilities to patch them first. Companies providing SAP Security
Audit, SAP Security Assessment, or SAP Penetration Testing services can
include these vulnerabilities in their checklists. The most critical
vulnerabilities of this update can be patched by the following SAP Security
Notes:



   - 2037304: <https://service.sap.com/sap/support/notes/2037304> SAP ST-P
   has a Remote Command Execution vulnerability (CVSS Base Score: 8.5). An
   attacker can use Remote Command Execution to run commands remotely.
   Executed commands will run with the privileges of the service that executes
   them. An attacker can access arbitrary files and directories located in an
   SAP server filesystem, including application source code, configuration,
   and critical system files. It allows obtaining critical technical and
   business-related information stored in the vulnerable SAP system. It is
   recommended to install this SAP Security Note to prevent risks.
   - 2169391 <https://service.sap.com/sap/support/notes/2169391>: SAP
   NetWeaver AFP Servlet has a Reflected File Download vulnerability (CVSS
   Base Score: 7.5). Reflected File Download (RFD) is a web attack vector
   that enables attackers to gain complete control over a victim's machine. In
   an RFD attack, the user follows a malicious link to a trusted domain
   resulting in a file download from that domain. It is recommended to install
   this SAP Security Note to prevent risks.
   - 2175928 <https://service.sap.com/sap/support/notes/2175928>: SAP HANA
   has a Running Process Remote Termination vulnerability (CVSS Base Score:
   6.8). An attacker can use this vulnerability to terminate the process of
   a vulnerable component. Nobody will be able to use this service, which has
   a negative impact on business processes, system downtime, and business
   reputation. It is recommended to install this SAP Security Note to prevent
   risks.
   - 2165583 <https://service.sap.com/sap/support/notes/2165583>: SAP HANA
   has an incorrect system configuration vulnerability (CVSS Base Score: 6.6).
   SAP HANA internal services could be accessed without authentication if the
   HANA system is insecurely configured and no other security measures are in
   place. This could endanger system availability, data confidentiality and
   integrity. It is recommended to install this SAP Security Note to prevent
   risks.


It is highly recommended to patch all those SAP vulnerabilities to prevent
business risks affecting your SAP systems.


SAP has traditionally thanked the security researchers from ERPScan for
found vulnerabilities on their acknowledgment page
<http://scn.sap.com/docs/DOC-8218>.

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Previous By Date Next
Previous By Thread Next

Current thread: