Two denial of service vulnerabilities in SAP’s latest monthly patch batch can allow full system compromise, ERP security specialists warn.
SAP released 19 security notes on Tuesday that collectively fixed 26 vulnerabilities. The updates included patches designed to close two critical DoS issues.
Hackers might have been able to run attacks daisy-chaining the two vulnerabilities in order to obtain full remote control of vulnerable systems, according to ERPScan. The potential exploit shows how even low-impact vulnerabilities can be used together to gain full administrative access to the system.
ERPScan is holding off specifics on its find for 90 days in order to allow sysadmins to apply security updates to vulnerable systems.
SAP Advanced Business Application Programming security suite, kernel, Java and HANA all need patching to protect against multiple vulnerabilities. Ten of the SAP Security Notes (advisories) have a high priority rating. The highest CVSS score of the vulnerabilities is 7.5 (very high. The scale is 1 to 10, where 10 is the most severe.) The single most common vulnerability type is missing authorisation check (a factor in eight bulletins) ahead of cross-site scripting and details of service flaws. ®
SAP dropped us a line after the publication of the article: “SAP Product Security Response Team collaborates frequently with security research companies like ERPScan to ensure a responsible disclosure of vulnerabilities. All vulnerabilities recently disclosed by ERPScan have been fixed, and security patches are available for download on the SAP Service Marketplace.
“We strongly advise our customers to secure their SAP landscape by applying the available security patches immediately. For information on SAP's security notes and patches, please refer to https://support.sap.com/securitynotes.”