SAP Cyber Threat Intelligence report – July 2017

Friday, July 14, 2017

Alexander Polyakov


The SAP threat landscape keeps growing, putting organizations of all sizes and industries at risk of cyberattacks. The SAP Cyber Threat Intelligence report provides insight into the latest security threats and vulnerabilities.

Key takeaways

  • July’s set of SAP Security Notes consists of 23 patches, the majority of them rated medium.
  • The most severe vulnerabilities of this month affect SAP POS, a point-of-sale solution. They allow attackers to read, write and delete sensitive information and even monitor all content displayed in the receipt window of a POS, remotely and without authentication.

SAP Security Notes – July 2017

SAP has released the monthly critical patch update for July 2017. This patch update includes 23 SAP Security Notes (12 SAP Security Patch Day Notes and 11 Support Package Notes).

11 of the Notes were released after the second Tuesday of the previous month and before the second Tuesday of this month. 5 of the Notes are updates to previously released Security Notes.

4 of the released SAP Security Notes have a High priority rating. The highest CVSS score of the vulnerabilities is 8.1.

The most common vulnerability types are Missing Authentication check, Switchable authorization check, and Implementation flaw.

Issues that were patched with the help of ERPScan

This month, several critical vulnerabilities identified by ERPScan’s researchers Dmitry Chastuhin, Mathieu Geli, and Vladimir Egorov were closed by 3 SAP Security Notes.

Below are the details of the SAP vulnerabilities identified by the ERPScan team.

  • Multiple Missing authorization check vulnerabilities in SAP Point of Sale (PoS) (CVSS Base Score: 8.1). An update is available in SAP Security Note 2476601. An attacker can use a Missing authorization check vulnerability to access a service without any authorization procedure and use service functionality that has restricted access. This can lead to information disclosure, privilege escalation, and other attacks.
  • A Missing authorization check vulnerability in SAP Host Agent (CVSS Base Score: 7.5). An update is available in SAP Security Note 2442993. An attacker can use a Missing authorization check vulnerability to access a service without any authorization procedure and use service functionality that has restricted access. This can lead to information disclosure, privilege escalation, and other attacks.
  • Multiple vulnerabilities (Cross-site scripting and Cross-site request forgery) in SAP CRM Internet Sales Administration Console (CVSS Base Score: 6.1). An update is available in SAP Security Note 2478964. An attacker can exploit a Cross-site scripting vulnerability to inject a malicious script into a page. The malicious script can access cookies, session tokens and other critical information stored and used for interaction with a web application. An attacker can gain access to a user session and learn business-critical information; in some cases, it is possible to get control over this information. XSS can also be used to modify displayed content without authorization. Moreover, an attacker can use a Cross-site request forgery vulnerability to exploit an authenticated user’s session by making a request containing a certain URL and specific parameters; the function will then be executed with the authenticated user’s rights.

About Multiple Missing Authorization Check in SAP Point of Sale

SAP POS, a client-server point-of-sale (POS) solution from the German software maker, is part of its Retail solution portfolio, whose products are in use at 80% of the retailers in the Forbes Global 2000.

From a technical point of view, SAP POS consists of client applications, a store server side (serving connectivity, operational and administrative needs), and applications running in the head office that allow central configuration.


This month, SAP released Security Note 2476601 to close multiple severe vulnerabilities in SAP POS Xpress Server. The component lacks authentication checks for critical functionality. The missing authorization checks would allow an attacker to:

  • Read, write and delete files stored on the SAP POS server;
  • Shut down the Xpress Server application;
  • Monitor all content displayed in the receipt window of a POS.

The described malicious actions can be performed over the network without authentication.

The vulnerabilities were rated 8.1 by CVSS v3 base score, with all 3 impact metrics (Confidentiality, Integrity, and Availability) assessed High.

According to the rules of responsible disclosure, ERPScan doesn’t disclose technical details to allow SAP customers a period of time to patch the issues. Researchers who identified the vulnerabilities will deliver a talk at Hack in the Box Singapore (August 24) where they will demonstrate an attack vector against SAP POS.

Other critical issues closed by SAP Security Notes July

The most dangerous vulnerabilities of this update can be patched by the following SAP Security Notes:

  • 2453640: SAP Governance, Risk and Compliance Access Controls (GRC) has a Code injection vulnerability (CVSS Base Score: 6.5). Depending on the code type, an attacker can inject and run their own code, obtain additional information that should not be displayed, modify data, delete data, modify the output of the system, create new users with higher privileges, control the behavior of the system, potentially escalate privileges by executing malicious code, or even perform a DoS attack. Install this SAP Security Note to prevent the risks.
  • 2409262: SAP BI Promotion Management Application has an XML external entity vulnerability (CVSS Base Score: 6.1). An attacker can exploit a Cross-site scripting vulnerability to inject a malicious script into a page. The malicious script can access cookies, session tokens and other critical information stored and used for interaction with a web application. An attacker can gain access to a user session and learn business-critical information; in some cases, it is possible to get control over this information. XSS can also be used to modify displayed content without authorization. Install this SAP Security Note to prevent the risks.
  • 2398144: SAP Business Objects Titan has an XML external entity vulnerability (CVSS Base Score: 5.4). An attacker can use an XML external entity vulnerability to send specially crafted unauthorized XML requests that will be processed by the XML parser, and thereby gain unauthorized access to the OS filesystem. Install this SAP Security Note to prevent the risks.

Advisories for these SAP vulnerabilities with technical details will be available in 3 months on erpscan.com. Exploits for the most critical vulnerabilities are already available in ERPScan Security Monitoring Suite.
