SAP Cyber Threat Intelligence Report – December 2017

Thursday, December 14, 2017

Alexander Polyakov

The SAP threat landscape keeps expanding, putting organizations of all sizes and industries at risk of cyberattacks. The idea behind the SAP Cyber Threat Intelligence report is to provide insight into the latest security vulnerabilities and threats.

Key takeaways

  • This set of SAP Security Notes consists of 19 patches with the majority of them rated medium.
  • Implementation Flaw remains the most common vulnerability type this month.
  • Researchers found a vulnerability in SAP HANA XS classic user self-service while examining the patch for a six-month-old vulnerability that allowed an unauthenticated user to distinguish valid from invalid user accounts.
  • SAP re-released a patch for a 3-year-old security issue.

SAP Security Notes – December 2017

SAP has released the monthly critical patch update for December 2017. This patch update includes 19 SAP Security Notes (15 SAP Security Patch Day Notes and 4 Support Package Notes) ranging from Medium to Very High priority. Four of the patches are updates to previously released Security Notes.

Six of the Notes were released after the second Tuesday of the previous month and before the second Tuesday of this month.

Three of the released SAP Security Notes received a High priority rating, and one, an update to a previously released SAP Note, was assessed as Hot News with the highest CVSS score of 9.1.

The most common vulnerability type is Implementation Flaw.

SAP users are recommended to implement security patches as they are released.

Issues that were patched with the help of ERPScan

This month, one critical vulnerability identified by ERPScan’s researcher Mikhail Medvedev was closed.

  • A Log injection vulnerability in SAP HANA XS classic user self-service (CVSS Base Score: 5.3, CVE-2017-16687). The update is available in SAP Security Note 2549983. An attacker can use it to inject arbitrary data into the audit log. A large amount of bogus data complicates analysis of the audit log; it can also fill the disk rapidly and corrupt the event log.

Other critical issues closed by SAP Security Notes in December

The most dangerous vulnerabilities of this update can be patched with the help of the following SAP Security Notes:

  • 2449757: SAP Additional Authentication check in Trusted RFC has an Implementation Flaw vulnerability (CVSS Base Score: 7.6, CVE-2017-16689). Trusted RFC does not require a Trusted/Trusting Relation from a system to itself, because a system always trusts itself. The trust relationship maintained in transaction SMT1 is a secure way to identify remote trusted systems; for calls within the same system it is unnecessary, as the RFC infrastructure already knows in a secure way that the call originated from the same system. Install this SAP Security Note to prevent the risks.
  • 2537152: SAP BI Promotion Management Application has a Missing Authorization Check vulnerability (CVSS Base Score: 7.3, CVE-2017-16684). An attacker can use it to access a service without passing any authorization procedure and to use functionality that should be restricted. This can result in information disclosure, privilege escalation and other attacks. Install this SAP Security Note to prevent the risks.
  • 2537545: SAP BW Universal Data Integration has a Cross-Site Scripting (XSS) vulnerability (CVSS Base Score: 6.9, CVE-2017-16685). An attacker can exploit it to inject a malicious script into a page. Critical information stored and used in interaction with the web application can then be accessed: the attacker might hijack the user session, learn business-critical information, or even gain control over this data. XSS can also be used to modify displayed content without authorization. Install this SAP Security Note to prevent the risks.

Advisories for these SAP vulnerabilities with technical details will be available in 3 months on erpscan.com. Exploits for the most critical vulnerabilities are already available in ERPScan Security Monitoring Suite.

Information Disclosure vulnerability in SAP HANA XS Classic User Self-Service

Six months ago, Onapsis identified a bug that allowed obtaining a list of users in Self-Service: an attacker could abuse the “forgot password” functionality, because its differing error messages revealed whether a given user existed. It was reported to SAP and a patch was released.

Afterwards, one of ERPScan’s researchers explored this fix and identified another vulnerability in the same service, the log injection issue described above.

It turns out that the researcher bypassed the check simply by adding a space to the user’s name and received the following response:

{"name":"SystemError","message":"dberror(Connection.prepareStatement): 331 - user name already exists: : line 1 col 24 (at pos 23)"}
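As an added example (not SAP’s XSJS code and not the researchers’ proof of concept), the following Node.js sketch models a hypothetical self-service “create user” handler with the two weaknesses described above and their mitigations: the vulnerable handler answers differently for existing and unknown names, lets a name that differs only by a trailing space reach the database where a raw error leaks, and writes the name verbatim into the audit log; the hardened handler normalizes and validates the name, returns one uniform response, and strips control characters before logging. EXISTING_USERS, the handler functions and the in-memory audit log are constructed for this example.

```javascript
// Added example, not SAP's XSJS code: a hypothetical self-service "create user" handler
// showing the weaknesses the report describes and their mitigations. Sample data is constructed.
const EXISTING_USERS = new Set(["alice", "bob"]); // constructed sample account names
const auditLog = [];                               // stands in for the HANA audit log
function resetAuditLog() { auditLog.length = 0; }

// Vulnerable handler (modelled on the report): the existence check compares the raw
// string, so "alice " slips past it; the backend then trims the name and the raw
// database error ("user name already exists") leaks that the account is real.
// The name is also written verbatim into the audit log, so CR/LF in it forge extra lines.
function vulnerableCreateUser(name) {
  if (EXISTING_USERS.has(name)) {
    return { status: 400, body: "user already exists" };     // enumeration oracle #1
  }
  auditLog.push(`create-user name=${name}`);                 // log injection
  if (EXISTING_USERS.has(name.trim())) {                     // models the DB's trimming
    return { status: 500, body: `dberror: 331 - user name already exists: ${name}` }; // oracle #2
  }
  return { status: 200, body: "request accepted" };
}

// Hardened handler: normalize before every check, allow only a strict character set,
// answer identically whether or not the account exists, and sanitize log fields.
const USERNAME_RE = /^[a-z0-9._-]{3,32}$/;
const UNIFORM_REPLY = { status: 200, body: "If the request is valid, you will receive an email." };

// Replace control characters (including CR/LF) and cap length so one request yields one line.
function sanitizeForLog(value) {
  return String(value).replace(/[\x00-\x1f\x7f]/g, "?").slice(0, 64);
}

function hardenedCreateUser(name) {
  const normalized = String(name).normalize("NFKC").trim().toLowerCase();
  const field = `name="${sanitizeForLog(name)}"`;
  if (!USERNAME_RE.test(normalized)) {
    auditLog.push(`create-user ${field} result=rejected-format`);
    return { ...UNIFORM_REPLY };
  }
  const outcome = EXISTING_USERS.has(normalized) ? "duplicate" : "accepted";
  auditLog.push(`create-user ${field} result=${outcome}`);   // only the log sees the difference
  return { ...UNIFORM_REPLY };
}
```

The audit log, not the HTTP reply, is where the duplicate-versus-new distinction belongs, which is also why its entries must be protected from injected line breaks.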

Remote Command Execution vulnerability in Apache Struts

December’s set of SAP Security Notes includes 4 updates to previous fixes. One of them, the SBOP solution for the Apache Struts 1.x vulnerability, has a High priority rating. It is an update to an SAP Security Note released more than three years ago, in August 2014.

SAP patched the issue in a third-party product earlier and only recently noticed the vulnerability in Apache Struts itself. The vulnerability in Apache Struts enables an attacker to exploit the resources used to serve BI Launchpad, LCM and Monitoring.

SAP users are recommended to implement security patches as they are released.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.