SAP Security Notes August 2012 – Review


SAP released its monthly critical patch update for August 2012 which closes 24 vulnerabilities in SAP products (one related to HOT News, which is the most critical, 16 with high priority and 7 with medium).

The following problems were found:

  • 6 information disclosures
  • 4 missing authentification checks
  • 4 XSS
  • 2 directory traversals
  • 1 code injection
  • 1 hardcoded username
  • 1 denial of service

Vulnerabilities patched in August 2012

Some of our readers and clients were asking to categorize the most critical issues to patch them first. So, the most critical issues of this update can be patched by the following SAP Security Notes:

1727914 1677291 1663732 1687334 1684632

In this patch, some architectural issues were closed together with typical loopholes like XSS and missing auth checks. Like last month, the problems are related to the XML interface but another area of XML security was covered now. SAP closes XML encryption issues in patches 1687334 and 1684632 and it is recommended to install them preventing attacks on XML interfaces. Access to XML interfaces is usually secured by the authentication but there are some interfaces which can be accessed without the authentication, for example DilbertMSG. We disclosed the issue at BlackHat so it is also a good moment to check if SAP Security Note 1707494 is installed and implement it too.

Some of the other issues were found by ERPScan researchers Alexander Polyakov and Alexey Tyurin. They are not as critical as the aforementioned ones but they should also be patched.

The detailed list of the corrected vulnerabilities is below:

  • An XML entity vulnerability in SAP BW. Update is available in SAP Security Note 1728500. The criticality level is 5.0 according to CVSS.
  • An XSS vulnerability in SAP NetWeaver. Update is available in SAP Security Note 1721309. The criticality level is 4.3 according to CVSS.

SAP has traditionally published acknowledgements for found vulnerabilities to security researchers from ERPScan on their acknowledgement page.

It is highly recommended to patch all those issues to prevent business risks.

Checks for the new issues are available in ERPScan, the innovative SAP vulnerability assessment solution.

Do you want more?

Subscribe me to your mailing list