SAP Cyber Threat Intelligence report – October 2017
The SAP threat landscape is always growing thus putting organizations of all sizes and industries at risk of cyberattacks. The idea behind SAP Cyber Threat Intelligence report is to provide an insight into the latest security threats and vulnerabilities.
- This set of SAP Security Notes consists of 30 patches with the majority of them rated medium.
- A critical DoS vulnerability was found in SAP Enqueue service allowing to shut operations down, around 3000 of services are exposed to the internet.
- SAP Mobile Platform vulnerabilities are on the rise, 4 issues in different components of SAP Mobile infrastructure were patched.
SAP Security Notes – October 2017
SAP has released the monthly critical patch update for October 2017. This patch update includes 30 SAP Security Notes (17 SAP Security Patch Day Notes and 13 Support Package Notes). 9 of all the patches are updates to previously released Security Notes.
15 of all the Notes were released after the second Tuesday of the previous month and before the second Tuesday of this month.
5 of the released SAP Security Notes have a High priority rating. The highest CVSS score of the vulnerabilities is 7.7.
The most common vulnerability type is Information Disclosure.
DoS vulnerability in Enqueue service
One of the most critical loopholes fixed this month is a Denial of Service vulnerability in SAP Standalone Enqueue Server found by ERPScan researchers. This issue can be exploited by hackers in order to shut the business processes down, therefore compromising the company (the details are provided below).
After a today’s brief scan, ERPScan’s Research and Threat Intelligence Team has identified around 3000 instances of SAP systems with Enqueue service available online that pose a high risk of cyberattacks. The majority of these services are located in North America.
This is one of the most widespread SAP vulnerability this year so far.
SAP Mobile platform vulnerabilities
Nowadays companies tend to use more business applications and constantly involve mobile devices in their core business processes.
SAP like any other large vendor is also evolving towards greater mobility, therefore provides solutions for mobile users to interact with business applications.
SAP Mobile Platform (or SMP) is a mobile enterprise application platform solution designed to monitor and manage applications installed on mobile phones and access business data.
The “mobilization” opened unintentional doors to all the evil that comes along with integration and security. The purpose of SMP is providing business data to mobile devices with the enterprise cybersecurity.
This month, 4 issues in different components of SAP Mobile infrastructure were patched. Among them are 3 Information Disclosure vulnerabilities in SAP NetWeaver Mobile Client and one possible leakage of sensitive data in SAP Mobile Platform SDK. The vulnerabilities allow gaining access to critical data stored on mobile devices that use SAP NetWeaver mobile client such as passwords, keys and other sensitive information.
SAP users are recommended to implement security patches as they are released.
Issues that were patched with the help of ERPScan
This month, one critical vulnerability identified by ERPScan’s researcher Vahagn Vardanyan was closed.
Below are the details of the SAP vulnerability, which was identified by ERPScan team.
- A Denial of Service vulnerability in SAP Standalone Enqueue (CVSS Base Score: 7.5). Update is available in SAP Security Note 2476937. An attacker can use it to terminate a process of a vulnerable component. Nobody can use this service for this time. This fact negatively influences business processes, system downtime, and business reputation as a result.
Other critical issues closed by SAP Security Notes October
The most dangerous vulnerabilities of this update can be patched by the following SAP Security Notes:
- 2511453: SAP Mobile Platform SDK 3.0 has an Information Disclosure vulnerability (CVSS Base Score: 6.9). An attacker can exploit it for revealing additional information (system data, debugging information, etc.) that will help to learn about a system and to plan further attacks. Install this SAP Security Note to prevent the risks.
- 2517501: SAP ERP Funds Management Account Assignments has an Implementation flaw vulnerability (CVSS Base Score: 6.3). Depending on the problem, an implementation flaw can cause unpredictable behavior of a system, troubles with stability and safety. Patches solve configuration errors, add new functionality, and increase system stability. Install this SAP Security Note to prevent the risks.
- 2236258: Adobe Document Services has an XML external entity vulnerability (CVSS Base Score: 5.5). An attacker can use it to send specially crafted unauthorized XML requests which will be processed by XML parser. An attacker can use an XML external entity vulnerability for getting unauthorised access to OS file system. Install this SAP Security Note to prevent the risks.
Advisories for these SAP vulnerabilities with technical details will be available in 3 months on erpscan.com. Exploits for the most critical vulnerabilities are already available in ERPScan Security Monitoring Suite.