SAP has released the monthly critical patch update for April 2016. This patch update closes 26 vulnerabilities in SAP products including 19 SAP Security Patch Day Notes and 7 Support Package Notes. 8 of all Notes were released after the second Tuesday of the previous month and before the second Tuesday of this month.
10 of all closed SAP Security Notes have a high priority rating. The highest CVSS score of the vulnerabilities is 7.5.
Most of the discovered vulnerabilities belong to the SAP ABAP applications security.
The most common vulnerability type is Missing authorization check.
This month, 5 critical vulnerabilities identified by ERPScan’s researchers Nursultan Abubakirov, Dmitry Yudin, and Vahagn Vardanyan were closed.
How 2 DoS vulnerabilities can allow full system compromise
Two of the off-schedule patches addressing Denial of Service vulnerabilities discovered by Dmitry Yudin ( and ) were released on March, 14. On March,16 at the Troopers Security conference ERPScan director of SAP cyber security services Dimitry Chastuhin showed how to execute code remotely using these 2 DoS, one configuration mistake, and race condition vulnerability.
His presentation titled “Exploiting the unexploitable” proved that even low-impact vulnerabilities can be used together to gain full administrative access to the system. Since patching process on a real SAP landscape is time-consuming and costly, the idea to fix only the most dangerous security issues seems rather tempting, but, as we can see, completely insecure.
According to responsible disclosure rules, we can’t give any details of this attack vector before 90 days after disclosure.
Issues that were patched with the help of ERPScan
Below are the details of the SAP vulnerabilities that were found by ERPScan researchers.
- A Denial of service vulnerability in SAP Enqueue Server (CVSS Base Score: 7.5). Update is available in SAP Security Note 2258784. An attacker can use a Denial of service vulnerability to terminate a process of the vulnerable component. For this time, nobody can use this service, which negatively influences on business processes, system downtime and business reputation.
- A Denial of service vulnerability in SAP Internet Communication Manager (CVSS Base Score: 7.5). Update is available in SAP Security Note 2256185
- A Denial of service vulnerability in SAP jstart (CVSS Base Score: 7.5). Update is available in SAP Security Note 2259547.
- An XML external entity vulnerability in SAP UDDI (CVSS Base Score: 7.1). Update is available in SAP Security Note 2254389. An attacker can use an XML external entity vulnerability to send specially crafted unauthorized XML requests which will be processed by XML parser. An attacker can use an XML external entity vulnerability to get unauthorised access to OS filesystem.
- A Cross-site scripting vulnerability in SAP UR Control (CVSS Base Score: 6.1). Update is available in SAP Security Note 2201295. An attacker can use a Cross-site scripting vulnerability to inject a malicious script into a page. More information about XSS vulnerabilities in SAP systems is available in ERPScan’s research.
Other critical issues closed by SAP Security Notes April 2016
Some of our readers and clients asked us to categorize the most critical SAP vulnerabilities to patch them first. Companies providing SAP Security Audit, SAP Vulnerability Assessment, or SAP Penetration Testing services can include these vulnerabilities in their checklists. The most critical vulnerabilities of this update can be patched by the following SAP Security Notes:
- 2262710: SAP HANA DP Agent has a Denial of service vulnerability (CVSS Base Score: 7.5 ). An attacker can use a Denial of service vulnerability to terminate a process of the vulnerable component. For this time, nobody can use this service, which negatively influences on business processes, system downtime, and business reputation. Install this SAP Security Note to prevent the risks.
- 2262742: SAP HANA DP Agent has a Missing authorization check vulnerability (CVSS Base Score: 7.3 ). An attacker can use a Missing authorization check vulnerability to access a service without authorization and use service functionality that has restricted access. This can lead to information disclosure, privilege escalation, and other attacks. Install this SAP Security Note to prevent the risks.
- 2252191: SAP HANA XS Advanced Java Runtime has a Remote command execution vulnerability (CVSS Base Score: 7.3 ). An attacker can use a Remote command execution vulnerability to execute commands remotely without authorisation. Executed commands will run with the same privileges as the service that executed the command. An attacker can access arbitrary files and directories located in a SAP server filesystem including application source code, configuration, and critical system files. It allows obtaining critical technical and business-related information stored in the vulnerable SAP system. Install this SAP Security Note to prevent risks.
It is highly recommended that SAP customers patch all those SAP vulnerabilities to prevent business risks affecting SAP systems.
SAP has traditionally thanked the security researchers from ERPScan for found vulnerabilities ontheir acknowledgment page.