On December 15, SAP released its set of security patches for December 2016, the last one for 2016.
In a nutshell
The set of patches includes 20 Patch Day Security Notes, 2 updates for previously released Notes and 9 Notes released out of the schedule (i.e. after the second Tuesday of the previous month and before the second Tuesday of this month).
The highest CVSS score of the closed vulnerabilities is 7.3. The largest part of the Notes are assessed as Medium (22), 5 were rated Low Priority and 4 are High Priority.
Information disclosure, missing Authorization check, XSS, implementation issues, authentication bypasses, directory traversal, clickjacking, and other types of vulnerabilities were addressed.
Vulnerabilities in SAP for Defense & Security
SAP provides industry-specific software aimed to address requirements for a particular type of business. Unfortunately, these solutions are vulnerable as well. For example, vulnerabilities were identified in software for Banking, Retail, Utilities, and so on. This month, 3 vulnerabilities in SAP for Defense Forces & Public Security were closed.
SAP for Defense Forces & Public Security is a solution intended for armed forces, police, and aid organizations. It provides the following functions:
- Mapping organizational structures and material and personnel resource planning
- Accounting and Funds Management
- Materials Management
- Support for Flight Operations
The solution portfolio consists of 3 software components:
- The Defense Forces & Public Security (DFPS) component is part of SAP ERP and provides additional functions needed for defense and public security.
- SAP Mobile Defense & Security (SAP MDS) enables mobile functionality.
- SAP Military Data Exchange (SAP MDE) provides off-the-shelf force management capabilities that enable interoperability with Command and Control Information Systems (CCIS) and NATO Functional Area Services (FAS).
The closed issues affect 2 of the existing components, namely The Defense Forces & Public Security (2376998 and 2377067) and SAP Mobile Defense & Security (2374749). Both are susceptible to a Missing Authorization check. An issue potentially allows an attacker to read, modify or delete data access to which is restricted. As we deal with the defense industry, the information can be critical in terms of International security. The effect of even such low-impact vulnerability could be devastating when it comes to armed forces.
In overall, there were 9 SAP Security Notes to fix issues in the solution (including ones released this month). Vulnerability in mobile functionality of the portfolio was fixed for the first time.
SAP Vulnerabilities of 2016 in review
As the vendor releases the patches on the monthly basis, the December’s one is the last for the outgoing year, it’s time to reflect on the state of SAP Products Security in 2016. To keep it short, we decided to focus on 3 main criteria.
The number of patches has slightly grown (5%) compared to 2015 and totals 315.
Despite, the number of patches rated “Hot News” (the highest priority according to SAP’s classification) is not so big and equals to 9. The majority of Notes were Medium Priority (215, or 68%), following by High priority (74) and Low priority (17) patches.
The most common vulnerability types are XSS (119), Missing Authorization Check (80), and different kinds of implementation flaws (51). The first two categories do not raise any questions as these vulnerabilities are traditional leaders among SAP Systems vulnerabilities (see SAP Cyber Threat Report 2016). As regard the latter, Security Notes titled “Switchable authorization check” released in October constitute the largest part of this category (25). It’s also notable that this year the vendor paid its attention to Clickjacking vulnerabilities and closed 26 such issues.