​Reviewing first SAP Security update in 2017

On 9th of January, SAP released its first set of security fixes (SAP Security Notes) for the year 2017.

On the second Tuesday of January, 23 SAP Security Notes saw the release. The batch of patches includes 19 Patch Day Security Notes (the term is used for fixes released on the second Tuesday of a month) and 4 Notes published after the second Tuesday of a previous month and before the second Tuesday of a current month.

One of the Note was assessed as Hot News, or very critical, as it was rated 9.8 of 10 by CVSS base score v. 3.0.

The released fixes resolves such security issues as Missing Authorization Checks, XSS, Directory traversals, SQL Injections, Implementation flaws, Denial of service, information disclosure, XXE, and Buffer overflow.


Of note, 5 the most common vulnerability types of this patch update correspond with the most widespread SAP vulnerabilities in general. Namely, there are Cross-site scripting, Missing authorization checks, Directory traversals, Configuration flaws, and SQL injections (according to SAP Cyber Security in Figures. Global Threat Report).

Vulnerability type

Prevalence in SAP in mid -2016

Prevalence in SAP in mid- 2014

Prevalence in SAP till mid-2013

1 - XSS

1

1

1

2 - Missing authorization check

2

2

2

3 - Directory traversals

3

3

3

4 - Configuration issues

4

4

-

5 – SQL Injections

5

5

4

In this review, I would like to focus on two SAP Security Notes 2389042 (DoS in SAP SSO) and 2407862 (Multiple buffer overflows in SAP Sybase Asset Management).

About Denial of service vulnerability in SAP Single Sign-On

SSO (Single Sign-On) allows using one set of login credentials instead of numerous sets of passwords to access multiple applications. As multiple passwords are likely to be weak, reused, or written down somewhere, SSO hardens system security and protects sensitive company and personal data.

SAP states that its SSO technology provides SAP customers with a secure access to SAP and non-SAP business applications across the whole landscape. It also “supports both cloud and on-premises scenarios, providing simple and secure single sign-on access through the web, via mobile devices, and using native SAP clients” (source).

Unfortunately, sometimes security measures implemented by a vendor could pose another security risk. For example, a vulnerability in PeopleSoft SSO and several critical security issues in SAP Afaria (an MDM solution from SAP) were discovered and then closed by the vendors.

This month, SAP closed a DoS vulnerability in the SAP SSO solution identified by ERPScan’s researcher. The issue allows an attacker to crash or flood the service, which would prevent legitimate users from accessing all linked applications.

About Multiple buffer overflows vulnerabilities in Flexera FlexNet Publisher

Sybase Software Asset Management (SySAM) includes Flexera FlexNet Publisher software, which is vulnerable to multiple buffer overflow issues (CVE-2015-8277). The vulnerabilities were rated 9.8 by CVSS Base Score.

The FlexNet License Manager is built into many different Software products to manage licenses is vulnerable to a stack based buffer-overflow. The exploit doesn’t require any authentication and may lead to Remote Code Execution depending on an application. For example, code execution was gained against a product with ASLR, DEP, and stack cookies running on a Windows 7 system in a lab environment.

As for SAP Sybase, the related SAP Note doesn’t detail the effect, however, such metrics as Impact to Availability, Integrity, and Confidentiality were assessed as High.




Join the CSO newsletter!

Error: Please check your email address.

Tags Flexera Softwaresecurity updatesSSOSAP Australiasap 2017patch securitycyber security

More about FlexeraNewsPeopleSoft

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Alexander Polyakov

Latest Videos

More videos

Blog Posts

Market Place