On August 8, SAP resolved 19 software vulnerabilities in its monthly critical patch update. The majority of them rated medium, and there are no Very High priority (Hot News) ones; nonetheless, they are worth our attention since the exploitation of any flaw could have a dramatic impact on the victims. Therefore, we recommend that you read the full SAP Cyber Threat Intelligence report for August 2017.
Since we can’t patch all of the vulnerabilities at once, it’s better to prioritize them. The most critical security drawbacks in August 2017 are presented in SAP CRM and SRM.
Customer Relationship Management (CRM) and Supplier Relationship Management (SRM) are considered among the most widespread and essential business applications. According to the ERP Cybersecurity Survey 2017, 55% of respondents included CRM and 18% regarded SRM as the most critical asset, since these modules store and process a wide range of sensitive data from the list of customers to pricing information.
A bitter fact is that the applications contain plenty of loopholes. A total of 393 SAP Security Notes address vulnerabilities in SAP CRM and 112 – in SAP SRM. This month, 3 SAP Notes belong to the SAP CRM application area and one – to SRM.
However, not only the number of security holes, but also their criticality and business impact matter in terms of the enterprise cybersecurity posture. The exploitation of some issues from a perpetrator’s side threatens organizations with sabotage, espionage, and fraud. Here are the few examples.
- CRM Client data theft (Espionage)
Unauthorized access to SAP CRM constitutes a threat to information about client lists, prices, contact points etc. If compromised this data can be used by competitors to win over customers with lower priced bids and over a long term ruin the whole business.
- CRM Reputational risks (Sabotage)
Unauthorized changes in SAP CRM can negatively impact relationships with customers. The possible outcomes are contract execution delays, substituted business correspondence or even revised contract terms.
- SRM Competitors intelligence (Espionage)
Having access to SAP SRM systems unfair competitors can find there all the data about the prices and use it to reconsider their own pricing so as to win a tender.
- SRM Undermining reputation (Sabotage)
For example, below see the details of vulnerabilities identified in SAP CRM and SRM:
- An SQL Injection vulnerability in SAP CRM WebClient User Interface (CVSS Base Score: 6.3) can permit a remote attacker to send a special request and steal customer data therefore carry out corporate espionage.
- Numerous vulnerabilities (Cross-Site Scripting and Information Disclosure) in SAP SRM Live Auction Application (CVSS Base Score: 6.1). XSS helps to access critical information used for interaction with a web application, and get control over business-critical information and modify the displayed content without authorization. The Information Disclosure vulnerability allows revealing additional info to plan further attacks.
- A Cross-Site Scripting vulnerability in SAP CRM IPC Pricing and XSS vulnerability in SAP CRM WebClient UI (CVSS Base Score: 6.1) make it possible to inject a malicious script into a page and hijack the sensitive data.
SAP customers are encouraged to check the monthly update and apply security updates as soon as possible to protect their systems.