SAP’s August 2015 critical patch update closes 22 vulnerabilities in SAP products, with 15 having high priority.
Security specialist ERPScan recommends applying all patches to secure SAP systems as soon as possible, but has also identified the most critical vulnerabilities that should take priority. The Security Notes these relate to are:
- 2037304: SAP ST-P has a Remote Command Execution vulnerability, allowing an attacker to run commands remotely with the privileges of the service that executes them. This in turn gives access to arbitrary files and directories in the SAP server filesystem, including application source code, configuration, and critical system files.
- 2169391: SAP NetWeaver AFP Servlet has a Reflected File Download vulnerability. In this web attack the server reflects attacker-controlled input into a response that the browser saves as a file appearing to come from the trusted SAP host; if the victim opens that file, the attacker can execute code on the victim’s machine.
- 2175928: SAP HANA has a Running Process Remote Termination vulnerability, which can be used to terminate the process of a vulnerable component. This prevents users from accessing the service, causing downtime that disrupts business processes and damages business reputation.
- 2165583: SAP HANA has an incorrect system configuration vulnerability. SAP HANA internal services could be accessed without authentication if the HANA system is insecurely configured and no other security measures are in place – endangering system availability, data confidentiality and integrity.
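To make the Reflected File Download item concrete, here is an added example that is not code from SAP or ERPScan: a minimal model of a JSONP-style endpoint that reflects a `callback` parameter, a hardened version of the same endpoint, and a check that models how a browser would name the download. The endpoint paths, the sample record, the header set and the `calc||` payload are all constructed for illustration and say nothing about how the AFP Servlet itself is implemented.

```javascript
// Added example (not SAP's or ERPScan's code): models how a Reflected File
// Download (RFD) arises in a JSONP-style endpoint and how to close it.
// Endpoint, data and payload below are constructed for illustration.

const SAMPLE_DATA = { user: "alice", role: "admin" }; // constructed sample record

// Vulnerable handler: reflects the caller-supplied callback name unescaped and
// sends no Content-Disposition, so the browser derives the download name from
// the URL. Returns a plain object standing in for the HTTP response.
function vulnerableHandler(urlPath, query) {
  const cb = query.callback !== undefined ? query.callback : "";
  return {
    status: 200,
    headers: { "Content-Type": "application/json" },
    body: `${cb}(${JSON.stringify(SAMPLE_DATA)})`,
  };
}

// Hardened handler: the callback must be a plain JS identifier, the download
// name is pinned server-side, and content sniffing is disabled.
const CALLBACK_RE = /^[A-Za-z_$][A-Za-z0-9_$]*$/;
function hardenedHandler(urlPath, query) {
  const cb = query.callback !== undefined ? query.callback : "";
  if (cb !== "" && !CALLBACK_RE.test(cb)) {
    return { status: 400, headers: { "Content-Type": "text/plain" }, body: "invalid callback" };
  }
  return {
    status: 200,
    headers: {
      "Content-Type": "application/json",
      "Content-Disposition": 'attachment; filename="data.json"',
      "X-Content-Type-Options": "nosniff",
    },
    body: `${cb}(${JSON.stringify(SAMPLE_DATA)})`,
  };
}

// Models how a browser names a download: a Content-Disposition filename wins,
// otherwise the last URL path segment. The ";/setup.bat" suffix is a classic
// RFD trick against Java servlet containers, which treat ";..." as a path
// parameter and still route the request to /api/export.
function downloadedFilename(urlPath, headers) {
  const cd = headers["Content-Disposition"] || "";
  const m = /filename="([^"]+)"/.exec(cd);
  if (m) return m[1];
  const clean = urlPath.split("?")[0];
  return clean.substring(clean.lastIndexOf("/") + 1);
}

// True when the response would hand the victim an executable-looking file
// whose first bytes are attacker controlled.
function isRfdExposed(urlPath, query, handler) {
  const res = handler(urlPath, query);
  if (res.status !== 200) return false;
  const name = downloadedFilename(urlPath, res.headers);
  const executable = /\.(bat|cmd|exe|ps1|sh)$/i.test(name);
  const reflected = query.callback !== undefined && res.body.startsWith(query.callback);
  return executable && reflected;
}

// Attacker's callback: a valid cmd.exe line; "||" makes cmd ignore the JSON tail
// once "calc" has run, so the whole downloaded .bat is effectively "calc".
const ATTACK_PATH = "/api/export;/setup.bat";
const ATTACK_QUERY = { callback: "calc||" };

console.log(isRfdExposed(ATTACK_PATH, ATTACK_QUERY, vulnerableHandler)); // true
console.log(isRfdExposed(ATTACK_PATH, ATTACK_QUERY, hardenedHandler));   // false
```

The two fixes are independent and both are worth applying: restricting the callback stops attacker-chosen bytes from leading the response, and a fixed `Content-Disposition` filename stops the URL from choosing an executable extension, so even a future reflection bug cannot be turned into a download the victim would run.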
Other vulnerabilities that were discovered by ERPScan researchers and patched in this update include an XML External Entity (XXE) vulnerability in SAP Mobile Platform 2.3 (SAP Security Note 2152227), an XXE vulnerability in SAP NetWeaver Portal (SAP Security Note 2168485), and a cross-site scripting (XSS) vulnerability in SAP Afaria 7 (SAP Security Note 2152669).
Advisories for those SAP vulnerabilities with technical details will be available in 3 months on erpscan.com. Exploits for the most critical vulnerabilities are already available in ERPScan Security Monitoring Suite.
European analyst firm KuppingerCole has also recently published a guide to SAP security, Leadership Brief: SAP Security Priorities. It notes that identifying the priorities for securing your SAP infrastructure and maintaining appropriate security is a continuous business and governance challenge.
This guide provides recommendations on how decision-makers can properly define their SAP security strategy, including going beyond segregation of duties to take a 360-degree view of security.
“SAP Security covers all aspects of enterprise security from the system and network level to user and access management, the business processes and their respective governance. Maintaining proper security for such a vital IT infrastructure requires a 360-degree approach for baseline security,” the report said.
The guide can be found at KuppingerCole’s website.