SAP Cyber Threat Intelligence Report – February 2018

Friday, February 16, 2018

Alexander Polyakov

7d55c20d433dd60022642d3ab77b8efb

The SAP threat landscape is always expanding thus putting organizations of all sizes and industries at risk of cyberattacks. The idea behind the monthly SAP Cyber Threat Intelligence report is to provide an insight into the latest security vulnerabilities and threats.

Key takeaways

  • The second set of SAP Security Notes in 2018 consists of 26 patches with the majority of them rated medium.
  • Missing authorization check is the most common vulnerability type this month, again.

SAP Security Notes – February 2018

SAP has released the monthly critical patch update for February 2018. This patch update closes 26 SAP Security Notes (14 SAP Security Patch Day Notes and 12 Support Package Notes). 7 of all the patches are updates to previously released Security Notes.

14 of all the Notes were released after the second Tuesday of the previous month and before the second Tuesday of this month.

Five of the released SAP Security Notes received a High priority rating, two was assessed at Low, and 19 fixes were rated medium.

SAP Security Notes Distribution by Priority (September 2017-February 2018)

The most common vulnerability type is Missing authorization check.

SAP Security Notes Distribution by Vunerability Types – February 2018

SAP users are recommended to implement security patches as they are released.

Issues that were patched with the help of ERPScan

This month, three critical vulnerabilities identified by ERPScan’s researchers Mathieu Geli, Vahagn Vardanyan, and Vladimir Egorov were closed.

You can find their details below.

  • A Missing Authentication check vulnerability in SAP NetWeaver System Landscape Directory (CVSS Base Score: 8.3 CVE-2018-2368). Update is available in SAP Security Note 2565622. An attacker can use Missing authorization check vulnerability for access to a service without any authorization procedures and use service functionality that has restricted access. This can lead to an information disclosure, privilege escalation and other attacks.
  • A Directory Traversal vulnerability in SAP Internet Sales (CVSS Base Score: 6.6 CVE-2018-2380). Update is available in SAP Security Note 2547431. An attacker can use Directory traversal to access to arbitrary files and directories located in a SAP-server file system including application source code, configuration and system files. It allows to obtain critical technical and business-related information stored in a vulnerable SAP-system.
  • An Information Disclosure vulnerability in SAP HANA (CVSS Base Score: 5.3 CVE-2018-2369). Update is available in SAP Security Note 2572940. An attacker can use Information disclosure vulnerability for revealing additional information (system data, debugging information, etc) which will help to learn about a system and to plan other attacks.

Critical issues closed by SAP Security Notes in February

The most dangerous vulnerabilities of this update can be patched with the help of the following SAP Security Notes:

  • 2525222: SAP Internet Graphics Server (IGS) has an Security vulnerabilities (CVSS Base Score: 8.3 Unrestricted File Upload - CVE-2018-2395, DoS CVE-2018-2394, CVE-2018-2396, CVE-2018-2391, CVE-2018-2390, CVE-2018-2386, CVE-2018-2385, CVE-2018-2384, XXE CVE-2018-2393, CVE-2018-2392, Log Injection CVE-2018-2389, Information Disclosure CVE-2018-2382, CVE-2018-2387). Depending on the vulnerability, attackers can use Denial of service vulnerability for terminating a process of vulnerable component. For this time nobody can use this service, this fact negatively influences on a business processes, system downtime and business reputation as result or use XML external entity vulnerability to send specially crafted unauthorized XML requests which will be processed by XML parser. An attacker can use a XML external entity vulnerability for getting unauthorised access to OS filesystem. and another vectors. Install this SAP Security Note to prevent the risks.
  • 2589129: SAP HANA Extended Application Services has an Security vulnerabilities  (CVSS Base Score: 7.1 CVE-2018-2374, CVE-2018-2375, CVE-2018-2376, CVE-2018-2379, CVE-2018-2377, CVE-2018-2372, CVE-2018-2373). An attacker can use Information disclosure vulnerability for revealing additional information (system data, debugging information, etc) which will help to learn about a system and to plan other attacks. Install this SAP Security Note to prevent the risks.
  • 2562089: SAP ABAP File Interface has a Directory Traversal vulnerability  (CVSS Base Score: 6.6 CVE-2018-2367). An attacker can use Directory traversal to access to arbitrary files and directories located in a SAP-server file system including application source code, configuration and system files. It allows to obtain critical technical and business-related information stored in a vulnerable SAP-system. Install this SAP Security Note to prevent the risks.

Advisories for these SAP vulnerabilities with technical details will be available in three months on erpscan.com. Exploits for the most critical vulnerabilities are already available in ERPScan Security Monitoring Suite.

Possibly Related Articles:
39155
Enterprise Security
SAP Security Patches SAP Security Patch Day SAP Security Notes
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.