Featured post

SAP Patches 17 security flaws

On Tuesday SAP released the May 2017 security update that addresses 17 vulnerabilities in its products, 9 of them were released on this Security Patch Day.
“On 9th of May 2017, SAP Security Patch Day saw the release of 9 security notes. Additionally, there were 2 updates to previously released security notes.” reads the advisory published by the company.
A close look at the list of the security flaws addressed by the company shows the company fixed 5 Missing Authorization Checks and 5 Cross-Site Scripting. Additionally, SAP fixed two Implementation flaws, one XML external entity, one denial of service, one buffer overflow issue, one clickjacking, and an SQL injection vulnerability.

Below the Key takeaways published by the security firm ERPScan:
  • This set of SAP Security Notes is smaller than usual (the average number of SAP Security Notes closed every month this year equals 25, while May’s bunch of Notes contains 17 fixes).
  • 4 of the closed security loopholes affect SAP Defense Forces & Public Security. The lack of authorization vulnerabilities in this module could allow an attacker (including hacktivists and cyberterrorists) to read read, modify or delete sensitive data.
  • In the wake of proof-of-concept ransom attack via SAP GUI, the vendor released a fix addressing client-side security issues. SAP GUI for Java allowed opening of new connections from an ABAP program that can be used in multi-stage cyberattacks.
The issue with the greatest CVSS score is a Missing Authorization check in EA-DFPS utilities (2376743) rated with a Medium priority and a CVSS=6.5.
An attacker can exploit a Missing authorization check vulnerability to access a service bypassing authorization causing information disclosure, privilege escalation, and other attacks.
“Missing authorization check vulnerability usually allows a perpetrator to read, modify or delete data, which has restricted access. When it comes to the defense industry and armed forces, the information can be critical in terms of International security and the effect of even such low-impact vulnerabilities could be devastating,” ERPScan notes.