Message-ID: <55794B1C.40202@erpscan.com>
Date: Thu, 11 Jun 2015 11:47:24 +0300
From: Darya Maenkova <d.maenkova@...scan.com>
To: fulldisclosure@...lists.org
Subject: [FD] SAP Security Notes June 2015

SAP <http://www.sap.com/> has released the monthly critical patch update 
for June 2015. This patch update closes a large number of vulnerabilities 
in SAP products. The most common vulnerability type is Missing 
Authorization Check. This month, three vulnerabilities found by ERPScan 
researchers Vahagn Vardanyan, Rustem Gazizov, and Diana Grigorieva were 
closed.

*Issues that were patched with the help of ERPScan*

Below are the details of the SAP vulnerabilities that were found by ERPScan 
<http://www.erpscan.com/> researchers.

  * An XML eXternal Entity (XXE) vulnerability in SAP Mobile Platform
    on-premise (CVSS Base Score: 5.5). The update is available in SAP
    Security Note 2159601 <https://service.sap.com/sap/support/notes/2159601>.
    An attacker can submit a specially crafted XML document that declares
    external entities; when the server-side XML parser expands them, the
    attacker gains unauthorized read access to the OS file system.
  * A Hardcoded Credentials vulnerability in SAP Cross-System Tools
    (CVSS Base Score: 3.6). The update is available in SAP Security Note
    2059659 <https://service.sap.com/sap/support/notes/2059659>. An
    attacker who knows the hardcoded credentials can use them for
    unauthorized access and perform various actions in the system. Such
    credentials can also serve as a backdoor into the system.
  * A Hardcoded Credentials vulnerability in SAP Data Transfer Workbench
    (CVSS Base Score: 2.1). The update is available in SAP Security Note
    2057982 <https://service.sap.com/sap/support/notes/2057982>. An
    attacker who knows the hardcoded credentials can use them for
    unauthorized access and perform various actions in the system. Such
    credentials can also serve as a backdoor into the system.
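To make the XXE mechanism behind the SAP Mobile Platform issue concrete, here is an added example, not code from the ERPScan post or from SAP, written in Python against the standard library's expat bindings. The same attacker-supplied document is parsed twice: once by a parser that dereferences SYSTEM entities, which splices a local file into the document text, and once by a parser that refuses them. The file is a temporary file the example creates itself, and the payload is constructed for the demonstration; a real parser would resolve the SYSTEM identifier as a URI, and a bare filesystem path stands in for that here.

```python
import os
import tempfile
import xml.parsers.expat as expat


def parse_with_entities(xml_bytes: bytes, resolve_external: bool) -> str:
    """Parse xml_bytes with expat and return the concatenated character data.

    resolve_external=True reproduces the vulnerable behaviour: every SYSTEM
    entity the document declares is opened and its content spliced into the
    document.  resolve_external=False is the hardened form: the handler
    refuses the reference and expat aborts the parse with an ExpatError.
    """
    parser = expat.ParserCreate()
    chunks = []
    parser.CharacterDataHandler = chunks.append

    if resolve_external:
        def external_ref(context, base, system_id, public_id):
            # Vulnerable: trusts the attacker-supplied SYSTEM identifier.
            # The child parser inherits the parent's handlers, so whatever
            # the file contains lands in `chunks` as document text.
            child = parser.ExternalEntityParserCreate(context)
            with open(system_id, "rb") as f:
                child.Parse(f.read(), True)
            return 1
    else:
        def external_ref(context, base, system_id, public_id):
            # Hardened: never dereference external entities.  Returning 0
            # makes expat fail the parse instead of fetching anything.
            return 0

    parser.ExternalEntityRefHandler = external_ref
    parser.Parse(xml_bytes, True)
    return "".join(chunks)


def xxe_payload(path: str) -> bytes:
    # Constructed attacker document: an internal DTD subset declaring an
    # external entity that points at a local file, referenced from the body.
    return (
        b'<?xml version="1.0"?>\n'
        b'<!DOCTYPE doc [<!ENTITY xxe SYSTEM "' + path.encode() + b'">]>\n'
        b"<doc>&xxe;</doc>\n"
    )


def demo() -> dict:
    """Run the same payload through both parser configurations."""
    with tempfile.NamedTemporaryFile("wb", suffix=".txt", delete=False) as f:
        f.write(b"SECRET")  # stand-in for a sensitive file on the server
        secret_path = f.name
    try:
        payload = xxe_payload(secret_path)
        leaked = parse_with_entities(payload, resolve_external=True)
        try:
            parse_with_entities(payload, resolve_external=False)
            blocked = False
        except expat.ExpatError:
            blocked = True
        return {"leaked": leaked, "blocked": blocked}
    finally:
        os.unlink(secret_path)


if __name__ == "__main__":
    print(demo())  # {'leaked': 'SECRET', 'blocked': True}
```

The hardened handler is the whole fix: a parser that never resolves external entities cannot be turned into a file reader, whatever the DTD says. Libraries that expose this as a switch (external entity loading, DTD processing) should have it off for any document that crosses a trust boundary.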


*The most critical issues found by other researchers*

Some of our readers and clients asked us to categorize the most critical 
SAP vulnerabilities so that they can be patched first. Companies providing 
SAP Security Audit, SAP Security Assessment, or SAP Penetration Testing 
services can include these vulnerabilities in their checklists. The most 
critical vulnerabilities of this update can be patched by the following 
SAP Security Notes:

  * 2151237 <https://service.sap.com/sap/support/notes/2151237>: SAP GUI
    for Windows has a Buffer Overflow vulnerability (CVSS Base Score:
    9.3). An attacker can use the buffer overflow to place specially
    crafted code in the process memory, where it is executed by the
    vulnerable application with that application's privileges. This can
    lead to the attacker taking complete control over the application,
    denial of service, command execution, and other attacks. In the case
    of command execution, the attacker can obtain critical technical and
    business-related information stored in the vulnerable SAP system or
    escalate their own privileges. In the case of denial of service, the
    process of the vulnerable component may be terminated, and until it
    is restarted nobody will be able to use the service, which disrupts
    business processes, causes system downtime, and, consequently, harms
    business reputation. It is recommended to install this SAP Security
    Note to prevent these risks.
  * 2129609 <https://service.sap.com/sap/support/notes/2129609>: SAP EP
    JDBC Connector has an SQL Injection vulnerability (CVSS Base Score:
    6.5). An attacker can inject SQL through specially crafted input that
    is embedded into database queries. They can read and modify sensitive
    information in the database, execute administrative operations on
    the database, and destroy data or make it unavailable. In some cases,
    an attacker can access system data or execute OS commands. It is
    recommended to install this SAP Security Note to prevent these risks.
  * 1997734 <https://service.sap.com/sap/support/notes/1997734>: SAP RFC
    runtime has a Missing Authorization Check vulnerability (CVSS Base
    Score: 6.0). An attacker can exploit the missing authorization check
    to call a service without going through any authorization procedure
    and use service functionality that is meant to be restricted. This
    can lead to information disclosure, privilege escalation, and other
    attacks. It is recommended to install this SAP Security Note to
    prevent these risks.
  * 2163306 <https://service.sap.com/sap/support/notes/2163306>: SAP
    CommonCryptoLib and SAPCRYPTOLIB are vulnerable to FREAK
    (CVE-2015-0204, CVSS Base Score: 5.0). FREAK targets a class of
    deliberately weak export cipher suites (RSA_EXPORT, whose 512-bit RSA
    keys can be factored). It allows an attacker to intercept HTTPS
    connections between vulnerable clients and servers and force them to
    use this weakened encryption, which the attacker can break to steal
    or manipulate sensitive data. Like the other SMACK attacks, it
    assumes a network adversary (a man-in-the-middle) able to tamper with
    TLS handshake messages; such a position is typically obtained by
    tampering with the Domain Name System (DNS), for example via DNS
    rebinding or domain name seizure. It is recommended to install this
    SAP Security Note to prevent these risks.
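The SQL Injection entry above describes the class generically. The following is an added example, not code from the post, from SAP, or from the EP JDBC Connector: a constructed SQLite table stands in for the backend database, and the two attacker inputs are likewise constructed. It places the vulnerable string-built query next to its parameterized replacement and shows why one input dumps every row, another reads the schema ("system data" in the entry's words), and the parameterized lookup returns nothing for either.

```python
import sqlite3


def demo_db() -> sqlite3.Connection:
    """Constructed sample database standing in for the backend; not SAP data."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, name TEXT, secret TEXT)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "alice-token"), (2, "bob", "bob-token")],
    )
    return db


def lookup_vulnerable(db: sqlite3.Connection, name: str):
    # Vulnerable: the caller's string is spliced into the statement text, so
    # quotes and keywords inside it are parsed as SQL by the database.
    stmt = "SELECT name, secret FROM users WHERE name = '%s'" % name
    return db.execute(stmt).fetchall()


def lookup_parameterized(db: sqlite3.Connection, name: str):
    # Hardened: the value travels as a bound parameter.  The statement is
    # compiled before the value is seen, so the value is never parsed as SQL.
    stmt = "SELECT name, secret FROM users WHERE name = ?"
    return db.execute(stmt, (name,)).fetchall()


# Constructed attacker inputs.
TAUTOLOGY = "nobody' OR '1'='1"              # turns the WHERE clause true for every row
SCHEMA_DUMP = (                              # UNION pulls table definitions out of
    "x' UNION SELECT name, sql FROM sqlite_master WHERE type='table' --"
)                                            # the catalogue; -- comments out the tail


if __name__ == "__main__":
    db = demo_db()
    print(lookup_vulnerable(db, TAUTOLOGY))     # both rows and their secrets
    print(lookup_vulnerable(db, SCHEMA_DUMP))   # CREATE TABLE statements
    print(lookup_parameterized(db, TAUTOLOGY))  # []
```

The same split applies to a JDBC connector: a PreparedStatement with `?` placeholders is the parameterized form, string concatenation into the statement text is the vulnerable one.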


*References about the FREAK vulnerability:*

  * SMACK: State Machine AttaCKs <https://www.smacktls.com/>
  * Tracking the FREAK Attack <https://freakattack.com/>
  * CVE-2015-0204
    <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0204>
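A practitioner checking whether an SAP HTTPS endpoint, or any TLS server, still negotiates the suites FREAK abuses can ask the server directly: offer only RSA_EXPORT cipher suites in a ClientHello and see whether the ServerHello selects one or the server aborts with a handshake_failure alert. The following is an added example in Python, not code from the post, from SAP, or from the scanner at freakattack.com. The cipher suite numbers are the RSA_EXPORT suites defined in RFC 2246; the ClientHello is TLS 1.0 without extensions (so no SNI) since it only needs to learn what the server is willing to negotiate; and the sample replies at the bottom are constructed for offline use, not captured from any system. probe() performs the live check against a host you name.

```python
import os
import socket
import struct

# RSA_EXPORT cipher suites from RFC 2246: RSA key exchange with a 512-bit
# ephemeral "export" RSA key.  These are the suites FREAK forces a victim onto.
RSA_EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
}


def _handshake(msg_type: int, body: bytes) -> bytes:
    """Wrap a handshake body in a handshake header and a TLS 1.0 record header."""
    hs = bytes([msg_type]) + struct.pack("!I", len(body))[1:] + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


def build_client_hello(suites, client_version: int = 0x0301) -> bytes:
    """Minimal ClientHello offering only the given cipher suites, no extensions."""
    cs = b"".join(struct.pack("!H", s) for s in suites)
    body = (
        struct.pack("!H", client_version)
        + os.urandom(32)                    # client random
        + b"\x00"                           # empty session id
        + struct.pack("!H", len(cs)) + cs   # cipher_suites vector
        + b"\x01\x00"                       # one compression method: null
    )
    return _handshake(0x01, body)


def parse_server_hello(data: bytes):
    """Return the cipher suite the server chose, or None if it sent an alert."""
    if len(data) < 5:
        raise ValueError("truncated TLS record")
    rec_type = data[0]
    rec_len = struct.unpack("!H", data[3:5])[0]
    if rec_type == 0x15:          # alert record, typically handshake_failure
        return None
    if rec_type != 0x16:
        raise ValueError("unexpected record type 0x%02x" % rec_type)
    rec = data[5:5 + rec_len]
    if not rec or rec[0] != 0x02:
        raise ValueError("expected a ServerHello handshake message")
    pos = 1 + 3 + 2 + 32          # msg type, length, server_version, random
    pos += 1 + rec[pos]           # length-prefixed session id
    return struct.unpack("!H", rec[pos:pos + 2])[0]


def accepts_rsa_export(server_reply: bytes) -> bool:
    """True if the server answered an RSA_EXPORT-only offer by picking one."""
    return parse_server_hello(server_reply) in RSA_EXPORT_SUITES


def probe(host: str, port: int = 443, timeout: float = 5.0) -> bool:
    """Live check against a real server; returns accepts_rsa_export() of its reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(list(RSA_EXPORT_SUITES)))
        return accepts_rsa_export(sock.recv(4096))


# Constructed server replies for offline use (not captured from any SAP system).
def _sample_server_hello(suite: int) -> bytes:
    body = b"\x03\x01" + b"\x11" * 32 + b"\x00" + struct.pack("!H", suite) + b"\x00"
    return _handshake(0x02, body)


SAMPLE_EXPORT_HELLO = _sample_server_hello(0x0003)  # vulnerable server
SAMPLE_STRONG_HELLO = _sample_server_hello(0x002F)  # TLS_RSA_WITH_AES_128_CBC_SHA
SAMPLE_ALERT = b"\x15\x03\x01\x00\x02\x02\x28"      # fatal handshake_failure


if __name__ == "__main__":
    import sys
    for host in sys.argv[1:]:
        print(host, "accepts RSA_EXPORT:", probe(host))
```

A server that answers the RSA_EXPORT-only offer with an alert is not exploitable by FREAK regardless of what its clients support; a server that picks one of these suites needs the patch (or its cipher list trimmed) even if every client is already fixed, since the attack only needs one side to be willing.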


It is highly recommended to patch all those SAP vulnerabilities to 
prevent business risks affecting your SAP systems.

SAP has traditionally thanked the security researchers from ERPScan for 
the vulnerabilities they found on its acknowledgment page 
<http://scn.sap.com/docs/DOC-8218>.

Advisories for these SAP vulnerabilities with technical details will be 
available in 3 months on erpscan.com <http://www.erpscan.com/>.


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
