SAP releases monthly patch update closing 36 vulnerabilities - two rated 'high priority'

Enterprise applications giant finally gets round to dealing with 'clickjacking' vulnerabilities

SAP has released its monthly critical patch update, which will close 36 vulnerabilities, two of which have a high-priority rating.

One of the security bugs that SAP has finally got around to fixing - after eight years, according to ERP software security company ERPScan - is a clickjacking vulnerability, which SAP is squashing with 24 updates.

This vulnerability enables an attacker to "hijack" user clicks by using multiple transparent or opaque layers. A user is tricked into clicking a button or a link on another page when they intend to click on the top-level page.

"Although the vulnerability type is eight years old and can be fixed without difficulty, it is quite common and threatens various websites and domains. One of the ways of preventing clickjacking attacks is using a proper X-Frame-Options HTTP. This measure doesn't require a lot of work from a vendor of a web-based application," claims ERPScan in its advisory.

"In 2001-2015, SAP released only two SAP Security Notes addressing the issue, while this monthly patch update contains 24 fixes for this vulnerability," it continues.
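The defensive measure ERPScan refers to is a response header. As an added illustration (not code from SAP or ERPScan), the following Python checks whether a response's headers actually stop it being framed by another origin, which is the precondition for the clickjacking attack described above, and wraps a plain WSGI application so that every response carries X-Frame-Options plus a matching CSP frame-ancestors directive. The `unprotected_app` and its HTML are constructed sample input; the header classification follows current browser behaviour (CSP frame-ancestors takes precedence, ALLOW-FROM is no longer honoured).

```python
"""Added example: classify framing protection from HTTP headers and add it via
WSGI middleware. Not SAP's or ERPScan's code; the sample app is constructed."""
from typing import Dict, List, Optional, Tuple


def _get(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def _frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the frame-ancestors source list from a CSP value, or None if absent."""
    for directive in csp.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.strip("'").lower() for t in tokens[1:]]
    return None


def framing_protection(headers: Dict[str, str]) -> Tuple[str, str]:
    """Classify a response as 'protected', 'restricted' or 'frameable'.

    CSP frame-ancestors is checked first because browsers that understand it
    give it precedence over X-Frame-Options.
    """
    csp = _get(headers, "Content-Security-Policy")
    if csp is not None:
        sources = _frame_ancestors(csp)
        if sources is not None:
            if sources in ([], ["none"]):  # empty source list means 'none'
                return "protected", "CSP frame-ancestors 'none'"
            if "*" in sources or any(s in ("http:", "https:") for s in sources):
                return "frameable", "CSP frame-ancestors allows any origin"
            if sources == ["self"]:
                return "protected", "CSP frame-ancestors 'self'"
            return "restricted", "CSP frame-ancestors limited to: " + " ".join(sources)
    xfo = _get(headers, "X-Frame-Options")
    if xfo is None:
        return "frameable", "no X-Frame-Options or CSP frame-ancestors header"
    value = xfo.strip().upper()
    if value in ("DENY", "SAMEORIGIN"):
        return "protected", "X-Frame-Options " + value
    # ALLOW-FROM was never widely supported and current browsers ignore it;
    # typos and other unrecognised values are conservatively treated as no protection.
    return "frameable", "unsupported or invalid X-Frame-Options value: " + xfo


def add_frame_protection(app, policy: str = "DENY"):
    """WSGI middleware: force X-Frame-Options on every response and add a
    matching CSP frame-ancestors directive when the app set no CSP itself."""
    policy = policy.upper()
    if policy not in ("DENY", "SAMEORIGIN"):
        raise ValueError("policy must be DENY or SAMEORIGIN")
    ancestors = "'none'" if policy == "DENY" else "'self'"

    def wrapped(environ, start_response):
        def guarded_start(status, response_headers, exc_info=None):
            names = {k.lower() for k, _ in response_headers}
            # Replace any X-Frame-Options the app emitted so the policy is authoritative.
            response_headers = [(k, v) for k, v in response_headers
                                if k.lower() != "x-frame-options"]
            response_headers.append(("X-Frame-Options", policy))
            if "content-security-policy" not in names:
                response_headers.append(("Content-Security-Policy",
                                         "frame-ancestors " + ancestors))
            return start_response(status, response_headers, exc_info)
        return app(environ, guarded_start)
    return wrapped


def response_headers_of(app) -> Dict[str, str]:
    """Invoke a WSGI app offline with a minimal environ and collect its headers."""
    captured: Dict[str, str] = {}

    def start_response(status, headers, exc_info=None):
        captured.update(headers)
        return lambda data: None

    body = app({"REQUEST_METHOD": "GET", "PATH_INFO": "/"}, start_response)
    if hasattr(body, "close"):
        body.close()
    return captured


def unprotected_app(environ, start_response):
    """Constructed sample: a legacy page with a sensitive button and no framing defence."""
    start_response("200 OK", [("Content-Type", "text/html")])
    return [b"<html><body><button>Transfer</button></body></html>"]


if __name__ == "__main__":
    for label, app in (("legacy", unprotected_app),
                       ("patched", add_frame_protection(unprotected_app))):
        print(label, framing_protection(response_headers_of(app)))
```

Running the script shows the legacy app classified as frameable and the wrapped one as protected. The same `framing_protection` function can be pointed at headers captured from real responses to audit which pages of a web application still lack the defence; `restricted` flags pages that deliberately allow a named portal origin to embed them, which is worth a manual review rather than an automatic pass.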

SAP is also closing three security holes identified by ERPScan researchers Dmitry Yudin, Mathieu Geli, and Vahagn Vardanyan.

These include a denial-of-service vulnerability in SAP Sybase database products; a denial-of-service vulnerability in the SAP Enterprise Portal: Federated Portal Network; and a buffer overflow vulnerability in the SAP Startup Service.

The last of these three is potentially the most serious: "An attacker can use a buffer overflow vulnerability to inject specially crafted code into a working memory. The code will be executed by a vulnerable application. Executed commands will run with the same privileges as a service that executed the command.

"This can lead to taking complete control of an application, denial of service, command execution, and other attacks. In case of command execution, an attacker can obtain critical technical and business-related information stored in a vulnerable SAP system or use it for a privilege escalation attack... terminating a process of a vulnerable component is possible," explains ERPScan.

Possibly the most dangerous security flaw that SAP is addressing is a code-injection vulnerability in the SAP Solution Manager. "Depending on the code, an attacker can inject and run their own code, obtain additional information which should not be displayed, modify data, delete data, modify the system output, create new users with higher privileges, control the behavior of the system, or potentially escalate privileges by executing malicious code or even perform a DoS attack," advised ERPScan.