Millions of SAP users at risk from critical vulnerability in SAP GUI client

Number and severity of security issues in SAP's latest 'Patch Tuesday' described as "worrisome" by security experts

SAP has released a series of critical patch updates for March 2017 that include a total of 35 security notes, with eight carrying a 'high priority' rating and one patched vulnerability rated at 9.8 on the Common Vulnerability Scoring System (CVSS).

One of the most critical vulnerabilities is in the SAP GUI client, which is installed on every SAP user workstation, putting the number of potential attack vectors into the millions, according to ERP security specialists ERPScan.

"The vulnerability enables attackers to gain unfettered control over endpoint devices where the SAP GUI application is installed. We are currently under embargo and can't disclose full details about the vulnerability until SAP users have had the opportunity to install the patch," warned Vahagn Vardanyan, the ERPScan researcher who identified the vulnerability.

"Unfortunately, this process is rather laborious and time-consuming as, in many cases, it requires the patch to be applied to every vulnerable endpoint," he added.

That vulnerability is rated at an eight on the CVSS scale. The most serious vulnerability, according to its CVSS rating of 9.8, affects the SAP HANA User Self Service module, which contains a missing authorisation check vulnerability.

"An attacker can use a ‘missing authorisation check' vulnerability to access the service without authorisation and use service functionality with a restricted access. This can lead to information disclosure, privilege escalation, and other attacks," warned ERPScan founder and chief technology officer Alexander Polyakov.

He added, though, that although many of the vulnerabilities might be critical, the likelihood of large-scale exploits being developed is low, as most of the affected components will not be installed - with the SAP GUI client vulnerability a notable exception that organisations should patch as a matter of urgency.

"The risk of these SAP HANA vulnerabilities is critical indeed. However, the likelihood of mass-exploitation is low as SAP HANA User Self-Service is enabled only on 13% internet-exposed SAP systems (according to a custom scan)," said Polyakov.

He continued: "There are numerous other services in SAP HANA which are not enabled by default and are susceptible to critical issues. For example, last month we helped SAP to close a vulnerability with the same risk of remote authentication bypass, but in another web service dubbed Sinopia."

The patch release is SAP's biggest for 2017 so far, and also the biggest since October.