SAP releases 27 Security Notes with most severe security flaw rated at 9.4

Five SAP Security Notes rated "high priority" by ERPScan

SAP has released a total of 27 Security Notes in its April Patch Tuesday, covering a number of security flaws and patches in its enterprise resource planning (ERP) software.

And, while the majority are "missing authorisation checks", the most severe is rated at 9.4 out of ten on the severity scale by ERP software security specialists ERPScan. In total, six are rated as ‘high priority' or worse.

According to ERPScan's analysis, seven of the vulnerabilities are missing authorisation checks, four involve cross-site request forgeries, three cross-site scripting, and one buffer overflow flaw.

But the most serious, 9.4-rated flaw, was originally uncovered by ERPScan. This, the organisation claims, is a remote-code execution vulnerability in SAP TREX/BWA.

"A Remote command execution vulnerability allows an attacker to inject code that can be executed by the application. Executed commands will run with the same privileges as the service that executed the command," explained ERPScan.

Two of the cross-site scripting security flaws affect SAP NetWeaver, one in which an "attacker can use a Cross-site scripting vulnerability for injecting a malicious script into a page. The malicious script can access all cookies, session tokens and other critical information stored by a browser and used for interaction with a web application. An attacker can gain access to the user session and learn business critical information", according to ERPScan.

The other affects the Java Archiving Framework in which an attacker can use a cross-site scripting vulnerability to inject malicious script into a page. Again, the malicious script can access cookies, session tokens and other critical information stored on the user's web browser, and critical business information potentially compromised.

Today's SAP Patch Tuesday coincides with Microsoft's regular slug of updates, which this month is smaller than average.

There are a total of 46 unique vulnerabilities being resolved, three of which have been publicly disclosed (CVE-2017-0210, CVE-2017-0199, CVE-2017-0203) and two of those have been exploited in the wild or zero days (CVE-2017-0210, CVE-2017-0199).

The release will also be the last for the unlamented Windows Vista operating system, which now goes ex-support and won't receive any further patches.

However, according to Chris Goettl, Product Manager at asset-management software vendor Ivanti, it's patches to Microsoft's Hyper-V virtualisation software that really stand out this month. "There are a lot of Hyper-V vulnerabilities this month; 14 of the 46 CVEs address vulnerabilities in Hyper-V," said Goettl.

There are also a number of zero-day security flaws that ought to be resolved, including ones highlighted in the past week by McAfee.

"There are two zero days resolved this month and one of them is for Microsoft Word (CVE-2017-0199), and the other zero day is an elevation of privilege vulnerability in Internet Explorer that would allow an attacker to convince a user to visit a compromised web site that could exploit the vulnerability.

"There is an additional zero day that was recently identified in [Microsoft's web server] IIS 6 (CVE-2017-7269). This vulnerability will not be resolved as it is in an old version of IIS that runs on Server 2003.

"More than 600,000 internet-facing servers running IIS 6.0 have the WebDAV module enabled, allowing this vulnerability to be exploited. With a Metasploit module on the way, or already out, you can bet these web servers will become targets if they are not already exploited," said Goettl.

Elsewhere, there are the inevitable updates from Adobe, and next week enterprise software giant Oracle will also issue its quarterly updates, including a critical update for Java.

Join Computing in London on 4 May for the Cyber Security Strategy Briefing 2017 for the Financial Sector.

Speakers include Adam Koleda, IT director of insurance firm BPL Global; Peter Agathangelou, associate director of Hamilton Fraser Insurance; and, Dr Kuan Hon, consultant lawyer at law firm Pinsent Masons.

Attendance is free to qualifying IT professionals and IT leaders - register now!