SAP Security Notes fixes SAP POS flaw potentially affecting 500 billion installations

Pierluigi Paganini July 12, 2017

SAP has released its SAP Security Notes for July 2017 that includes 23 patches, the most severe is a SAP POS flaw that affects about 500 billion installs

SAP has released its Security Notes for July that includes 23 patches with the majority of them rated medium.

The most severe issue is a high-risk DoS vulnerability that affects SAP Point of Sale, a solution that has 500 billion installs, many of them used by retail companies from the Forbes Global 2000 list.

“On 11th of July 2017, SAP Security Patch Day saw the release of 10 security notes. Additionally, there were 2 updates to previously released security notes.” reads the advisory published by SAP.

“The high priority security note 2476601 released today addresses technical issues in SAP Point of Sale (POS) Retail Xpress Server with potential disclosure at upcoming security conferences. Therefore, we wish to remind you to apply all SAP Security Notes on a priority.”

SAP POS FLAW

Experts at security firm ERPScan found multiple missing authorization checks on the server side of SAP POS Suite. The flaws can be exploited by a remote unauthenticated attacker to:

  • read/delete/write sensitive information;
  • shut down a vulnerable application;
  • monitor content displayed on a receipt window of a POS:

“11 of all the Notes were released after the second Tuesday of the previous month and before the second Tuesday of this month. 5 of all the Notes are updates to previously released Security Notes.” states the analysis published by ERPScan.

“4 of the released SAP Security Notes have a High priority rating. The highest CVSS score of the vulnerabilities is 8.1.”

SAP POS FLAW

Below are the details of the SAP vulnerability identified by the experts at the ERPScan team.

  • Multiple Missing authorization check vulnerabilities in SAP Point of Sale (PoS) (CVSS Base Score: 8.1). Update is available in SAP Security Note 2476601. An attacker can use a Missing authorization check vulnerability to access a service without any authorization procedure and use service functionality that has restricted access. This can lead to an information disclosure, privilege escalation, and other attacks.
  • A Missing authorization check vulnerability in SAP Host Agent (CVSS Base Score: 7.5). Update is available in SAP Security Note 2442993. An attacker can use a Missing authorization check vulnerability to access a service without any authorization procedure and use service functionality that has restricted access. This can lead to an information disclosure, privilege escalation, and other attacks.
  • Multiple vulnerabilities (Cross-site scripting and Cross-site request forgery) in SAP CRM Internet Sales Administration Console (CVSS Base Score: 6.1). Update is available in SAP Security Note 2478964. An attacker can exploit a Cross-site scripting vulnerability to inject a malicious script into a page. The malicious script can access cookies, session tokens and other critical information stored and used for interaction with a web application. An attacker can gain access to user session and learn business-critical information; in some cases, it is possible to get control over this information. Also, XSS can be used for unauthorized modifying of displayed content. Moreover, an attacker can use a Cross-site request forgery vulnerability for exploiting an authenticated user’s session with a help of making a request containing a certain URL and specific parameters. A function will be executed with authenticated user’s rights.

The most dangerous flaws in the SAP Security Notes July 2017 are:

  • 2453640: SAP Governance, Risk and Compliance Access Controls (GRC) has a Code injection vulnerability (CVSS Base Score: 6.5).
  • 2409262: SAP BI Promotion Management Application has an XML external entity vulnerability (CVSS Base Score: 6.1). 
  • 2398144: SAP Business Objects Titan has an XML external entity vulnerability (CVSS Base Score: 5.4).

ERPScan did not publish any technical detail to avoid public exploitation of the flaws in the wild.

Recommend that SAP customers install the patch as soon as possible.

[adorate banner=”9″]

Pierluigi Paganini 

(Security Affairs – SAP POS, hacking)

[adrotate banner=”13″]



you might also like

leave a comment