March 2018 SAP Security Patch Day addresses decade-old vulnerabilities

SAP released March 2018 SAP Security Patch Day that addresses High and Medium priority vulnerabilities in its products, including three decade-old issues in SAP Internet Graphics Server.

March 2018 SAP Security Patch Day includes 10 Security Notes, three rated High priority and 7 rated as Medium priority.

The company also released 17 Support Package Notes, 11 of the Notes were released after the second Tuesday of the last month and before the second Tuesday of this month.

“SAP has released the monthly critical patch update for March 2018. This patch update closes 27 SAP Security Notes (10 SAP Security Patch Day Notes and 17 Support Package Notes). 4 of all the patches are updates to previously released Security Notes. reads the analysis published by security firm ERPScan.

“11 of all the notes were released after the second Tuesday of the previous month and before the second Tuesday of this month.

6 of the released SAP Security Notes received a High priority rating, two was assessed at Low, and 19 fixes were rated medium.”

Of all 27 SAP Security Notes, 6 have a High priority rating and 19 are rated Medium priority. 4 of all the patches are updates to previously released Security Notes.

The most common vulnerability type continues to be Missing authorization check since January 2018.

The most severe of the Security Notes addresses three decade-old vulnerabilities in SAP Internet Graphics Server (IGS) and received a CVSS Base Score: 8.8 with a High priority rating.

The flaws include CVE-2004-1308 (memory corruption), CVE-2005-2974 (denial of service), and CVE-2005-3350 (remote code execution)  and impact third-party open source libraries that handle images (libtiff, giflib and libpng).

“The most dangerous vulnerabilities of this update can be patched with the following SAP Security Notes:

2538829: SAP Internet Graphics Server (IGS) has an Security vulnerabilities (CVSS Base Score: 8.8 Memory corruption – CVE-2004-1308, DoS CVE-2005-2974, RCE CVE-2005-3350). Depending on the vulnerability, attackers can exploit a Denial of service vulnerability for terminating a process of vulnerable component. Nobody can use this service. This fact has a negative influence on business processes and business reputation as result. Install this SAP Security Note to prevent the risks.” continues the analysis. 

The ERPScan’s researcher Mathieu Gel helped SAP in identifying a critical Information Disclosure vulnerability in SAP BPA BY REDWOOD (CVSS Base Score: 7.5 CVE-2018-2400).

The flaw could be exploited by an attacker to reveal additional information (e.g. system data, debugging information, etc.) that aids in learning about a system and planning more severe attacks.

March 2018 SAP Security Patch Day also addressed a High-risk information disclosure flaws in SAP HANA capture & replay trace file (CVE-2018-2402 – CVSS Base Score: 7.6).

Further details are available in the analysis published by ERPScan.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – SAP, March 2018 SAP Security Patch Day)

[adrotate banner=”5″]

[adrotate banner=”13″]