SAP Security Notes August 2018, watch out for SQL Injection

SAP released security notes for August 2018 that address dozens patches, the good news is that there aren’t critical vulnerabilities.

SAP issues 27 Security Notes, including 14 Patch Day Notes and 13 Support Package Notes. Seven notes are related to previously published patches.

“On 14th of August 2018, SAP Security Patch Day saw the release of 12 Security Notes. Additionally, there were 2 updates to previously released security notes.” reads the advisory published by SAP.

Principal type of vulnerabilities fixed by SAP security notes are SQL Injection and Information Disclosure flaws as reported in the following graph.

According to the experts from ERPScan, in August Implementation Flaw and Missing Authorization Check are the largest groups in terms of the number of vulnerabilities

SAP addressed nine high severity flaws, including two SQL injection vulnerabilities in SAP BusinessObjects that could be exploied by an attacker to extract information from vulnerable system.

The SQL injection issues were reported by the researchers at the security firm Onapsis that shared technical details of the flaws in a blog post.

“Two of these High Priority notes concern vulnerabilities reported by Onapsis Research Labs: one fixes two SQL Injection vulnerabilities in SAP BusinessObjects. Basically, an attacker with a low privileges session can inject data and extract information that he should not be able to. The other vulnerability fixes two bugs found in SAP HANA XSA.” reads the blog post published by Onapsis.

“Another High Priority Note reported by the Onapsis Research Labs, #2644154, is tagged with a CVSS v3 base score: 7.7/10. It fixes two SQL-injection (SQLi) vulnerabilities found in SAP BusinessObjects (BOBJ) by Onapsis researcher Gaston Traberg. The issues were found in the frontend webserver of the Central Management Console (CMC). One of these SQLi is a blind boolean-based SQLi, and the other a regular SQLi vulnerability.”

Security experts from ERPScan also published an interesting analysis of the security patches rolled out by SAP.

ERPScan focused the analysis on most serious vulnerabilities all rated as “high severity,” including the two SQL injection flaws found by Onapsis in BusinessObjects (CVE-2018-2447).

Other High severity flaws are a missing authorization check in the SAP SRM MDM Catalog (CVE-2018-2449), and a memory corruption flaw in the BusinessObjects Business Intelligence platform tracked as (CVE-2015-5237) that can be exploited by attackers to run arbitrary command on the vulnerable systems.

“An attacker can use [CVE-2018-2449] vulnerability to access a service without any authorization procedures and to use service functionality that has restricted access. This can lead to an information disclosure, privilege escalation, and other attacks,” states ERPScan.

“An attacker can use [CVE-2018-2447] vulnerability with a help of specially crafted SQL queries. He or she can read and modify sensitive information in a database, execute administration operations, destroy data or make it unavailable. In some cases, the hacker can access system data or execute OS commands. Install this SAP Security Note to prevent the risks”

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(Securi ty Affairs – SAP, Security Notes)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.