Pierluigi Paganini October 10, 2019

SAP addressed two critical vulnerabilities (Hot News) as part of the October 2019 Security Patch Day.

SAP has released its October 2019 Security Patch Day updates that also address two critical vulnerabilities (Hot News) with CVSS scores of 9.3 and 9.1.

The October 2019 Security Patch Day also includes a High Priority Note addressing Binary Planting vulnerability.

“With only nine new and one updated Security Note, SAP has published an unusually low number of Security Notes for October 2019.” reads the analysis published by security firm Onapsis. “This is the lowest number of newly published notes in the past five years. Nevertheless, with 2 HotNews Notes and one High Priority Note, this Patch Day deserves special attention as an attacker needs only one vulnerability for a successful attack.”

The most severe SAP Security Note is #2826015, a Missing Authentication Check in AS2 Adapter of B2B Add-On for SAP NetWeaver Process Integration. The vulnerability, tracked as CVE-2019-0379, could be exploited by remote attackers to steal or manipulate sensitive data, it could also provide attackers with access to administrative and other privileged functionality.

“The adapter specifies a comprehensive set of data security features, specifically data confidentiality and data authenticity, which are aimed at the B2B commerce environment. The configuration of the AS2 adapter allows two different security providers.” reads the analysis published by Onapsis. “Depending on the selected provider, a Missing Authentication vulnerability exists that can lead to sensitive data theft or data manipulation as well as to access to administrative and other privileged functionalities.”

The vulnerability received a CVSS score of 9.3.

The second Hot News (SAP Security Note #2828682) addresses a flaw tracked as CVE-2019-0380, it is an information disclosure flaw in SAP Landscape Management enterprise edition. the flaw affects version 3.0 and received a CVSS score of 9.1.

“SAP Security Note #2828682 talks about a risk of information disclosure if these custom parameters fulfill specific conditions. SAP describes the overall conditions for the existence of the vulnerability as “uncommon”.  “

The vulnerability is related to the custom parameters that can be added by users to providers assigned to custom operations.

SAP also addressed a Binary Planting vulnerability in several SAP software products, including Anywhere, SAP IQ and SAP Dynamic Tiering. The flaw tracked as CVE-2019-0381 resides in the file search algorithm of the affected products, it received a CVSS score of 7.8.

“The algorithm searches too many directories, even if they are out of the application scope.” Onapsis explains. “Possible impacts are path traversals and directory climbing, enabling an attacker to read, overwrite, delete, and expose arbitrary files of the system. This can also lead to DLL hijacking as well as to privilege elevation.”

SAP also addressed multiple Cross-Site Scripting (XSS) vulnerabilities in its products, rated as medium, including one in Customer Relationship Management (CVE-2019-0368), and multiple issues in the SAP BusinessObjects Business Intelligence Platform (CVE-2019-0374, CVE-2019-0375, CVE-2019-0376, CVE-2019-0377, and CVE-2019-0378),

The full list of the addressed issues in SAP Security Patch Day – October 2019 is available here.

Pierluigi Paganini

(SecurityAffairs – SAP, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]