SAP Security Notes August 18, watch out for SQL Injection
16.8.18 securityaffairs
Vulnerebility

SAP released security notes for August 18 that address dozens patches, the good news is that there aren’t critical vulnerabilities.
SAP issues 27 Security Notes, including 14 Patch Day Notes and 13 Support Package Notes. Seven notes are related to previously published patches.

“On 14th of August 18, SAP Security Patch Day saw the release of 12 Security Notes. Additionally, there were 2 updates to previously released security notes.” reads the advisory published by SAP.

Principal type of vulnerabilities fixed by SAP security notes are SQL Injection and Information Disclosure flaws as reported in the following graph.

SAP security notes August 2018

According to the experts from ERPScan, in August Implementation Flaw and Missing Authorization Check are the largest groups in terms of the number of vulnerabilities

SAP security notes August 2018

SAP addressed nine high severity flaws, including two SQL injection vulnerabilities in SAP BusinessObjects that could be exploied by an attacker to extract information from vulnerable system.

The SQL injection issues were reported by the researchers at the security firm Onapsis that shared technical details of the flaws in a blog post.
“Two of these High Priority notes concern vulnerabilities reported by Onapsis Research Labs: one fixes two SQL Injection vulnerabilities in SAP BusinessObjects. Basically, an attacker with a low privileges session can inject data and extract information that he should not be able to. The other vulnerability fixes two bugs found in SAP HANA XSA.” reads the blog post published by Onapsis.

“Another High Priority Note reported by the Onapsis Research Labs, #2644154, is tagged with a CVSS v3 base score: 7.7/10. It fixes two SQL-injection (SQLi) vulnerabilities found in SAP BusinessObjects (BOBJ) by Onapsis researcher Gaston Traberg. The issues were found in the frontend webserver of the Central Management Console (CMC). One of these SQLi is a blind boolean-based SQLi, and the other a regular SQLi vulnerability.”

Security experts from ERPScan also published an interesting analysis of the security patches rolled out by SAP.
ERPScan focused the analysis on most serious vulnerabilities all rated as “high severity,” including the two SQL injection flaws found by Onapsis in BusinessObjects (CVE-18-2447).

Other High severity flaws are a missing authorization check in the SAP SRM MDM Catalog (CVE-18-2449), and a memory corruption flaw in the BusinessObjects Business Intelligence platform tracked as (CVE-2015-5237) that can be exploited by attackers to run arbitrary command on the vulnerable systems.
“An attacker can use [CVE-18-2449] vulnerability to access a service without any authorization procedures and to use service functionality that has restricted access. This can lead to an information disclosure, privilege escalation, and other attacks,” states ERPScan.

“An attacker can use [CVE-18-2447] vulnerability with a help of specially crafted SQL queries. He or she can read and modify sensitive information in a database, execute administration operations, destroy data or make it unavailable. In some cases, the hacker can access system data or execute OS commands. Install this SAP Security Note to prevent the risks”