SBN

SAP Cyber Threat Intelligence report – May 2018

The SAP threat landscape is always expanding thus putting organizations of all sizes and industries at risk of cyber attacks. The idea behind the monthly SAP Cyber Threat Intelligence report is to provide an insight into the latest SAP security vulnerabilities and threats.

Key takeaways

  • This set of SAP Security Notes consists of 15 patches and the majority of them rated medium.
  • The most common vulnerability types are Missing authorization check and Denial of service.
  • The most vulnerable SAP service of the current release is Internet Graphics Server (IGS) having four out of 15 security issues.
  • SAP informs the customers that the security notes 2616599 and 2615635 released on May Patch Day are expected to be topics of discussion at an upcoming security conference in June.

SAP Security Notes – May 2018

SAP has released the monthly critical patch update for May 2018. This patch update closes 15 SAP Security Notes (10 SAP Security Patch Day Notes and 5 Support Package Notes).

SAP Security Notes Distribution by Priority (December 2017–May 2018)

Two of all the patches are updates to the previously released Security Notes.

One of all the notes is released after the second Tuesday of the previous month and before the second Tuesday of this month.

Among the most common vulnerability types are Missing authorization check and Denial of service.

SAP Security Notes Distribution by Vulnerability Types – May 2018

SAP users are recommended to implement security patches as they are released as it helps protect the SAP landscape.

Critical issues closed by SAP Security Notes in May

The most serious vulnerabilities of this update can be patched with the help of the following SAP Security Notes:

  • 2615635: SAP Internet Graphics Server (IGS) has a security vulnerability (CVSS Base Score: 6.5 CVE-2018-2420 ). An attacker can upload any file, use Cross-site scripting vulnerability for injecting a malicious script into a page.
    Reflected XSS feature is necessary to trick a user – he or she would make the user to follow specially crafted link. In terms of stored XSS, malicious script is injected and permanently stored in a page body, this way user is attacked without performing any actions.
    The malicious script can access all cookies, session tokens and other critical information stored by browser and used for interaction with a site. The attacker can gain access to user’s session and learn business-critical information, in some cases it is possible to get control over this information. In addition, XSS can be used for unauthorized modifying of displayed site content.
    Install this SAP Security Note to prevent the risks.
  • 2610231: SAP MaxDB ODBC Driver has an Code Injection vulnerability (CVSS Base Score: 5.5 CVE-2018-2418). Depending on the code, attacker can inject and run their own code, obtain additional information that should not be displayed, modify or delete data, change the output of the system, create new users with higher privileges, control the behavior of the system, or can escalate privileges by executing malicious code and even perform a DoS attack.
    Install this SAP Security Note to prevent the risks.
  • 2620744: SAP Internet Graphic Server (IGS) RFC listener has a Code Injection vulnerability (CVSS Base Score: 5.3 CVE-2018-2423 ). An attacker can use Denial of service vulnerability for terminating the process of vulnerable component. For this time, nobody can use this service, this fact negatively influences business processes, system downtime and business reputation as result.
    Install this SAP Security Note to prevent the risks.

Advisories for these SAP vulnerabilities with technical details will be available in three months on erpscan.com. Exploits for the most critical vulnerabilities are already available in ERPScan Security Monitoring Suite.

The post SAP Cyber Threat Intelligence report – May 2018 appeared first on ERPScan.