SAP Patches Clickjacking Holes

Friday, July 15, 2016 @ 08:07 AM gHale


SAP released a set of July security updates which included 10 security notes.

The largest vulnerability was a clickjacking flaw in multiple SAP frameworks and technologies, according to the advisory.


One of the 10 issues patched this month was rated Hot News, 2 were high severity vulnerabilities and 7 were medium risk, according to a report from ERPScan, which specializes in securing SAP software.

In addition to the clickjacking hole, the company resolved two denial of service flaws, two missing authorization checks, one code injection, one cross-site scripting issue, and three other vulnerabilities across its products.

The 10 SAP Security Patch Day Notes also had 26 Support Package Notes for 36 vulnerabilities resolved in SAP’s products, ERPScan researchers said. Of the 26 Support Package Notes, 24 rated as medium risk and two had a low severity rating.

This month clickjacking dominated the Support Package Notes: 24 of the vulnerabilities patched through them were clickjacking issues.

Clickjacking was first described by researchers Jeremiah Grossman and Robert Hansen in 2008, according to the ERPScan report. This vulnerability allows an attacker to “hijack” clicks by stacking multiple transparent or opaque layers over a page. A user who intends to click a button or link on the visible top-level page is instead tricked into clicking a control on another page hidden beneath or above it.

The hot news vulnerability in the new set of patches is a code injection issue in SAP Solution Manager, with a CVSS Base Score of 9.9. Successful exploitation would allow an attacker to inject and run their own code, obtain additional information, modify data, modify the system output, create new users with higher privileges, control the behavior of the system, escalate privileges by executing malicious code, and even perform a DoS attack.

The high risk issues include a denial of service vulnerability in SAP Sybase products with a CVSS Base Score of 7.5, and a Java deserialization vulnerability in Adobe Interactive Forms, which has a CVSS Base Score of 7.3.