SAP Patches Vulnerabilities
Wednesday, March 15, 2017 @ 11:03 AM gHale
SAP released its monthly security updates to address problems, which include five vulnerabilities in SAP HANA.
The March SAP Security Patch Day includes 25 security notes, SAP said.
Additionally, there were two updates to previously released security notes, totaling 27 SAP Security Notes released. One Security Note has a Very High priority rating, while 7 others are rated High severity.
The patch update includes 35 SAP Notes (28 SAP Security Patch Day Notes and 7 Support Package Notes), with 4 of the Notes released after the second Tuesday of the previous month, and 7 Notes being updates to previously released Security Notes, according to ERPScan, a company that specializes in securing SAP and Oracle applications.
The most important of the issues addressed this month was a Missing Authorization Check vulnerability in the SAP HANA User Self-Service. With a CVSS score of 9.8 (Very High), this critical bug could allow an attacker to take control of the affected system, SAP’s Holger Mack said in a blog post.
The Self Service tool for SAP HANA provides the option to activate features such as password change, forgotten password reset, or user self-registration. The Hot News vulnerability could allow an unauthenticated attacker to impersonate other users, even those with highly privileged accounts, said researchers at security technology firm Onapsis. The attacker could take full control of the SAP HANA platform remotely.
SAP, however, said the issue only affects customers who enabled the optional User Self Service component (it is disabled by default) and exposed it to an untrusted network. “The security note contains instructions on how to check if the User Self Service tool is enabled and how to protect the system by either updating or deactivating the affected service (if not needed anymore or as temporary measure),” Mack said.
With a CVSS score of 8.8 (High risk), the second most important flaw addressed also affected SAP HANA. That issue was a session fixation vulnerability in SAP HANA extended application services, classic model. By exploiting it, an authenticated attacker could predict valid session IDs for concurrent users logged on to the system.
The remaining three vulnerabilities in SAP HANA were also discovered by Onapsis: two SQL Injection vulnerabilities with a CVSSv3 Base Score of 2.7, and an information disclosure in SAP HANA Cockpit for offline administration, with a CVSSv3 Base Score of 4.9.