SAP's latest series of security patches includes one critical vulnerability that puts every client terminal running SAP at risk.
The security vulnerability is so serious that the company that discovered it, ERP software security specialists ERPScan, has promised to hold off on describing it until later this month, when SAP users should have finished rolling out the latest patches.
While many SAP vulnerabilities are not relevant to most users, as most don't run the modules affected, this security vulnerability is in the SAP GUI client, which is run universally.
A patch for the vulnerability is one of a series of critical patch updates for March 2017 that SAP has rolled out this week, with eight carrying a 'high priority' rating and one patched vulnerability rated at 9.8 on the Common Vulnerability Scoring System (CVSS).
The number of users at risk from the SAP GUI client vulnerability has been put in the millions by ERPScan.
"The vulnerability enables attackers to gain unfettered control over endpoint devices where the SAP GUI application is installed. We are currently under embargo and can't disclose full details about the vulnerability until SAP users have had the opportunity to install the patch," warned Vahagn Vardanyan, the ERPScan researcher who identified the vulnerability.
"Unfortunately, this process is rather laborious and time-consuming as, in many cases, it requires the patch to be applied to every vulnerable endpoint," he added.
That vulnerability is rated at an eight on the CVSS scale. The most serious vulnerability, according to its CVSS rating of 9.8, affects the SAP HANA User Self Service module, which contains a missing authorisation check vulnerability.
"An attacker can use a 'missing authorisation check' vulnerability to access the service without authorisation and use service functionality with a restricted access. This can lead to information disclosure, privilege escalation, and other attacks," warned ERPScan founder and chief technology officer Alexander Polyakov.
He added, though, that although many of the vulnerabilities might be critical, the likelihood of large-scale exploits being developed is low, as most of the affected modules will not be installed - with the SAP GUI client vulnerability a notable exception that organisations should patch as a matter of urgency.
"The risk of these SAP HANA vulnerabilities is critical indeed. However, the likelihood of mass-exploitation is low as SAP HANA User Self-Service is enabled only on 13% internet-exposed SAP systems (according to a custom scan)," said Polyakov.
He continued: "There are numerous other services in SAP HANA, which are not enabled by default and susceptible to critical issues. For example, last month we helped SAP to close a vulnerability with the same risk of remote authentication bypass but in another web service dubbed Sinopia."
The patch release is SAP's biggest for 2017 so far, and also the biggest since October.