A close look at the list of the security flaws addressed by the company shows the company fixed 5 Missing Authorization Checks and 5 Cross-Site Scripting. Additionally, SAP fixed two Implementation flaws, one XML external entity, one denial of service, one buffer overflow issue, one clickjacking, and an SQL injection vulnerability.

Below the Key takeaways published by the security firm ERPScan:

• This set of SAP Security Notes is smaller than usual (the average number of SAP Security Notes closed every month this year equals 25, while May’s bunch of Notes contains 17 fixes).
• 4 of the closed security loopholes affect SAP Defense Forces & Public Security. The lack of authorization vulnerabilities in this module could allow an attacker (including hacktivists and cyberterrorists) to read read, modify or delete sensitive data.
• In the wake of proof-of-concept ransom attack via SAP GUI, the vendor released a fix addressing client-side security issues. SAP GUI for Java allowed opening of new connections from an ABAP program that can be used in multi-stage cyberattacks.

The issue with the greatest CVSS score is a Missing Authorization check in EA-DFPS utilities (2376743) rated with a Medium priority and a CVSS=6.5.

“Missing authorization check vulnerability usually allows a perpetrator to read, modify or delete data, which has restricted access. When it comes to the defense industry and armed forces, the information can be critical in terms of International security and the effect of even such low-impact vulnerabilities could be devastating,” ERPScan notes.

Just for statistics, 17 is the lowest number of monthly issues over the past six months.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – application security , hacking)

[adrotate banner=”13″]