
SAP Security Notes For July, 2015

Posted Jul 16, 2015
Authored by Darya Maenkova

The monthly critical patch for SAP for July, 2015 includes missing authorization checks, information disclosure, and remote code execution vulnerabilities.

tags | advisory, remote, vulnerability, code execution, info disclosure
SHA-256 | 33063b36cddb11eba63a949b7e3cac6274e377fdbbdcac57db8364e3c860dd94

*SAP Security Notes July 2015*

SAP <http://www.sap.com/> has released the monthly critical patch update
for July 2015. This update closes a number of vulnerabilities in SAP
products, several of them in SAP HANA. The most common vulnerability
type this month is Missing Authorization Check. One vulnerability found
by ERPScan researcher Alexander Polyakov was closed.

*Issues that were patched with the help of ERPScan*


Below are the details of SAP vulnerabilities that were found by ERPScan
<http://www.erpscan.com/> researchers.


* A Missing Authorization Check vulnerability in SAP XML Data
Archiving Service (CVSS Base Score: 3.5). The fix is available in SAP
Security Note 1945215
<https://service.sap.com/sap/support/notes/1945215>. A missing
authorization check lets an attacker call a service without passing
through its authorization procedure and use functionality that should
be restricted. This can lead to information disclosure, privilege
escalation, and other attacks.


*The most critical issues found by other researchers*


Some of our readers and clients have asked us to rank the most critical
SAP vulnerabilities so that they can be patched first. Companies providing
SAP Security Audit, SAP Security Assessment, or SAP Penetration Testing
services can include them in their checklists. The most critical
vulnerabilities in this update are patched by the following SAP Security
Notes:


* 2180049 <https://service.sap.com/sap/support/notes/2180049>: SAP ASE
XPServer has a Missing Authorization Check vulnerability (CVSS Base
Score: 9.3). The missing check lets an attacker call the service
without passing through its authorization procedure and use
functionality that should be restricted. This can lead to information
disclosure, privilege escalation, and other attacks. It is recommended
to install this SAP Security Note to prevent risks.


* 1952092 <https://service.sap.com/sap/support/notes/1952092>: IDES
ECC has a Remote Command Execution vulnerability (CVSS Base Score:
6.0). Remote Command Execution lets an attacker run commands on the
system without authorization; the commands run with the privileges of
the service that executes them. Through it, an attacker can read
arbitrary files and directories on the SAP server filesystem,
including application source code, configuration, and critical system
files, and so obtain critical technical and business-related
information stored in the vulnerable SAP system. It is recommended to
install this SAP Security Note to prevent risks.


* 1971516 <https://service.sap.com/sap/support/notes/1971516>: SAP
SERVICE DATA DOWNLOAD has a Remote Command Execution vulnerability
(CVSS Base Score: 6.0). Remote Command Execution lets an attacker run
commands on the system without authorization; the commands run with
the privileges of the service that executes them. Through it, an
attacker can read arbitrary files and directories on the SAP server
filesystem, including application source code, configuration, and
critical system files, and so obtain critical technical and
business-related information stored in the vulnerable SAP system. It
is recommended to install this SAP Security Note to prevent risks.


* 2183624 <https://service.sap.com/sap/support/notes/2183624>: SAP
HANA database has an Information Disclosure vulnerability. Information
Disclosure lets an attacker reveal additional information (system
data, debugging information, etc.) that helps to learn more about the
system and to plan further attacks. It is recommended to install this
SAP Security Note to prevent risks.
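To make the Missing Authorization Check class concrete (the pattern behind
Notes 1945215 and 2180049 above), here is an added illustration in ABAP.
It is not code from SAP, ERPScan or the advisory and says nothing about
the actual flaws in those notes: a remote-enabled function module that
returns a restricted document, first without any check and then with an
AUTHORITY-CHECK. The authorization object Z_ARCHIVE, its field ZDOCID, the
table ZDOC and both function module names are hypothetical.

```abap
*&---------------------------------------------------------------------*
*& Added illustration, not from the advisory. Both modules are assumed
*& to be flagged "Remote-Enabled Module" in the Function Builder (an
*& attribute, not a keyword), so they are reachable over RFC.
*& Hypothetical objects: authorization object Z_ARCHIVE with fields
*& ACTVT and ZDOCID; table ZDOC with columns DOC_ID and CONTENT.
*&---------------------------------------------------------------------*

* --- Vulnerable variant: the only gate is the RFC runtime's generic
*     S_RFC check on the function group. Any user allowed to call the
*     group at all can read every document, because nothing here asks
*     whether THIS user may see THIS document. That absence is the
*     "Missing Authorization Check" pattern.
FUNCTION z_get_document_unsafe.
*"  IMPORTING
*"     VALUE(iv_doc_id) TYPE char20
*"  EXPORTING
*"     VALUE(ev_content) TYPE string
  SELECT SINGLE content FROM zdoc INTO ev_content
    WHERE doc_id = iv_doc_id.
ENDFUNCTION.

* --- Hardened variant: the business authorization is checked inside
*     the module, before any data is touched. A failed check raises
*     NOT_AUTHORIZED regardless of whether the document exists, so the
*     module cannot be used to enumerate valid IDs.
FUNCTION z_get_document.
*"  IMPORTING
*"     VALUE(iv_doc_id) TYPE char20
*"  EXPORTING
*"     VALUE(ev_content) TYPE string
*"  EXCEPTIONS
*"     not_authorized
*"     not_found
  AUTHORITY-CHECK OBJECT 'Z_ARCHIVE'
    ID 'ACTVT'  FIELD '03'         " 03 = display
    ID 'ZDOCID' FIELD iv_doc_id.   " per-document restriction
  IF sy-subrc <> 0.
    RAISE not_authorized.
  ENDIF.

  SELECT SINGLE content FROM zdoc INTO ev_content
    WHERE doc_id = iv_doc_id.
  IF sy-subrc <> 0.
    RAISE not_found.
  ENDIF.
ENDFUNCTION.
```

The S_RFC check performed by the RFC runtime only decides whether a user
may call the function group; it does not know what the module does with
its parameters, so a module that exposes restricted data must carry its
own AUTHORITY-CHECK. When reviewing custom code, remote-enabled modules
in the Y/Z namespace that contain no AUTHORITY-CHECK (directly or in the
routines they call) are the first candidates to inspect.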



It is highly recommended to patch all those SAP vulnerabilities to
prevent business risks affecting your SAP systems.


SAP has acknowledged the ERPScan researchers for the vulnerabilities they
found on its acknowledgment page
<http://scn.sap.com/docs/DOC-8218>.
