Two critical SAP NetWeaver vulnerabilities identified by researchers at the security firm ERPScan have been closed with off-schedule patches released by SAP.
ERPScan director of SAP cyber security services Dimitry Chastuhin delivered a presentation at the Troopers security conference this week in Heidelberg, Germany, which showed how several individually low-severity vulnerabilities in the SAP NetWeaver application platform can be chained together to gain full administrative access to the system.
“Usually, as companies have to deal with hundreds and even thousands of SAP vulnerabilities, they try to prioritise them by CVSS base score or other similar metrics not taking into account different details such as other vulnerabilities which could increase the risks. With this presentation, we want to demonstrate that quite often even typical vulnerabilities can have a high-risk impact when combined together,” said Chastuhin.
Chastuhin showed how he managed to gain full control over an SAP system by combining one configuration mistake, two common denial-of-service vulnerabilities, and some “race condition magic”.
SAP released the off-schedule patches on the same day as the conference.
These patches were in addition to SAP’s March patch update, which provided 28 patches to close vulnerabilities in SAP products, three of which carried a high priority rating and two of which carried a ‘Hot News’ rating, SAP’s highest severity classification.