SAP NetWeaver Flaws Allow Attackers Access to Enterprise Websites

Vulnerabilities in the SAP NetWeaver platform open the door for attackers to intercept login credentials, log keystrokes, spoof data or perform other malicious actions that could lead to a full system compromise.

Positive Technologies discovered the flaws, which affect the SAP Enterprise Portal Navigation, SAP Enterprise Portal Theme Editor and SAP NetWeaver Log Viewer components of the platform.

"Large companies all over the world use SAP to manage financial flows, product lifecycle, relationships with vendors and clients, company resources, procurement and other critical business processes," said Dmitry Gutsko, head of the Business System Security Unit at Positive Technologies. "It is vital to protect the information stored in SAP systems, as any breach of confidential information could have a devastating impact on the business."

Four cross-site scripting (XSS) vulnerabilities were found in the SAP Enterprise Portal Navigation (one flaw, CVSSv3 score 6.1) and the SAP Enterprise Portal Theme Editor (three flaws, CVSSv3 scores 5.4, 6.1 and 6.1). By exploiting them, an attacker could obtain a victim's session tokens, login credentials or other sensitive information held in the browser, perform arbitrary actions on the victim's behalf, rewrite HTML page content and intercept keystrokes.

A further vulnerability, a directory traversal flaw in the SAP NetWeaver Log Viewer, allows arbitrary file upload: an attacker can write files to any location on the server file system. The consequences can include total compromise of the system, overload of the file system or database, pivoting to back-end systems and defacement.
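
The Log Viewer issue described above is a directory traversal in a file-upload path: the server trusts a client-supplied file name when it decides where to write. The following is an added, generic illustration of the server-side check that prevents this class of bug; it is not SAP's code or the researchers' proof of concept. The upload directory `UPLOAD_ROOT` and the sample file names are constructed for the example.

```python
import posixpath
from pathlib import Path
from urllib.parse import unquote

# Hypothetical upload directory for this example (not an SAP path).
UPLOAD_ROOT = Path("/var/app/uploads")


class UnsafeUploadPath(ValueError):
    """Raised when a client-supplied file name would escape the upload root."""


def safe_upload_path(client_name: str, upload_root: Path = UPLOAD_ROOT) -> Path:
    """Map a client-supplied file name onto a path inside upload_root.

    Rejects empty names, path separators of either flavour, '.'/'..'
    components, percent-encoded traversal and NUL bytes, then confirms
    on the resolved path that the target really is a direct child of
    the upload directory.
    """
    # Decode percent-encoding first, so "%2e%2e%2f" is seen as "../".
    decoded = unquote(client_name)
    # A NUL byte can truncate the name in lower layers (e.g. "x.log\0.jpg").
    if "\x00" in decoded:
        raise UnsafeUploadPath(f"NUL byte in name: {client_name!r}")
    # Treat backslashes as separators too; some stacks accept both.
    decoded = decoded.replace("\\", "/")
    # Uploads are single files: any separator means a traversal attempt
    # or an attempt to choose the directory, both of which we refuse.
    if "/" in decoded or decoded in ("", ".", ".."):
        raise UnsafeUploadPath(f"rejected name: {client_name!r}")

    # Defence in depth: build the path, resolve symlinks/'..' and verify
    # the result still sits directly under the resolved upload root.
    root = upload_root.resolve()
    target = (root / posixpath.basename(decoded)).resolve()
    if target.parent != root:
        raise UnsafeUploadPath(f"escapes upload root: {client_name!r}")
    return target


def check_names(names):
    """Return {name: accepted file name or None} for a list of candidates."""
    results = {}
    for name in names:
        try:
            results[name] = safe_upload_path(name).name
        except UnsafeUploadPath:
            results[name] = None
    return results


if __name__ == "__main__":
    # Constructed sample names: benign log files and traversal attempts.
    samples = [
        "report.log",
        "2016-12-01_trace.txt",
        "../../etc/passwd",
        "..%2F..%2Fetc%2Fpasswd",
        "..\\..\\windows\\win.ini",
        "/etc/crontab",
        "report.log%00.jpg",
        "..",
    ]
    for name, verdict in check_names(samples).items():
        print(f"{name!r:32} -> {'ACCEPT ' + verdict if verdict else 'REJECT'}")
```

The important design choice is that the check works on the decoded name and then re-verifies containment on the resolved filesystem path, so a filter bypass at the string level (double encoding, mixed separators) still has to survive the final parent-directory comparison.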

Remediation guidelines can be found in SAP Security Notes 2369469, 2372183, 2372204 and 2377626.

"SAP collaborates frequently with research companies such as Positive Technologies to ensure a responsible disclosure of vulnerabilities," the company said via email. "The vulnerabilities in question have been fixed by SAP and the patches have been made available for download. For details please visit the SAP Product Security Response page."

It added, "Our recommendation to all our customers is to implement SAP security patches as soon as they are available, typically on the second Tuesday of every month. Timely security patching of SAP systems is the best policy to protect SAP infrastructure from attacks."
