One year of SAP vulnerabilities

Yvan Genuer Sécurité SAP

Version Française

dev-light.png

Quick review

This 13 December was the last ‘SAP Security Tuesday patch’ of the year. Now it is possible to make some reviews and comments about vulnerabilities patched by SAP during 2016.

As usual SAP cover a large panel of type of vulnerabilities again : missing authorization check, information disclosure, clickjacking, XSS, XEE, CSRF, XSRF, SSRF, SQL injection, code injection, OS injection, directory traversal, deny of service, deserialization, etc. For a total of 315 security notes published this year, almost identical as 2015, and on the same line of these 4 lasts years :

However, is remarkable than the numbers of high priority patchs are lowering :

with 1.2% of zero days found by devoteam 😉

Despite the total number of security notes is stable, the criticality of vulnerabilities discovered declines. This doesn’t mean that is low… because with an average of 6 to 7 high priority patches by months, it continues to be a lot and significant.

The security notes distributions for 2016 has changed :

As seen, over two-thirds of SAP vulnerabilities are ‘medium’. The majority of these notes, like 2015 and 2014, are ‘missing authorization check’ type, 60 notes. But they are some notes that we could considered as implementation flow or consulting type : like notes about the ‘white list RFC’, 22 notes, and the ‘Switchable authorization check’, 25 notes.

This kind of notes doesn’t correct a bug in  programs, but provides new features or practices to secure a flow or a specific component of SAP system.

Finally, it’s important to take into account that this numbers concerns all solutions provided by SAP. Below an extract of security notes by component :

One-third of SAP Security notes are potentially in SAP Basis component. The rest depends on which solutions and which additional components companies have installed in their SAP landscape.

dev-target.png

Conclusion

  • SAP provides more and more tools and standard features to increase the security of their SAP products.
  • The total of critical vulnerabilities constantly decreases since 5 years now (658 for 2011, 83 for 2016).
  • Even if the SAP security notes numbers are still high, SAP pursued his efforts to secure their systems, as complex as they are. Now good to see if companies will follow these efforts ?