SAP’s security patch day for November 2021 has seen the release of 7 new OSS SAP security notes. No notes have been classified as low, 4 notes have been classified as medium, 2 as high, and 1 as critical, based on CVSS v3.0 Rating.
Single notes have been released for SAP ERP Financial Accounting, SAP GUI for Windows, ABAP Platform Kernel, CA Introscope Enterprise Manager, SAP NetWeaver AS ABAP, SAP Commerce and SAP ERP HCM.
Vulnerabilities: November 2021 Highlights
[CVE-2021-40503] Information Disclosure in SAP GUI for Windows (SAP Note 3080106)
An information disclosure vulnerability exists in SAP GUI for Windows, which allows an attacker with sufficient privileges on the local client-side PC to obtain an equivalent of the user’s password. With this highly sensitive data leaked the attacker would be able to log on to the backend system the SAP GUI for Windows was connected to and launch further attacks depending on the authorizations of the user.
[CVE-2021-40501] Missing Authorization check in ABAP Platform Kernel (SAP Note 3099776)
ABAP Platform Kernel does not perform necessary authorization checks for an authenticated business user, resulting in escalation of privileges. That means this business user can read and modify data beyond the vulnerable system. However, the attacker can neither significantly reduce the performance of the system nor stop the system.
[CVE-2021-40504] Leverage of Permission in SAP NetWeaver Application Server for ABAP and ABAP Platform (SAP Note 3105728)
The template role SAP_BC_DWB_WBDISPLAY in SAP NetWeaver Application Server for ABAP and ABAP Platform contains transport authorizations, which exceed expected display only permissions.
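An added example, not code from this review or from SAP: a small audit that reads role authorization rows (in the shape of an AGR_1251 export: role, object, field, low, high) and reports any transport activity in a supposedly display-only role that goes beyond display. It assumes transport rights are expressed through the S_TRANSPRT object and the ACTVT field; the rows are constructed, not the real contents of SAP_BC_DWB_WBDISPLAY.

```python
"""Flag non-display transport authorizations in a role meant to be display only.

Added example. Assumes AGR_1251-style rows and that transport rights are
carried by authorization object S_TRANSPRT (field ACTVT). Sample rows below
are constructed and do not reflect the real SAP_BC_DWB_WBDISPLAY role.
"""
from __future__ import annotations
from dataclasses import dataclass

# Activity codes that are read-only in SAP's standard ACTVT scheme.
DISPLAY_ACTIVITIES = {"03", "08"}  # 03 = display, 08 = display change documents


@dataclass(frozen=True)
class AuthRow:
    role: str
    obj: str        # authorization object, e.g. S_TRANSPRT
    field: str      # authorization field, e.g. ACTVT
    low: str        # single value or lower bound of a range
    high: str = ""  # upper bound of a range, empty for a single value


def expand_range(low: str, high: str) -> set[str]:
    """Expand an ACTVT value or range (e.g. 01..03) to its members; '*' means all."""
    if low == "*":
        return {"*"}
    if not high:
        return {low}
    return {f"{v:02d}" for v in range(int(low), int(high) + 1)}


def excessive_activities(rows, role: str, transport_objects=("S_TRANSPRT",)) -> dict:
    """Return {object: sorted activities} for transport objects granting more than display."""
    findings: dict[str, set[str]] = {}
    for r in rows:
        if r.role != role or r.obj not in transport_objects or r.field != "ACTVT":
            continue
        extra = expand_range(r.low, r.high) - DISPLAY_ACTIVITIES
        if extra:
            findings.setdefault(r.obj, set()).update(extra)
    return {obj: sorted(acts) for obj, acts in findings.items()}


SAMPLE_ROWS = [  # constructed sample data, not a real role export
    AuthRow("Z_DISPLAY_ONLY", "S_TRANSPRT", "ACTVT", "03"),
    AuthRow("Z_DISPLAY_ONLY", "S_TRANSPRT", "TTYPE", "*"),
    AuthRow("Z_DISPLAY_ONLY", "S_TRANSPRT", "ACTVT", "01", "03"),  # create/change slipped in
    AuthRow("Z_DISPLAY_ONLY", "S_TRANSPRT", "ACTVT", "43"),        # release
    AuthRow("Z_DISPLAY_ONLY", "S_DEVELOP", "ACTVT", "03"),         # not a transport object
]

if __name__ == "__main__":
    print(excessive_activities(SAMPLE_ROWS, "Z_DISPLAY_ONLY"))
```

Run the same check over an export of the real template role (and any copies derived from it) to confirm the corrected note leaves only display activities.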
About this review
On the second Tuesday of each month, SAP releases security updates for its software products. At Absoft, we analyse all of the released security updates and produce this security review, including sending bespoke recommendations to each of our managed service customers.
There is more information on how we handle SAP security updates, including information on SAP’s process, the CVE process and the CVSS base scores in our earlier article on addressing security vulnerabilities in SAP software.