Patch Tuesday meets March Madness
Nine security updates released by enterprise software giant SAP on Tuesday (March 9) include fixes for two newly discovered and critical vulnerabilities.
A critical code injection vulnerability in SAP Manufacturing Integration and Intelligence (MII) – tracked as CVE-2021-21480 – earns a near-maximum severity CVSS score of 9.9.
SAP MII allows users to create dashboards and save them as JSP (Jakarta Server Pages).
This opens the door to all manner of further attacks, as a bulletin from US National Vulnerability Database’s CVE List explains:
When this dashboard is opened by Users having at least SAP_XMII_Developer role, malicious content in the dashboard gets executed, leading to remote code execution in the server, which allows privilege escalation.
The malicious JSP code can contain certain OS commands, through which an attacker can read sensitive files in the server, modify files or even delete contents in the server, thus compromising the confidentiality, integrity, and availability of the server hosting the SAP MII application.
A missing authorization check in SAP NetWeaver AS JAVA (MigrationService) – tracked as CVE-2021-21481 – earns a similarly critical rating of 9.6.
The security flaw creates a means for remote attackers to take full control of vulnerable systems.
“The MigrationService, which is part of SAP NetWeaver versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, does not perform an authorization check,” a CVE List notice explains. “This might allow an unauthorized attacker to access configuration objects, including such that grant administrative privileges.”
“This could result in complete compromise of system confidentiality, integrity, and availability,” the note adds.
HANA auth bypass
A high risk potential authentication bypass in SAP HANA LDAP (CVE-2021-21484) is the most noteworthy among the rest of the batch.
The SAP HANA database vulnerability means that “LDAP authentication in SAP HANA Database version 2.0 can be bypassed if the attached LDAP directory server is configured to enable unauthenticated bind”.
Other updates release on Tuesday (March 9) cover less severe flaws in SAP’s enterprise software packages, alongside updates on security notes to three previously addressed vulnerabilities from 2020 and one from 2018.
An overview of the patches it released on Tuesday from SAP can be found in a post on the vendor’s wiki.
Edge of darkness
Earlier this month, Microsoft released out-of-band updates for Exchange Server in response to active attacks that had already compromised an estimated 30,000 mail servers.
Redmond followed up on Tuesday with updates for older, no longer supported versions of Microsoft Exchange.
Microsoft also took the opportunity to release updates for its obsolete Internet Explorer browser for similar reasons.
Adam Bunn, lead software engineer of Rapid7, the firm behind the Metasploit penetration testing tool, commented: “Since going end-of-life in November 2020, we haven’t seen any Internet Explorer patches from Microsoft.
“However, this month Microsoft has made two new updates available: CVE-2021-27085 and CVE-2021-26411. CVE-2021-26411 has been exploited in the wild, so don’t delay applying patches if IE is still in your environment.”
The CVE-2021-26411 vulnerability – which creates a remote code execution (RCE) risk – also affects Microsoft Edge on multiple versions of Windows, prompting the release of updates to Microsoft’s latest browser software.
Exploit scenarios for both IE and Edge include tricking an intended victim into visiting a maliciously constructed website.
YOU MIGHT ALSO LIKE Git vulnerability could enable remote code execution during clone process