Researchers have discovered a series of vulnerabilities in SAPCAR, the archive program used to compress and decompress software and files, and SAP released patches for them on Tuesday.
Core Security researchers found memory corruption flaws (CVE-2015-2282, CVE-2015-2278) in the compression libraries in the SAP MaxDB 7.5 and 7.6, Netweaver Application Server ABAP, Netweaver Application Server Java, Netweaver RFC SDK, GUI, RFC SDK, SAPCAR archive tool, and other products. According to a Core Security advisory, the compression algorithms are used across several SAP products and the vulnerabilities in the decompression routines could lead to execution of arbitrary code and denial of service conditions.
The firm also discovered locally exploitable denial of service and security bypass vulnerabilities (CVE-2016-5845, CVE-2016-5847). One of the flaws stems from not checking the return values of file operations when extracting files. The other could be exploited by an attacker to change the permission settings of a user's arbitrary files. The flaws were discovered by security consultant Martin Gallo.
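The "unchecked return value" defect class described above is easy to illustrate in the kind of code an extractor is built from. The following C program is an added example written for this article; it is not SAPCAR code and makes no claim about how the actual bug looks. It places a flawed extraction routine that ignores every file operation's result beside a hardened one that checks each call and reports failure, using constructed sample data and a constructed scratch path under /tmp.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Status codes returned by the extractors (constructed for this example). */
enum extract_status {
    EXTRACT_OK = 0,
    EXTRACT_ERR_OPEN = -1,
    EXTRACT_ERR_WRITE = -2,
    EXTRACT_ERR_CHMOD = -3,
    EXTRACT_ERR_CLOSE = -4
};

/* Flawed pattern: every return value is ignored, so a failed open, a short
 * write or a failed chmod is silently reported to the caller as success. */
int extract_entry_unchecked(const char *path, const unsigned char *data,
                            size_t len, mode_t mode)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    ssize_t ignored = write(fd, data, len); /* result never inspected */
    (void)ignored;
    fchmod(fd, mode);                       /* result never inspected */
    close(fd);                              /* result never inspected; fd may be -1 */
    return EXTRACT_OK;                      /* always claims success */
}

/* Hardened pattern: each call is checked, and any failure cleans up the
 * partial output and returns a distinct error to the caller. */
int extract_entry_checked(const char *path, const unsigned char *data,
                          size_t len, mode_t mode)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW, 0600);
    if (fd < 0)
        return EXTRACT_ERR_OPEN;

    /* write() may legitimately write less than requested; loop until done. */
    size_t done = 0;
    while (done < len) {
        ssize_t n = write(fd, data + done, len - done);
        if (n < 0) {
            if (errno == EINTR)
                continue;
            close(fd);
            unlink(path); /* do not leave a truncated member behind */
            return EXTRACT_ERR_WRITE;
        }
        done += (size_t)n;
    }

    /* Apply the archive's mode through the descriptor we actually wrote to. */
    if (fchmod(fd, mode) != 0) {
        close(fd);
        unlink(path);
        return EXTRACT_ERR_CHMOD;
    }

    if (close(fd) != 0)
        return EXTRACT_ERR_CLOSE;
    return EXTRACT_OK;
}

/* Size of an extracted file in bytes, or -1 if it does not exist. */
long extracted_size(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    return (long)st.st_size;
}

int main(void)
{
    /* Constructed payload standing in for one archive member. */
    static const unsigned char payload[] = "constructed archive member\n";
    const size_t plen = sizeof payload - 1;
    const char *bad = "/nonexistent-dir-for-example/member.txt"; /* constructed */
    const char *good = "/tmp/sapcar_example_member.txt";         /* constructed */

    printf("unchecked, bad path: %d (reports success)\n",
           extract_entry_unchecked(bad, payload, plen, 0644));
    printf("checked,   bad path: %d\n",
           extract_entry_checked(bad, payload, plen, 0644));
    printf("checked,  good path: %d, size %ld\n",
           extract_entry_checked(good, payload, plen, 0644),
           extracted_size(good));
    unlink(good);
    return 0;
}
```

The point the flawed routine makes is that a caller which trusts its zero return cannot tell a correctly extracted file from one that was never created or was cut short, which is exactly the condition a local denial of service can build on; the hardened routine turns each such failure into a distinct error and removes partial output.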
Core Security senior security researcher Joaquín Rodríguez Varela noted in an email to SCMagazine.com that exploitation of the CVE-2016-5845 and CVE-2016-5847 vulnerabilities requires previous access to the system. “Taking that into consideration plus the fact that SAP already patched the issues leads us to believe that these vulnerabilities will not lead to widespread attacks,” he wrote.
SAP noted that the “SAP Product Security Response Team collaborates frequently with research companies like Core Security to ensure” that vulnerabilities are responsibly disclosed. “Security patches are available for download on the SAP Service Marketplace,” the company said in a statement. “We strongly advise our customers to secure their SAP landscape by applying the available security patches from the SAP Service Marketplace immediately.”

A report published earlier this month by ERPScan identified almost 36,000 SAP systems as potentially vulnerable to cyberattacks. Sixty-nine percent of the services should not be exposed directly to the Internet, the report concluded.