SAP Fixes Critical Security Flaw in Manufacturing Software

SAP has recently fixed a critical security flaw in its manufacturing software. The fix was part of a batch of 18 security patches released by SAP.

These patches address new vulnerabilities and update previously released patches. Two of the fixes published as part of this security update are the most critical.

One covers a vulnerability in SAP’s Manufacturing Integration and Intelligence (MII) application, which synchronizes manufacturing operations. The other is in SAP’s NetWeaver AS Java software stack.

SAP Manufacturing Integration and Intelligence (SAP MII)

The Onapsis Research Labs contributed to fixing this Patch Day’s most significant vulnerability. SAP MII is an SAP NetWeaver AS Java-based platform that enables real-time monitoring and provides extensive data analysis tools.

CVE-2021-21480 is a fairly sophisticated flaw. SAP MII lets users create dashboards and save them as JSP through the SSCE. An attacker can intercept a request to the server, inject malicious JSP code into the request, and forward it to the server.

The malicious content in the dashboard is executed once the dashboard is opened by a user who has at least the SAP_XMII_Developer role.

This leads to remote code execution on the server and allows privilege escalation. The malicious JSP code can contain certain OS commands.

These commands let the attacker access sensitive files on the server, modify them, or even delete the server's contents. The flaw therefore endangers the confidentiality, integrity, and availability of the server that hosts the SAP MII application.
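A defence-in-depth check for the flaw described above, written as an added example (not code from SAP, Onapsis, or the original article): before dashboard content is stored as a JSP, reject anything containing constructs the JSP container would execute. The function names and sample inputs are hypothetical, and the content is assumed to be available as a decoded string.

```python
import re

# Each pattern matches a JSP construct that the container compiles and runs
# server-side. A dashboard made of plain HTML/CSS/JS needs none of them.
JSP_CONSTRUCTS = [
    ("directive", re.compile(r"<%@")),
    ("declaration", re.compile(r"<%!")),
    ("expression", re.compile(r"<%=")),
    ("scriptlet", re.compile(r"<%(?!--|[@!=])")),  # <%-- is a JSP comment
    ("xml-syntax element", re.compile(r"<jsp:[\w.]+", re.IGNORECASE)),
    # EL is evaluated in template text, including inside <script> blocks,
    # so a JavaScript template literal in a JSP is flagged as well.
    ("expression language", re.compile(r"[$#]\{")),
]

def find_jsp_constructs(content):
    """Return (line_number, kind, excerpt) for every executable JSP construct.

    HTML comments are deliberately not stripped first: the JSP compiler does
    not treat <!-- --> as a comment, so code hidden inside one still runs.
    """
    findings = []
    for line_number, line in enumerate(content.splitlines(), start=1):
        for kind, pattern in JSP_CONSTRUCTS:
            for match in pattern.finditer(line):
                excerpt = line[match.start():match.start() + 40]
                findings.append((line_number, kind, excerpt))
    return findings

def is_plain_dashboard(content):
    """True when the content has no server-side constructs and may be stored."""
    return not find_jsp_constructs(content)

# Constructed sample inputs (not taken from SAP MII or from any advisory).
BENIGN = """<html><body>
<%-- layout notes --%>
<div id="chart"></div>
<script>render("chart");</script>
</body></html>"""

TAMPERED = """<html><body>
<div id="chart"></div>
<!-- <% out.print("marker"); %> -->
<p>Plant: ${param.plant}</p>
</body></html>"""

if __name__ == "__main__":
    for name, body in (("benign", BENIGN), ("tampered", TAMPERED)):
        print(name, find_jsp_constructs(body) or "accepted")
```

The same scan can be run over dashboards that were saved before patching to find ones that need review.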

SAP NetWeaver AS Java Flaw

SAP NetWeaver AS Java has a serious flaw in versions 7.10, 7.11, 7.30, 7.31, 7.40, and 7.50, specifically in MigrationService.

The affected component in these versions lacks authorization checks. This flaw (CVE-2021-21481) has a CVSS score of 9.6, which makes it critical severity.

SAP NetWeaver AS Java uses MigrationService internally to migrate applications between major releases of the AS Java engine.

More Vulnerabilities Fixed

SAP has also fixed reverse tabnabbing vulnerabilities in another two UI technologies/frameworks, as it did for HTMLB for Java. The main difference lies in the patches that are available for the other UI technologies.

These two patches require an additional fix for SAP NetWeaver AS Java, presented with SAP Security. With 18 new and updated SAP Security Notes, SAP’s March Patch Day is slightly below the average number released in the first two months of 2021.

Guru Baran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
