SAP on Tuesday released a dozen security notes addressing 23 vulnerabilities, including a high-priority flaw in its Point of Sale (POS) Retail Xpress Server that could let attackers gain access to SAP POS, the company’s client/server solution.
Two of those issues are updates to previously published security notes by the company. The remaining issue, a denial of service vulnerability, affects SAP Host Agent, a tool that allows users to monitor SAP instances, databases and operating systems.
The issues in SAP POS, a series of missing authorization checks, could let an attacker access a service without authorization, according to ERPScan, a firm that specializes in SAP and Oracle security. The solution runs parallel to the company’s retail solution portfolio and is used by 80 percent of retailers in the Forbes Global 2000, according to ERPScan. The vulnerabilities, which technically exist in the SAP solution’s Retail Xpress Server, "can lead to an information disclosure, privilege escalation, and other attacks," according to a blog post from ERPScan, whose researchers Dmitry Chastuhin, Mathieu Geli, and Vladimir Egorov discovered the high-severity POS vulnerability. The Amsterdam-based firm dug into the vulnerability in detail in a presentation at Hack in the Box Singapore in August.
If exploited, an attacker could read, write, or delete files stored on the server, shut down the application, or monitor content from the receipt window of a targeted POS system without authentication.
"This note concerns a complex attack at its core. However, a smart attacker can operate silently and independently... putting the confidentiality, availability and integrity of your data at the highest risk," commented Onapsis.
"If other scheduled jobs need these web services for regular processes, those jobs will subsequently fail. Depending on your business architecture, this could lead to more critical availability or performance issues on the system," warned Onapsis.