SAP patches critical security flaws

SAP has patched highly critical security flaws in EnjoySAP and SAP Web Application Server, as well as moderate vulnerabilities in its SAP Message Server, according to security advisories issued Friday by Mark Litchfield of Next Generation Security Software.

Security flaws in EnjoySAP were found due to ActiveX controls "kweditcontrol.kwedit.1" and "preparetopostHTML," which could allow a buffer overflow attack and remote access to users' systems, according to Litchfield, who discovered the flaws.

EnjoySAP is one of the more popular SAP GUIs, noted Litchfield in his advisory, which stated all platforms are affected.

SAP Web Application Server's Internet Communication Manager running on Windows was also found to have highly critical security flaws, according to the advisory. The ICM allows communication between the SAP Web Application Server and HTTP, HTTPS and SMTP protocols.

But an error in the Internet Communication Manager's ICMAN.exe component can be exploited, leading to a denial-of-service attack.

"This is a very effective denial-of-service attack within a SAP environment," Litchfield stated in his advisory.

A more moderate security flaw was found in SAP Message Server running on all platforms, which can be exploited when a boundary error occurs during processing of HTTP requests. That can lead to a buffer overflow attack and remote execution of arbitrary code, according to NGSS' advisory.