On the 10th of March 2020, SAP Security Patch Day saw the release of 18 Security Notes.
Notes by severity

| Severity | Number of Notes |
|---|---|
| Correction with high priority | 4 |
| Correction with medium priority | 9 |
| Correction with low priority | 1 |

On the March Patch Day, SAP presented 8 high-severity Notes, 4 of them rated as HotNews.
We start today's digest with Security Note 2622660 – Security updates for the browser control Google Chromium delivered with SAP Business Client – with a CVSS Score of 10. Keeping Chromium-based systems updated has proved essential because of their complexity and the high likelihood that they become the target of an attack.
Another Note carries the highest possible CVSS Score: Security Note 2890213 – Missing Authentication Check in SAP Solution Manager – with a CVSS Score of 10. A service performs no authentication at all, which can result in the complete compromise of all SMDAgents connected to the Solution Manager, so the risk to system integrity is stated to be severe.
A more specific SAP Solution Manager Note is dedicated to the Diagnostics Agent: Security Note 2845377 – Missing Authentication check in SAP Solution Manager (Diagnostics Agent) – with a CVSS Score of 9.8. The Diagnostics Agent allows P4 connections from unauthenticated sources to an insecure server port. This allows an attacker to control all remote functions on the Agent; as a result, sensitive data could be accessed and modified.