fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

SAP Updates Security Note For Critical RECON Vulnerability

SAP Updates Security Note For Critical RECON Vulnerability

SAP today released its security patches for August, alerting of new critical and high-severity vulnerabilities in several of its products, mostly NetWeaver Application Server (AS).

The full list includes 16 advisories, almost half of them being for bugs that SAP customers should prioritize patching.

New issue added to RECON advisory

SAP has also updated its security note for the maximum severity RECON vulnerability with a related bug that could enable an unauthenticated attacker to access various folders in the directory structure.

The developer also updated the July 2020 Patch Day security note for RECON, a critical issue disclosed by researchers at cybersecurity firm Onapsis, who said that it impacted more than 40,000 SAP customers.

Two days after disclosure, proof-of-concept  exploit code emerged and researchers recorded active scans for devices vulnerable to RECON.

The new CVE for this advisory is CVE-2020-6286, which affects the LM configuration wizard in SAP NetWeaver AS Java. It stems from insufficient input path validation of a specific parameter in the web service of the product.

While its severity score is medium (5.3/10), exploiting it does not require authentication and can enable an attacker to hop to other folders after downloading archive files (ZIP) to a specific directory.

Also read: Privacy policy template important tips for your business

Seven high-risk issues, one critical

However, the most important flaw in the list is a cross-site scripting (XSS) issue in the Knowledge Management component of NetWeaver AS, which received the identification number CVE-2020-6284 and has a critical severity score of 9/10. The same component received a fix for allowing unrestricted file upload (CVE-2020-6293).

A missing authentication check has been fixed in SAP’s business intelligence platform BusinessObjects. Tracked as CVE-2020-6294, the bug has a high-severity rating of 8.5 and affects versions 4.2 and 4.3.

In SAP Business Services (Generic Market Data), the developer addressed an issue now known as CVE-2020-6298 and with a slightly lower score, 8.3, referring to missing authorization.

Several versions of NetWeaver (ABAP Server) and ABAP Platform have a code injection vulnerability (CVE-2020-6296) rated with a severity impact of 8.3.

SAP provides patches for another missing authentication check (CVE-2020-6309) discovered in various components of NetWeaver AS Java (EngineAPI, WSRM, ServerCore, and J2EE-FRMW).

Last on the list of more noteworthy updates is an information disclosure (CVE-2020-6295) in SAP Adaptive Server Enterprise version 16.0, with a calculated severity score of 7.

Details for these bugs are still under wraps but SAP customers can learn the particularities by logging into their SAP ONE support launchpad account.

A summary of all the vulnerabilities addressed in today’s security updates from SAP is available here.

Also read: 12 brief explanation about the benefits of data protection for business success

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us