SAP has issued a critical software update that plugged 23 security holes on Tuesday, including a fix for security issues in its industrial manufacturing software.

The manufacturing software patch addresses a critical vulnerability in SAP Manufacturing Integration and Intelligence (xMII).

The product provides a bridge between ERP (Enterprise Resource Planning) and other enterprise applications with plant floor and OT (Operational Technology) devices. The technology is widely used in manufacturing as well as the oil and gas exploration business and energy utilities.

Left unresolved, the directory traversal vulnerability in SAP xMII would create a potential means for hackers to penetrate into plant floor and OT networks where ICS (industrial control systems) and SCADA systems are located.

A skilled attacker might harness the directory traversal flaw to access files and directories located in an SAP server filesystem, including application source code, configuration and system files.

“Any vulnerability affecting SAP MII can be used as a starting point of multi-stage attacks aiming to get control over plant devices and manufacturing systems,” said Polyakov Alexander, CTO at SAP and Oracle security specialists ERPScan, told El Reg. “Similar attack scenarios were presented by us at the BlackHat conference but for the oil and gas [industry] in particular.”

ERPScan’s analysis of SAP’s patch batch can be found here. SAP’s own summary of its Febuary patch update is here.

Most of the patched vulnerabilities reside in SAP NetWeaver's J2EE application security. The most common vulnerability type is Cross Site Scripting and missing authorisation check. Four of the patched vulnerabilities, including the critical xMII flaw, were discovered by ERPScan researchers Dmitry Chastuhin and Vahagn Vardanyan. ®