SAP plugs critical software flaw that could let hackers into factories

SAP has issued a critical software update that plugged 23 security holes on Tuesday, including a fix for security issues in its industrial manufacturing software. The manufacturing software patch addresses a critical vulnerability in SAP Manufacturing Integration and Intelligence (xMII). The product provides a bridge between …

  1. Anonymous Coward

    >Four of the patched vulnerabilities, including the critical xMII flaw, were discovered by ERPScan researchers Dmitry Chastuhin and Vahagn Vardanyan.

    Kudos to those guys. Security researchers are often the only thing keeping vendors honest these days, what with Q&A (yes, they can't catch everything, but sometimes you shake your head at what gets through) considered nothing but an expense (staffed generally by the lowest bidder) instead of a critical part of protecting our infrastructure.

    1. MyffyW Silver badge

      Of course you've firewalls between your regular IT systems and the process control stuff so you do have some mitigation, don't you?

      1. Anonymous Coward

        yeah sure

        Myself, I don't do IT infrastructure for a living really, but as a developer and contractor I've seen how plenty of shops do software. Yes, good security is generally done in rings, but that doesn't mean care should not be put into making sure software up front doesn't stress those other rings more than it has to. Vulnerabilities will happen, but there are certain places where they really need to be minimized, and this is one of them.

  2. amanfromMars 1 Silver badge

    What do you know of Grand Masterly Meme Control and ITs Commands? .....

    ........... for Perfectly Immaculate Source*

    Methinks the following APT here, for it appears to be a Mirror/Clone/Beta Minded Drone of SAPxMII with AIMaster Patch Addressing All Vulnerabilities .......

    amanfromMars [1602100609] …… expanding upon a meme on http://www.thedailybell.com/news-analysis/36773/War-and-Economic-Depression-Molding-Modern-Times--Are-You-Prepared/

    Methinks, robertsgt40/Dimitri Ledkovsky, those old punishing weapons of intimidation have morphed and expanded into the likes of an IS meme. Still in their infancy, indeed, but remarkably quickly learning more every day about what is considered by exclusive executive administrations important and vital to systems' survival and prospering. And that provides new targets and/or persons of leading interest to attack, if such be a good plan.

    Things in the leverage field are much more sophisticated, nowadays.

    * Which is in good hands, hearts and mind, a Quite COSMIC Universal Virtual Force to Master Create.

    1. allthecoolshortnamesweretaken

      Re: What do you know of Grand Masterly Meme Control and ITs Commands? .....

      Bit of a tangent, but definitely food for thought.

      1. amanfromMars 1 Silver badge

        Re: Feeds for Thoughts

        Bit of a tangent, but definitely food for thought. …… allthecoolshortnamesweretaken

        ’Tis practically a feast which is rendering all manner of bodies unfit for future great purpose, allthecoolshortnamesweretaken, and creates for them contemporaries of novel anonymous origin which have to eventually be chosen for either lead engagement or pathetic static opposition. It is a phenomenon of certain particular and peculiar concern to more than just a few, given the quite extraordinary powers required to be displayed to deal with unfolding emergent Next Generation Events.

        Some of the problems in this book look at ways of leveraging GCHQ’s passive SIGINT capabilities to give us a cyber edge, but researchers should always be on the look-out for opportunities to advance the cyber agenda. …… HIMR Data Mining Research Problem Book/https://cryptome.org/2016/02/gchq-malware-boing-boing-16-0202.pdf

        And whenever advancing the cyber agenda equates to running the global humanised enterprise, what provision then for Special Source whenever clearly it can be always both in-house friendly asset and prime foreign bodied target? Does it all then reduce to the lowest common denominator and the cost of securing the asset/tax free bungs to principals granting secured access to cyber flight deck commands and controls?

        Is it really just as simple and as cheap as that?

        GCHQ has the legal authority to intercept communications for the specific purposes of safeguarding the UK’s national security and economic well-being, and to prevent and detect serious crime.

        This section briefly discusses how sophisticated state actors (including ourselves and our five-eyes partners) currently conduct themselves in cyberspace. It is important to bear in mind that other states, in particular Russia and China, are not bound by the same legal framework and ideas of necessity and proportionality that we impose on ourselves. Moreover, there are many other malicious actors in cyberspace, including criminals and hackers (sometimes motivated by ideology, sometimes just doing it for fun, and sometimes tied more or less closely to a nation state). We certainly cannot ignore these non-state actors.

        And all of that old hatted intel just opens the door to what is beyond and in store for future presentation, methinks. And a right mined mind field it is too, and easily able and enabled to defend itself against all base attacks and virtual hacks.

  3. Palpy

    I for one --

    -- welcome a new twister from our Man From Mars over-mind. Splendid.

  4. Anonymous Coward

    Directory traversal vulnerability in SAP xMII

    Does this mean they hung a flawed HTML server off their critical oil and gas plant devices?
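The comment above asks about the directory traversal bug. The article gives no detail of how the xMII flaw works, so the following is an added, generic illustration of the bug class and its usual fix, not SAP's code and not the reported vulnerability: a file-serving handler that joins a client-supplied path onto the web root without checking the result, beside a hardened version that canonicalises the path and verifies it still lies under the root. The `htdocs` directory, the `secret.txt` file and the request strings are constructed for the demonstration.

```python
"""
Added example (not from the article or SAP): a naive and a hardened
web-root path resolver, exercised against traversal requests.
"""
import os
import tempfile
from typing import Optional
from urllib.parse import unquote


def resolve_naive(webroot: str, requested: str) -> str:
    """Vulnerable: decode once and join onto the root. '../' segments,
    plain or URL-encoded, walk straight out of the web root."""
    return os.path.normpath(os.path.join(webroot, unquote(requested).lstrip("/")))


def resolve_safe(webroot: str, requested: str) -> Optional[str]:
    """Hardened: decode (twice, to cover double encoding), canonicalise
    with realpath so symlinks and '..' are resolved, then refuse anything
    whose real location is not inside the real web root.
    A file literally named '%2e%2e' is also refused; that is deliberate."""
    root = os.path.realpath(webroot)
    decoded = unquote(unquote(requested))
    candidate = os.path.realpath(os.path.join(root, decoded.lstrip("/")))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def demo() -> dict:
    """Build a throwaway web root with one public file, drop a 'secret'
    next to (not inside) it, and compare both resolvers on four requests.
    Returns, per request, whether the naive path escaped the root and
    whether the safe resolver rejected the request."""
    base = tempfile.mkdtemp()
    webroot = os.path.join(base, "htdocs")           # constructed web root
    os.makedirs(webroot)
    with open(os.path.join(webroot, "index.html"), "w") as fh:
        fh.write("<html>public</html>")
    with open(os.path.join(base, "secret.txt"), "w") as fh:   # outside the root
        fh.write("outside the web root")

    real_root = os.path.realpath(webroot)
    requests = [
        "index.html",                 # legitimate
        "../secret.txt",              # plain traversal
        "%2e%2e/secret.txt",          # URL-encoded traversal
        "%252e%252e/secret.txt",      # double-encoded traversal
    ]
    results = {}
    for req in requests:
        naive = os.path.realpath(resolve_naive(webroot, req))
        safe = resolve_safe(webroot, req)
        results[req] = {
            "naive_escapes": os.path.commonpath([real_root, naive]) != real_root,
            "safe_rejected": safe is None,
        }
    return results


if __name__ == "__main__":
    for req, outcome in demo().items():
        print(f"{req!r:28} naive escapes root: {outcome['naive_escapes']!s:5} "
              f"safe rejected: {outcome['safe_rejected']}")
```

The naive resolver lets both the plain and the single-encoded `../` out of the root; the double-encoded form only survives it because this handler decodes once, which is exactly the kind of layering (reverse proxy, application server, file API each decoding in turn) that turns a "harmless" path into a traversal later. The safe resolver's check is on the canonical path, after all decoding, which is the property a practitioner should look for when reviewing any component that serves files from a request path.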


Biting the hand that feeds IT © 1998–2020