Analyzing SAP Security Notes April 2014 Edition
SAP is a complex and ever-changing system, whether because of changes introduced to your SAP implementation to better suit your business or through the application of Security Notes (patches) to ensure that newly disclosed vulnerabilities are mitigated. In order to provide a predictable and scheduled flow of vulnerability mitigation information and security patches, SAP releases its latest Security Notes on the second Tuesday of every month. Because of this regular disclosure of new security issues that could potentially weaken the security of SAP systems within an organization, it is highly recommended to carry out periodic assessments at least monthly.

At Onapsis we are very concerned about our clients' SAP system security and about the state of SAP security in general, so to assist our customers we perform a detailed analysis of the monthly SAP Security Notes as soon as they are published. The goal is to provide SAP clients with detailed information about the newly released Notes and the vulnerabilities affecting their SAP systems, and to help guide the testing of these systems within their organization. This month 23 Security Notes were
- 1778940 by Nahuel D. Sánchez
- 1974016 by Nahuel D. Sánchez
- 1993349 by Will Vandevanter
- 1929473 by Sergio Abraham
We have generated a graph illustrating the distribution of CVSS scores across the Security Notes released in April. 15 of the 23 SAP Security Notes were assigned a CVSS score by SAP. As the graph shows, this month's scores range from 2.6 to 6.0, with a median of 4.9.

SAP Security Notes with higher CVSS score

The highest CVSS score this month was 6.0, which was assigned to five Notes. Of these five, two are especially important to apply, as the vulnerabilities they fix could lead to arbitrary ABAP code execution in the affected SAP system:
- 1985100, with a CVSS score of 6.0 (AV:N/AC:M/AU:S/C:P/I:P/A:P). Applying this Note fixes a vulnerable Report and prevents the execution of arbitrary ABAP code in the target system.
- 1971516, with a CVSS score of 6.0 (AV:N/AC:M/AU:S/C:P/I:P/A:P). A command injection vulnerability was found in the ST-PI component. This Note fixes the affected RFC functions so that they can no longer be exploited.
The next three Notes with CVSS of 6.0 were:
- 1983739 (AV:N/AC:M/AU:S/C:P/I:P/A:P). This Note fixes hardcoded user credentials in Financial modules.
- 1929473 (AV:N/AC:M/AU:S/C:P/I:P/A:P). This Note fixes hardcoded user credentials in certain classes.
- 1987413 (AV:N/AC:M/AU:S/C:P/I:P/A:P). Applying this Note prevents an authenticated user whose access should be restricted from using user management functions.
SAP HANA Vulnerability

SAP HANA, short for “High-Performance Analytic Appliance”, is an in-memory, column-oriented, high-performance relational database management system developed by SAP AG. This month, SAP released one Security Note for HANA based on a vulnerability discovered and reported by Onapsis:
- SAP Security Note 1993349 fixes a vulnerability in one of SAP's latest product releases, SAP HANA. The vulnerability could be exploited without authentication and could lead to reflected XSS attacks against the HANA Administration Tool.
Additional Technical Information

SQL Injection attacks [1772839, 1583685]

These attacks use code injection techniques to compromise data-driven applications. The technique consists of inserting malicious SQL statements into certain input fields in order to access and compromise the database. An example of an affected ABAP Report is LSZRSF03.

Arbitrary code execution attack

A code execution vulnerability describes the ability of an attacker to execute any command on the target machine or system. This type of vulnerability was found in SAP's Web Intelligence Rich Client module.

Path Traversal attack on the SWIFT adapter

The SWIFT File Adapter component had a vulnerability through which an attacker could potentially write arbitrary files on the remote system, which could lead to data corruption or even alter the behavior of the remote server.

Operating System code injection vulnerability

Exploiting this type of vulnerability gives the attacker the possibility of controlling the system or escalating privileges through the execution of shell commands. The Note fixes the vulnerability in certain ABAP and RFC functions.

Other attack vectors remediated
- Missing authorization checks [1974016, 1073396, 1955908]
- Update to Security Notes [1590834, 2000095, 1990096]
- Potential disclosure of information [1986895, 1974046]
- Security improvements for Certificate handling, and CSRF prevention [1975842, 2001778]
- HTTP Verb Tampering
- Note related to the Security Audit Log
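The SQL injection pattern described in the technical section above, shown as an added example that is not code from the Onapsis post, from SAP, or from the affected ABAP Report. The vulnerable code in the Notes is ABAP, so this Python/sqlite3 demo reproduces the same mistake in a portable form: a dynamic WHERE clause built by pasting user input into the statement text, beside the parameterized query that fixes it and an allow-list check on the input. The `materials` table, its rows and the crafted input are all constructed for the demo.

```python
"""Dynamic WHERE clause: vulnerable string splicing vs. bind parameters (added example)."""
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for a real material master table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE materials (matnr TEXT PRIMARY KEY, descr TEXT, owner TEXT)")
    conn.executemany(
        "INSERT INTO materials VALUES (?, ?, ?)",
        [("M-100", "Pump housing", "alice"),
         ("M-200", "Valve seat", "bob"),
         ("M-300", "Gasket kit", "carol")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, matnr: str) -> list:
    """User value spliced into the WHERE text: the query structure is now attacker-controlled."""
    where = f"matnr = '{matnr}'"
    return conn.execute(f"SELECT matnr FROM materials WHERE {where}").fetchall()


def lookup_hardened(conn: sqlite3.Connection, matnr: str) -> list:
    """Bind parameter: the value travels separately from the statement, so quote
    characters in the input can never change what the statement does."""
    return conn.execute("SELECT matnr FROM materials WHERE matnr = ?", (matnr,)).fetchall()


# Constructed allow-list rule for the demo: material numbers are upper-case
# letters, digits and dashes, at most 18 characters. Rejecting anything else
# before it reaches the query is a second, independent layer of defence.
MATNR_PATTERN = re.compile(r"[A-Z0-9-]{1,18}")


def is_material_number(value: str) -> bool:
    return MATNR_PATTERN.fullmatch(value) is not None


def demo() -> dict:
    """Run both lookups with a benign and a crafted input and return the row counts."""
    conn = make_db()
    benign = "M-100"
    # Constructed test input: closes the string literal and appends a tautology.
    crafted = "' OR '1'='1"
    return {
        "benign_vulnerable": len(lookup_vulnerable(conn, benign)),
        "benign_hardened": len(lookup_hardened(conn, benign)),
        "crafted_vulnerable": len(lookup_vulnerable(conn, crafted)),
        "crafted_hardened": len(lookup_hardened(conn, crafted)),
        "crafted_passes_allowlist": is_material_number(crafted),
    }


if __name__ == "__main__":
    for name, count in demo().items():
        print(f"{name}: {count}")
```

With the benign input both lookups return the single matching row; with the crafted input the spliced query returns every row in the table while the parameterized query returns none, and the allow-list check rejects the input outright. In ABAP the equivalent hardening is to avoid building `WHERE (lv_where)` fragments from raw input, or, where a dynamic clause is unavoidable, to pass each fragment through the quoting and allow-list methods of the standard class CL_ABAP_DYN_PRG (general ABAP guidance, not something the Notes above spell out).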
The analysis of the notes was performed by Nahuel Sánchez and Emiliano Fausto. Each month Onapsis updates our flagship product Onapsis X1 to allow you to check whether your systems are up to date with these latest SAP Security Notes as well as configured with an appropriate level of security. Stay tuned for next month’s Security Notes analysis from Onapsis Research Labs.