Analyzing SAP Security Notes June 2014 Edition
SAP is a complex and ever changing system, whether because of changes introduced to your SAP implementation to better suit your business or through the application of Security Notes (Patches) to ensure that newly disclosed vulnerabilities are mitigated. In order to provide a predictable and scheduled flow of vulnerability mitigation information and security patches, SAP releases their latest Security Notes information on the second Tuesday of every month. Due to this regular disclosure of new security issues that could potentially weaken the security of SAP systems within an organization, it’s highly recommended to carry out periodic assessments on a monthly basis at least. At Onapsis we are very concerned about our client’s SAP system security and also the state of SAP security in general, so to assist our customers, we perform a detailed analysis of the monthly SAP Security Notes as soon as they are published. The goal of this is to provide SAP clients with detailed information about the newly released notes and vulnerabilities affecting their SAP systems and help guide their testing of these systems within their organization. This month 21 SAP Security Notes were published by SAP (3 Support Packages and 18 Patch Day Notes). Of the ten notes reported by external researchers, Onapsis Research Labs reported six (from those notes, the 2001106 involved a remote unauthenticated Denial of Service which affects SAP Business Objects, and 2015446 a Code Injection vulnerability in SAP HANA Web Development Workbench, both discovered by Will Vandevanter).
- 2001106 by Will Vandevanter
- 2001109 by Will Vandevanter
- 2015446 by Will Vandevanter
- 1998990 by Will Vandevanter
- 1941562 by Will Vandevanter
- 1967780 by Nahuel D. Sánchez
We have generated a plot graph illustrating the distribution of CVSS scores across the 21 Security Notes released in June. 14 out of the 21 SAP Security Notes were assigned a CVSS number by SAP. As you may observe in the graph, the SAP Security Notes this month have a range of values from 3.5 to 7.5 with a median of 4.65.
Hot News from SAP
There was a Hot News note related to the Heartbleed bug, specifically for a vulnerability in SAP Document Presentment by OpenText v5.6 and v5.6.1 (in conjunction with implementations using OpenSSL).
SAP Security Notes with high CVSS scores
- 2007530: 7.5 (AV:N/AC:L/AU:N/C:P/I:P/A:P). Addresses an invalid user authentication in Unix SAP Content Server when enabling UNIX operating systems to use shadow passwords.
- 2001106: 7.1 (AV:N/AC:M/AU:N/C:N/I:N/A:C). Fixes a critical vulnerability which could allow an attacker to remotely exploit BI-BIP causing a denial of service via an authenticated connection.
- 1962860: 6.8 (AV:N/AC:M/AU:N/C:P/I:P/A:P). Prevents attackers from executing functions in BPC 7.5 without authentication and authorization.
- 2015446: 6.0 (AV:N/AC:M/AU:S/C:P/I:P/A:P). Prevents unauthorized use of application functions in SAP HANA Web-based Development Workbench via code injection.
- 2006974: Although it doesn't have a CVSS score calculated by SAP, this note is important because it fixes a code injection vulnerability, which could permit the attacker to execute arbitrary program code.
The next three notes with CVSS 5.0 were:
- 1908531: (AV:N/AC:L/AU:N/C:P/I:N/A:N). Addresses a vulnerability that allowed untrusted XML input parsing through the SBOP Explorer .
- 2001109: (AV:N/AC:L/AU:N/C:P/I:N/A:N). Fixes a potential information disclosure vulnerability relating to SAP Business Intelligence module.
- 2007526: (AV:N/AC:L/AU:N/C:P/I:N/A:N). Potential information disclosure vulnerability relating to SAP Content Server.
Other attack vectors
- SQL Injection in HANA: Note 2014881
- Missing authority checks: Note 1967780
- Cross Site Scripting (XSS):
- Unauthenticated: Notes 1881073, 1674849, 1981048 and 1971270
- Authenticated: Notes 1941562 and 1943208
- Information disclosure: Notes 1998990 and 2028012
Each month Onapsis updates our flagship product Onapsis X1 to allow you to check whether your systems are up to date with these latest SAP Security Notes as well as ensuring those systems are configured with the appropriate level of security to meet your audit and compliance requirements. Stay tuned for next month’s Security Notes analysis from Onapsis Research Labs.