SAP Security Notes May ‘18: Hidden in Plain Sight
In our end-of-year overview for 2017 we discussed the trend towards stability in SAP security, judged by the total number of monthly published security notes in that period. Year after year we had been seeing a diminishing number of notes, with 2017 ending up having the least number of notes since Onapsis's conception in 2009. This trend is definitely continuing in 2018.
Today, like every second Tuesday of the month, SAP published a new batch of security notes. Nine new notes were published today, bringing the total to only 16 notes released since the last Patch Day. This is the exact same amount as last month's total. Where in the past we were used to seeing 25 to 30 notes released monthly, we are surprised to see these low numbers on a recurring basis. We saw no new Hot News or High Priority notes this month. With the exception of a single Low Priority note, all notes are of Medium Priority.
These numbers could indicate a growing maturity in SAP security, something Onapsis has been striving to achieve for years as a pioneer in the field, in close cooperation with SAP. We definitely hope to see this trend continue, although it does motivate our security researchers to dig even deeper to find vulnerabilities.
The graphic below shows this month's distribution of vulnerability types:
The Silent Threat of Insecure Configuration
Although we are happy to see the number of monthly released SAP security notes decline, we feel the need to stress that keeping your systems patched with the latest notes does not implicitly mean you are secure. Not all security threats are introduced by means of programming bugs. Some of them are introduced by not configuring your system in a secure way, or through configuration drift.
This month the Onapsis Research Labs revealed a critical security configuration vulnerability, resulting from a default installation in SAP systems, which could lead to a full system compromise in unprotected environments. If exploited, the vulnerability could affect all SAP Netweaver versions. The threat still exists within the default security settings of every Netweaver-based SAP product, such as SAP ERP, SAP CRM, S/4 HANA, SAP GRC Process and Access Control, SAP Process Integration/Exchange Infrastructure (PI/XI), SAP Solution Manager, SAP SCM, SAP SRM and others. Onapsis has analyzed hundreds of real SAP customer implementations and found that 9 out of 10 SAP systems were still vulnerable.
The vulnerability is mainly driven by a security configuration originally documented by SAP in 2005, and is still present in the majority of SAP implementations either by neglecting to apply security configurations or due to configuration drifts after the configuration was initially secured. While the patch has been available to SAP customers for quite some time, we understand the complexities organizations face when implementing secure configurations.
Onapsis has prepared a Threat Report to give you all the technical details to secure this vulnerability. Today at 2:00 PM ET we will be presenting a webcast on this topic. If this information is reaching you too late, please keep an eye on our website to view the webcast at a later time.
This Month's Notable Notes
SAP Netweaver SAL Incorrect Logging of Addresses
About two and a half years ago SAP initially published note #2190621, reporting a vulnerability found by Onapsis concerning the incorrect logging of IP addresses in the Security Audit Logging (SAL) function.
In some landscapes in which the SAP system is behind a proxy or a NAT router, the system logs the original client IP address instead of the NAT-translated IP address. For auditing purposes, however, it is preferable to log the translated router IP, since it is not easily spoofed. Client IP addresses are more easily manipulated, rendering them less reliable for logging from an auditing viewpoint. Furthermore, the upcoming General Data Protection Regulation (GDPR) could even lead to client IP addresses being considered personal data, adding another reason to make this way of logging IPs undesirable.
This month the original note was re-released with updated CVSS, prerequisite and solution information. We advise you to take another look at this note to confirm that you are covered.
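To make the logging behaviour the SAL note asks for concrete, here is an added example (not SAP's or Onapsis's code) of an audit-record helper that records the transport-level peer address as the authoritative source and keeps the client-reported address only as an untrusted annotation. The field names, the TRUSTED_NAT set and the sample logons are this example's own assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Addresses of the NAT routers / proxies in front of the system (constructed value).
TRUSTED_NAT = {ipaddress.ip_address("203.0.113.10")}


@dataclass(frozen=True)
class AuditRecord:
    user: str
    peer_ip: str                # what the server's socket saw: the value auditors rely on
    reported_ip: Optional[str]  # what the client said about itself: informational only
    via_nat: bool               # peer is a known NAT/proxy, so a differing reported_ip is expected
    anomaly: bool               # direct connection whose self-reported address disagrees with the peer


def build_record(user: str, peer_ip: str, reported_ip: Optional[str]) -> AuditRecord:
    """Normalise both addresses; malformed client input is dropped, never logged verbatim."""
    peer = ipaddress.ip_address(peer_ip)  # raises on garbage: never write unparsed input to the log
    reported = None
    if reported_ip:
        try:
            reported = ipaddress.ip_address(reported_ip)
        except ValueError:
            reported = None  # client-controlled field: discard rather than trust
    via_nat = peer in TRUSTED_NAT
    # Behind NAT every client "mismatches" by design, so only a direct connection
    # that claims a different address than it actually connects from is flagged.
    anomaly = (not via_nat) and reported is not None and reported != peer
    return AuditRecord(user, str(peer), str(reported) if reported else None, via_nat, anomaly)


def anomalies(records):
    """Records worth a closer look during audit review."""
    return [r for r in records if r.anomaly]


# Constructed sample logons: two through the NAT, one clean direct connection,
# one direct connection with a bogus self-reported address, one malformed claim.
SAMPLE = [
    build_record("alice", "203.0.113.10", "10.0.0.5"),
    build_record("bob", "203.0.113.10", "10.0.0.6"),
    build_record("carol", "198.51.100.7", "198.51.100.7"),
    build_record("dave", "198.51.100.8", "10.0.0.5"),
    build_record("erin", "198.51.100.9", "not-an-ip"),
]
```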
Vulnerabilities in IGS
Over the course of the past months we have seen SAP publish multiple notes concerning the Internet Graphics Server (IGS). The IGS is an engine used by SAP for generating visual components like graphics or charts. Previously published SAP notes showed that IGS has been exposing a wide variety of bugs: Denial of Service (DoS), Cross-Site Scripting (XSS) and Log Injection attacks, amongst others.
Two notes (#2525222 & #2538829) bundled together more than 15 vulnerabilities, some of which were very severe. These bugs were discovered by security researcher Yvan Genuer, just before he joined the Onapsis Research Labs this month. You can imagine we are happy for him to join our team!
Today SAP published an additional four notes on IGS:
- [CVE-2018-2420] Unrestricted File Upload in SAP Internet Graphics Server (IGS) (#2615635): SAP Internet Graphics Server (IGS) allows an attacker to upload any file (including script files) without proper file format validation
- [CVE-2018-2421] [CVE-2018-2422]: Denial of Service in SAP Internet Graphics Server (IGS) Portwatcher (#2616599 & #2617553): SAP Internet Graphics Server (IGS) allows an attacker to prevent legitimate users from accessing a service, either by crashing or flooding the service
- [CVE-2018-2423] Denial of Service in SAP Internet Graphic Server (IGS) RFC Listener (#2620744): The SAP Internet Graphic Server (IGS) HTTP and RFC listener allows an attacker to prevent legitimate users from accessing a service, either by crashing or flooding the service
As always, we are working on updating the Onapsis Security Platform to incorporate these newly published vulnerabilities. This will allow our customers to check whether their systems are up to date with the latest SAP Security Notes and will ensure that those systems are configured with the appropriate level of security to meet their audit and compliance requirements. Please watch our website for additional information on all topics discussed in this blog post.
Last but not least, don't forget that the General Data Protection Regulation will be coming into effect on May 25, 2018. Good luck, and for all questions please feel free to contact us.