Analyzing SAP Security Notes April 2015 Edition
SAP is a complex and ever-changing system, whether because of changes introduced to your SAP implementation to better suit your business, or through the application of Security Notes (patches) to ensure that newly disclosed vulnerabilities are mitigated. In order to provide a predictable and scheduled flow of vulnerability mitigation information and security patches, SAP releases the major part of its latest Security Notes information on the second Tuesday of every month. Because this regular disclosure of new security issues could potentially weaken the security of SAP systems within an organization, it is highly recommended to carry out periodic assessments at least monthly. At Onapsis we are very concerned about our clients' SAP system security and also about the state of SAP security in general. To assist our customers, we perform a detailed analysis of the monthly SAP Security Notes as soon as they are published. The goal is to provide SAP clients with detailed information about the newly released notes and vulnerabilities affecting their SAP systems, and to help guide their testing of these systems within their organization.
Between the last published SAP Security Tuesday and today, there were 15 SAP Security Notes published by SAP AG (taking into account 6 Support Packages and 9 Patch Day Notes). Only three external security researchers were mentioned this month. Two of them, Nahuel Sánchez and Fernando Russ, are from the Onapsis Research Labs. Together, they work with the rest of the Research team and SAP AG to help make SAP software more secure. The graph illustrates the distribution of CVSS scores across the released Security Notes. Only the notes to which SAP assigned a CVSS score were taken into account (5 out of the 15 SAP Security Notes). As represented in the graph, the CVSS scores of this month's SAP Security Notes range from 3.6 to 5.8, with a median of 4.3.
Hot News from SAP
There were no Hot News items published by SAP AG this month.
SAP Security Notes with higher CVSS score provided by SAP
- 2067830; 5.8 (AV:N/AC:M/Au:N/C:N/I:P/A:P). This note fixes a vulnerability in the Web Dynpro Java component, which could allow an attacker to upload a malicious file to the system if the virus scanner isn't properly configured.
- 2094830; 4.7 (AV:L/AC:M/Au:N/C:C/I:N/A:N). This note addresses a vulnerability in the Sybase Unwired Platform Online Data Proxy component. An attacker may discover the username and backend password using the DataVault.
Other corrections with High Priority (no CVSS provided by SAP)
- 2097534; This note prevents the execution of arbitrary program code of the user's choice by fixing a vulnerability in the component CRM-BF-BRF Business Rules Framework. Abusing this vulnerability, an attacker may take full control of the SAP system. In addition, this note fixes a SQL injection vulnerability, which could permit a malicious user to obtain information persisted in the system.
- 2152703; Sybase SQL Anywhere has been fixed to prevent exploitation of FREAK (Factoring Attack on RSA-EXPORT Keys CVE-2015-0204). Abusing this weakness, an attacker may decrypt secure communications between vulnerable clients and servers.
Other attack vectors
- Missing authority checks: Notes 2137898, 2125925
- Reflected cross-site scripting (XSS): Note 1994667
- SQL Injection (SQLi): Notes 2148406, 2147745, 2141994
- Information disclosure: Notes 2084037, 1979543, 1849892
- Memory corruption in HANA client: Note 2140700
- Password hash algorithm in UME: Note 2003727
Each month Onapsis updates our solutions to allow you to check whether your systems are up to date with the latest SAP Security Notes, and to help you ensure that your systems are configured properly in order to meet your audit and compliance requirements. Stay tuned for next month's Security Notes analysis from Onapsis Research Labs. If you aren't already doing so, be sure to follow @Onapsis on Twitter to stay up to date on the latest research, events, and information.