Analyzing SAP Security Notes August 2015 Edition
SAP is a complex and ever changing system, whether because of changes introduced to your SAP implementation to better suit your business or through the application of Security Notes (Patches) to ensure that newly disclosed vulnerabilities are mitigated.
In order to provide a predictable and scheduled flow of vulnerability mitigation information and security patches, SAP releases the major part of their latest Security Notes information on the second Tuesday of every month. Due to this regular disclosure of new security issues that could potentially weaken the security of SAP systems within an organization, it’s highly recommended to carry out periodic assessments on a monthly basis at least.
At Onapsis we are very concerned about our client’s SAP system security and also the state of SAP security in general. To assist our customers, we perform a detailed analysis of the monthly SAP Security Notes as soon as they are published. The goal of this is to provide SAP clients with detailed information about the newly released notes and vulnerabilities affecting their SAP systems and help guide their testing of these systems within their organization.
Between the last published SAP Security Tuesday and today, there were 40 SAP Security notes published by SAP AG (taking into account 14 Support Packages and 26 Patch Day Notes). Onapsis Research Labs reported the following SAP Security Notes:
2175928 - Potential remote termination of running processes in SAP HANA text engine. Reported by Nahuel D. Sánchez.
2165583 - SAP HANA secure configuration of internal communication. Reported by Juan Perez-Etchegoyen, Nahuel D. Sánchez and Sergio Abraham.
2176128 - Potential information disclosure relating to server information. Reported by Fernando Russ, Nahuel D. Sánchez and Pablo Artuso.
2148905 - Potential information disclosure relating to passwords in SAP Web Dispatcher trace files. Reported by Juan Perez-Etchegoyen and Sergio Abraham.
2125623 - Potential remote termination of running processes in BC-CCM-SLD-REG. Reported by Nahuel D. Sánchez.
The plot graph illustrates the distribution of CVSS scores across the Security Notes released. The only notes taken into account to build it, were the ones to which SAP set a CVSS (22 out of the 40 SAP Security Notes). As it's represented in the graph, the SAP Security Notes range values go from 1.5 to 8.5 with a median of 4.3.
Hot News from SAP
There were not any ‘hot news’ items this month.
SAP Security Notes with higher CVSS score provided by SAP
- 2037304 - 8.5 (AV:N/AC:M/Au:S/C:C/I:C/A:C) - Lacks proper input validation in SDCC Download Function Module. The note fixes a function in the Service Data Control Center (SDCCN), which is not checking properly the input parameters.
- 2169391 - 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) - Reflected File Download vulnerability in AFPServlet. The note prevents a Reflected File Download vulnerability which was present in the Ajax Framework Page Navigation Servlet.
- 2175928 - 6.8 (AV:N/AC:L/Au:S/C:N/I:N/A:C) - Potential remote termination of running processes in SAP HANA text engine. This note prevents a buffer overflow vulnerability in the text engine. The process could write out of its memory bounds, provoking a memory protection fail in the system, thus making the operating system to end this process (index server) in SAP HANA.
- 2165583 - 6.6 (AV:N/AC:H/Au:N/C:P/I:P/A:C) - SAP HANA secure configuration of internal communication. This note links to official documentation of SAP HANA, which indicates how to properly configure the system, so that, it can't be accessed without proper authentication.
- 2182488 - 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N) - Open source vulnerabilities Axis 1.x in SAP EPC 2.0. The security bug CVE-2012-5784, which is present in the Apache Axis Version 1.2.1 library is affecting the SAP Enterprise Project Connection 2.0 (EPC), as this last product uses the Apache library.
Other corrections with High Priority (no CVSS provided by SAP)
- 2182768; Too Many http Services Are Activated. The note changes the default behavior of APIs for Internet Communication Framework, used to activate services. By default, it had a lax pattern matching, which could result in too many services activated (some of these services could be public, thus no authentication were required to consume them).
- 2077857; Potential disclosure of persisted data in SD-BIL. This note prevents a SQL Injection vulnerability present in the Billing component, with which an attacker could retrieve information from the database.
- 1973081; XSRF vulnerability: External start of transactions with OKCode. This note prevents a Cross-site request forgery (XSRF) vulnerability, which could be triggered by inducing the victim to execute a SAP GUI shortcut in Windows, or a Java start transaction (SAP GUI for JAVA) or to click a link in SAP GUI for HTML. These actions, can execute a change in the system with the credentials of the victim.
Other attack vectors
- Cross-site Scripting (XXS)
- Reflected: Notes 2175991, 2090013, 2032811, 2201881, 1694057, 2173184
- Stored: Notes 2182154, 2152669
- Missing authority checks: Notes 2104357, 1830797
- Information disclosure: Notes 2176128, 2192982, 2157458, 2093939, 2185409, 2148905, 2180403, 2182842
- Hard-coded credentials: Note 2114025
- Denial of Service (DoS): Notes 2187823, 2193318, 2125623, 1955742
- Directory Traversal: Note 2091403
- Reflected File Download: Note 2174357
- SQL Injection (SQI): Note 1791940
- XML External Entity (XXE): Notes 2152227, 2168485
From this month on, SAP will publish a monthly post in their SCN space “The Official SAP Product Security Response Space”, providing information about the SAP Security Notes.The first post is called: “SAP Security Patch Day - August 2015”; and it has information about the latest SAP Security Notes released by SAP. The data included in the blog provides a graphical representation of the “type of vulnerabilities” that were fixed (i.e.: Cross-site scripting, Information disclosure, Memory corruption) and also the number of SAP Security Notes, by priority during the last six months.
Each month Onapsis updates our solutions to allow you to check whether your systems are up to date with these latest SAP Security Notes as well as ensuring those systems are configured with the appropriate level of security to meet your audit and compliance requirements. Stay tuned for next month’s Security Notes analysis from Onapsis Research Labs. If you aren’t already doing so, be sure to follow @Onapsis on twitter to stay up to date on the latest research, events, and information.