Analyzing SAP Security Notes December 2015
SAP is a complex and ever changing system, whether because of changes introduced to your SAP implementation to better suit your business, or through the application of Security Notes (Patches) to ensure that newly disclosed vulnerabilities are mitigated.
In order to provide a predictable and scheduled flow of vulnerability mitigation information and security patches, SAP releases the major part of their latest Security Notes information on the second Tuesday of every month. Due to this regular disclosure of new security issues that could potentially weaken the security of SAP systems within an organization, it’s highly recommended to carry out periodic assessments on a monthly basis.
At Onapsis we are very concerned about our clients' SAP system security, as well as the state of SAP security in general. To assist our customers, we perform a detailed analysis of the monthly SAP Security Notes as soon as they are published. The goal is to provide SAP clients with detailed information about the newly released notes and the vulnerabilities affecting their SAP systems, and to help guide testing of these systems within their organization.
Between the last SAP Security Tuesday and today, SAP AG published 31 SAP Security Notes (5 Support Packages and 26 Patch Day Notes). This month several notes reported by the Onapsis Research Labs were released, and the Onapsis security researchers were therefore mentioned on the SAP Acknowledgments to Security Researchers page.
The SAP Security Notes released this month, related to advisories reported by the Onapsis Research Labs were:
- 2234226; 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P). TREX / BWA: Potential technical information disclosure / host OS compromise
- 2067570; 7.1 (AV:N/AC:M/Au:N/C:N/I:N/A:C). Potential denial of service in BI-BIP
- 2018683; 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N). Potential information disclosure relating to BI-BIP
- 2189178; 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N). Potential information disclosure relating to BI-BIP-ADM
- 2190621; 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N). SAP Netweaver SAL incorrect logging of addresses
- 2151108; 2.1 (AV:L/AC:L/Au:N/C:P/I:N/A:N). SLDREG fixed key for encryption
The plot graph illustrates the distribution of CVSS v2 scores across the released Security Notes. Only the notes for which SAP set a CVSS v2 score (19 out of the 31 SAP Security Notes) were taken into account to build it. As the graph shows, the scores range from 2.1 to 7.5, with a median of 5.0.
Hot News from SAP
- 2235515 - Insufficient logging in SNOTE
- 2235514 - Standard RFC destination for note download can be overridden
- 2235513 - External RFC callback to customer systems in SNOTE
It is particularly interesting that these three 'Hot News' Notes were already published last month as Hot News, yet all three now carry a higher version number and an updated Validity Date.
SAP Security Notes with higher CVSS scoring provided by SAP
- 2234226 - 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P). TREX / BWA: Potential technical information disclosure / host OS compromise. This note addresses a highly critical security vulnerability which could allow an unauthenticated attacker to execute remote commands on the host where the TREX Search Engine / SAP Business Warehouse Accelerator is running (with SIDadm rights), thus taking full control of the host operating system.
- 2248673 - 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P). Security vulnerabilities found in Apache Groovy Library used in SAP Customer Checkout. This note relates to the product SAP Customer Checkout, Release 1.0 Service Pack 00, Service Pack 01, Service Pack 02 up to Patch Level PL12, and Service Pack 03 up to Patch Level PL06. It is based on CVE-2015-3253, described as: "The MethodClosure class in runtime/MethodClosure.java in Apache Groovy 1.7.0 through 2.4.3 allows remote attackers to execute arbitrary code or cause a denial of service via a crafted serialized object."
- 2067570 - 7.1 (AV:N/AC:M/Au:N/C:N/I:N/A:C). Potential denial of service in BI-BIP. This note prevents a Denial of Service in the component BI Servers, security & CrystalReports viewing in the BI platform.
- 2227169 - 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P). Potential remote code execution in SAP 3D Visual Enterprise Author, Generator and Viewer. This note addresses a buffer overflow in the component, which could lead to the application executing attacker-supplied code, or cause a general fault that terminates the product. The note essentially explains what Data Execution Prevention (DEP) is and how important it is to have it enabled.
- 2227855 - 6.8 (AV:M/AC:N/Au:P/C:P/I:P/A:P). SMP unauthenticated access to SysAdminWebTool servlets. This note removes the possibility for an attacker to access certain URLs on the SAP Control Center Admin UI for SMP 2.3 and the MBO support add-on for SMP 3.0 without a check that the user belongs to the Administrator role. By accessing these URLs, a malicious user may cause a Denial of Service or even compromise data.
- 2165583 - 6.6 (AV:N/AC:H/Au:N/C:P/I:P/A:C). SAP HANA secure configuration of internal communication. This note gives a series of recommendations to properly configure the security of SAP HANA. In certain insecure network scenarios, the SAP HANA internal services could be accessed without the required authentication, allowing an attacker to affect the availability, confidentiality and integrity of the SAP HANA system.
- 2238932 - 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P). Potential modif./disclosure of persisted data in Agentry Server. This note fixes a SQL Injection vulnerability which was present in the Agentry Server. A malicious user may use crafted queries to view or modify persisted data in the database.
- 2240755 - 6.0 (AV:N/AC:M/Au:S/C:P/I:P/A:P). Missing authorization check in SAP ASE. This note fixes vulnerabilities in the SAP ASE XPServer. By exploiting these vulnerabilities, a malicious authenticated user may execute functions to which access should be restricted, escalate privileges, and even execute arbitrary commands on the host machine.
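As an added cross-check (not Onapsis or SAP code), the following recomputes the CVSS v2 base score from each vector string printed in this post, using the published CVSS v2 base equation and metric weights, and flags any vector that does not reproduce the printed score. It also rejects malformed vectors, such as the one printed above for note 2227855, whose AV, AC and Au values are not valid CVSS v2 metric values; the note list embedded below is copied from this post.

```python
from decimal import Decimal, ROUND_HALF_UP

IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}  # shared by C, I and A
WEIGHTS = {  # CVSS v2 base metric weights from the FIRST specification
    "AV": {"L": 0.395, "A": 0.646, "N": 1.0},
    "AC": {"H": 0.35, "M": 0.61, "L": 0.71},
    "Au": {"M": 0.45, "S": 0.56, "N": 0.704},
    "C": IMPACT, "I": IMPACT, "A": IMPACT,
}

def parse_vector(vector):
    """Turn 'AV:N/AC:L/...' into weights; reject unknown metrics or values."""
    weights = {}
    for part in vector.strip("()").split("/"):
        name, _, value = part.partition(":")
        if name not in WEIGHTS or value not in WEIGHTS[name]:
            raise ValueError(f"invalid CVSS v2 metric {part!r} in {vector!r}")
        weights[name] = WEIGHTS[name][value]
    if missing := set(WEIGHTS) - set(weights):
        raise ValueError(f"{vector!r} lacks metrics {sorted(missing)}")
    return weights

def cvss2_base_score(vector):
    """CVSS v2 base equation, rounded half-up to one decimal like the spec."""
    m = parse_vector(vector)
    impact = 10.41 * (1 - (1 - m["C"]) * (1 - m["I"]) * (1 - m["A"]))
    exploitability = 20 * m["AV"] * m["AC"] * m["Au"]
    f_impact = 0 if impact == 0 else 1.176
    raw = (0.6 * impact + 0.4 * exploitability - 1.5) * f_impact
    return float(Decimal(str(raw)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))

def check_note(published, vector):
    """None if the vector reproduces the published score, else the reason."""
    try:
        recomputed = cvss2_base_score(vector)
    except ValueError as exc:
        return str(exc)
    return None if recomputed == published else f"vector yields {recomputed}"

def audit(notes):
    """Notes whose printed score and vector disagree, keyed by note number."""
    return {note: reason for note, score, vector in notes
            if (reason := check_note(score, vector))}

# Note number, CVSS v2 score and vector exactly as printed in this post.
POST_NOTES = [
    ("2234226", 7.5, "AV:N/AC:L/Au:N/C:P/I:P/A:P"),
    ("2165583", 6.6, "AV:N/AC:H/Au:N/C:P/I:P/A:C"),
    ("2227855", 6.8, "AV:M/AC:N/Au:P/C:P/I:P/A:P"),  # printed vector is malformed
]
```

Running `audit(POST_NOTES)` returns only note 2227855, with the parse error as the reason; every other vector in this post reproduces the score SAP printed next to it.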
Other corrections with High Priority (no CVSS provided by SAP)
- 2081677 - Unauthorized modification of stored content in FIN-SEM-CPM. This note fixes a security problem in the component Corporate Performance Monitor, which could be abused by an attacker to modify the application content and persist those modifications without authorization, thereby obtaining authentication information from other legitimate users.
Other attack vectors
- Reflected Cross-site Scripting (XSS): Notes 2204160, 2168349, 2194572, 2165429
- Missing authority checks: Notes 2185273, 2228520, 2108479
- Information disclosure: Notes 2189178, 2018683, 2201796
- OS Command Injection: Note 2240946
- Cross-domain Redirection: Note 2198151
- Cross-site Request Forgery (XSRF): Note 1507735 (this note was previously released on September 2015)
- Cryptography issues: Notes 2117322, 2151108
- Denial of Service: Note 2220064
- Incorrect logging: Note 2190621
- Security configuration guide: Note 412309
- Oracle Update: Note 850306 (This note was previously released on September 2015)
Each month Onapsis updates the Onapsis Security Platform (OSP) to allow you to check whether your systems are up to date with the latest SAP Security Notes. These updates ensure that systems are configured with the appropriate level of security to meet your audit and compliance requirements.
Stay tuned for next month’s Security Notes analysis from the Onapsis Research Labs.
SAP published their monthly post in their SCN space “The Official SAP Product Security Response Space”, providing information about the SAP Security Notes.
Here is the link to the SAP blog post: “SAP Security Patch Day – December 2015”