Analyzing SAP Security Notes February 2014 Edition

SAP is a complex and ever-changing system, whether because of changes introduced to your SAP implementation to better suit your business or because of Security Notes (patches) applied to ensure that newly disclosed vulnerabilities are mitigated. To provide a predictable and scheduled flow of vulnerability mitigations and security patches, SAP releases its latest Security Notes on the second Tuesday of every month. Because this regular disclosure of new security issues can weaken the security of the SAP systems within an organization until the fixes are applied, we highly recommend carrying out periodic assessments, at least monthly. At Onapsis we are concerned not only with our clients' SAP system security but with the state of SAP security in general, so to assist SAP's customers we perform a detailed analysis of the monthly SAP Security Notes as soon as they are published. The goal is to provide SAP clients with detailed information about the newly released notes and the vulnerabilities affecting their SAP systems, and to help guide their testing of these systems within their organization. This month 33 Security Notes were published by SAP. Of these 33 notes, Onapsis Research Labs reported 10 of the underlying issues that have been addressed by SAP:

  • 1791081 by Sergio Abraham
  • 1768049 by Sergio Abraham
  • 1920323 by Sergio Abraham
  • 1915873 by Sergio Abraham
  • 1914777 by Sergio Abraham
  • 1911174 by Sergio Abraham
  • 1795463 by Sergio Abraham
  • 1789569 by Sergio Abraham
  • 1738965 by Sergio Abraham
  • 1939334 by Juan Pablo Perez Etchegoyen, Jordan Santarsieri and Pablo Muller.

We have generated a chart illustrating the distribution of CVSS scores across the Security Notes released in February. 22 of the 33 SAP Security Notes were assigned a CVSS score by SAP; for the remainder we calculated one ourselves. As the chart shows, the Security Notes span a wide range of scores (and, by implication, a wide range of impacts across an organization), illustrating the variety of notes SAP publishes. Understanding the different metrics for each Security Note (such as Impact, Occurrence Probability, Priority, Products affected, etc.) and the technical details of each one requires a significant amount of effort and time. This is the work that the Onapsis Research Labs does every month for our clients.

Most critical SAP Security Note

The most critical SAP Security Note to apply this month is 1963100, released as "Hot News" with a CVSS score of 9.0 (AV:N/AC:L/AU:S/C:C/I:C/A:C). Applying this note prevents the execution of operating system commands through the CTC servlet by a malicious attacker. Note what the vector says: the attack is network-reachable with low complexity and needs only a single authenticated user, and the impact on confidentiality, integrity and availability is complete. SAP Security Notes 1905408 and 1846438 should also be treated as high priority: 1905408 has a CVSS of 8.3 (AV:N/AC:M/AU:N/C:P/I:P/A:C) and addresses a remote Denial of Service (DoS) in BusinessObjects XIR3, and 1846438 has a CVSS of 7.5 (AV:N/AC:L/AU:N/C:P/I:P/A:P) and fixes unauthorized use of application functions via AS Java.

Additional Technical Information

Hardcoded credentials [1914777, 1915873, 1920323, 1738965, 1795463, 1768049, 1911174, 1791081, 1789569]

This type of vulnerability means that some SAP system objects were written with user names hardcoded into their code, so that the program's behavior changes depending on the user who initiates the call. A check of this kind sidesteps the standard authorization concept: whoever runs the code as the hardcoded user gets the privileged branch regardless of the authorizations assigned to that account, which is why such checks are treated as backdoors rather than as access control. The nine Security Notes listed above fix hardcoded credentials issues in different ABAP reports, functions and methods. Examples of the affected ABAP reports are LSCSM_REPOSITORY_GETF01 and LCNMMF04. An example of an affected RFC function is CY27_SAVE_VIA_POI_INTERFACE.

Other attack vectors remediated

  • Potential information disclosure in Web AS ABAP and NW BPC.
  • Path traversal issues; some of the affected reports are HFILTAX0_FORMS0_ALV, HFISTWC0_FORMS, HFIUTMS0 and HFISTBC0_SUBR. [1913388, 1777988, 1771706, 1769611]
  • Potential unauthenticated Cross-Site Scripting fixed in Business Planning and Consolidation. [1942332]
  • Missing authority checks were fixed in different RFC functions and ABAP reports. [1945300, 1911319, 1716640, 1915908]
  • Click-jacking in WebDynpro Java. [1781171]
  • SQL injection in report LSZRSF03. [1833327]
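
To make the hardcoded-credentials pattern from the "Additional Technical Information" section concrete, here is an added example (not code from this post, from SAP or from any of the notes above): a small Python scanner that flags comparisons of SY-UNAME against string literals in ABAP source, which is the shape these checks take in custom and standard code alike. The ABAP report it runs over, the user names in it and the helper names are constructed for illustration only.

```python
"""Flag hard-coded user-name checks (IF sy-uname = 'X', CASE sy-uname ...) in ABAP source.

Added example for this post, not code from SAP or from any of the notes above;
the sample report below is constructed for illustration only.
"""
import re

# Comparison of SY-UNAME (or its SYST-UNAME alias) against a string literal, in either order.
_CMP_LEFT = re.compile(r"\b(?:sy|syst)-uname\s*(?:=|<>|><|EQ|NE)\s*'([^']*)'", re.I)
_CMP_RIGHT = re.compile(r"'([^']*)'\s*(?:=|<>|><|EQ|NE)\s*(?:sy|syst)-uname\b", re.I)
# CASE sy-uname. ... WHEN 'X'. ... ENDCASE.
_CASE_OPEN = re.compile(r"^\s*CASE\s+(?:sy|syst)-uname\s*\.", re.I)
_CASE_WHEN = re.compile(r"^\s*WHEN\s+'([^']*)'", re.I)
_CASE_END = re.compile(r"^\s*ENDCASE\s*\.", re.I)


def _strip_comment(raw):
    """Return the code part of an ABAP line: '*' in column 1 marks a full-line
    comment, a double quote starts an end-of-line comment. (A double quote inside
    a string literal is not handled; good enough for a first-pass scan.)"""
    if raw.startswith("*"):
        return ""
    return raw.split('"', 1)[0]


def find_hardcoded_users(source):
    """Return [(line_no, user_name, statement)] for every hard-coded user check found."""
    findings = []
    in_case = False
    for line_no, raw in enumerate(source.splitlines(), 1):
        code = _strip_comment(raw)
        if not code.strip():
            continue
        for rx in (_CMP_LEFT, _CMP_RIGHT):
            for m in rx.finditer(code):
                findings.append((line_no, m.group(1), code.strip()))
        if _CASE_OPEN.match(code):
            in_case = True
        elif _CASE_END.match(code):
            in_case = False
        elif in_case:
            m = _CASE_WHEN.match(code)
            if m:
                findings.append((line_no, m.group(1), code.strip()))
    return findings


def hardcoded_user_names(source):
    """Distinct user names that the source special-cases, sorted."""
    return sorted({user for _, user, _ in find_hardcoded_users(source)})


# Constructed sample report: one user-name backdoor per construct the scanner knows.
SAMPLE_REPORT = """\
REPORT zexport_demo.
* Constructed sample, not taken from any SAP note.
DATA lv_allowed TYPE abap_bool VALUE abap_false.
IF sy-uname = 'DDIC'.
  lv_allowed = abap_true.   " hidden bypass: no authority check at all
ELSE.
  AUTHORITY-CHECK OBJECT 'S_ADMI_FCD' ID 'S_ADMI_FCD' FIELD 'NADM'.
  IF sy-subrc = 0. lv_allowed = abap_true. ENDIF.
ENDIF.
CHECK 'SAPSUPPORT' <> sy-uname.
* IF sy-uname = 'OLDUSER'. commented out, must not be flagged
CASE sy-uname.
  WHEN 'ZBATCH'.
    PERFORM export_unrestricted.
  WHEN OTHERS.
    PERFORM export_with_checks.
ENDCASE.
"""

if __name__ == "__main__":
    for line_no, user, stmt in find_hardcoded_users(SAMPLE_REPORT):
        print("line %2d: user %-12s %s" % (line_no, user, stmt))
```

Every hit needs a human look, since a comparison against SY-UNAME is occasionally legitimate (a self-service check such as "only the owner may edit"), but a hit that guards a branch with no AUTHORITY-CHECK, as on line 4 of the sample, is exactly the class of issue these notes remove.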

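The three CVSS vectors quoted earlier in this post can be checked by hand, and the same arithmetic is what we use for notes SAP ships without a score. The following is an added example (not Onapsis or SAP code): a CVSS v2 base-score calculator that reproduces the 9.0, 8.3 and 7.5 above from their vectors. The metric weights and equation are those of the CVSS v2 specification; the severity bands are NVD's; the note-to-vector table only repeats what is quoted in the text.

```python
"""CVSS v2 base-score calculator, applied to the vectors quoted in this post.

Added example for this post, not Onapsis or SAP code. Metric weights and the
equation are from the CVSS v2 specification; the note-to-vector table below
repeats the three vectors quoted in the text.
"""
import math
import re

_AV = {"L": 0.395, "A": 0.646, "N": 1.0}       # Access Vector
_AC = {"H": 0.35, "M": 0.61, "L": 0.71}        # Access Complexity
_AU = {"M": 0.45, "S": 0.56, "N": 0.704}       # Authentication
_CIA = {"N": 0.0, "P": 0.275, "C": 0.660}      # Confidentiality / Integrity / Availability impact

# Accepts both the spec's "Au:" spelling and the "AU:" spelling used in this post.
_VECTOR_RE = re.compile(
    r"^AV:([LAN])/AC:([HML])/AU:([MSN])/C:([NPC])/I:([NPC])/A:([NPC])$", re.I)


def parse_vector(vector):
    """Split a CVSS v2 base vector into its six metrics; reject anything else."""
    m = _VECTOR_RE.match(vector.strip())
    if not m:
        raise ValueError("not a CVSS v2 base vector: %r" % vector)
    av, ac, au, c, i, a = (g.upper() for g in m.groups())
    return {"AV": av, "AC": ac, "AU": au, "C": c, "I": i, "A": a}


def _round1(x):
    """round_to_1_decimal from the spec: half up, not Python's banker's rounding."""
    return math.floor(x * 10 + 0.5) / 10


def base_score(vector):
    """CVSS v2 base score for a vector string, e.g. 'AV:N/AC:L/AU:S/C:C/I:C/A:C' -> 9.0."""
    v = parse_vector(vector)
    impact = 10.41 * (1 - (1 - _CIA[v["C"]]) * (1 - _CIA[v["I"]]) * (1 - _CIA[v["A"]]))
    exploitability = 20 * _AV[v["AV"]] * _AC[v["AC"]] * _AU[v["AU"]]
    f_impact = 0.0 if impact == 0 else 1.176   # a vector with no impact scores 0
    return _round1((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact)


def severity(score):
    """NVD's CVSS v2 severity bands."""
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


# Vectors quoted in the post (the Hot News note plus the two high-priority notes).
NOTE_VECTORS = {
    "1963100": "AV:N/AC:L/AU:S/C:C/I:C/A:C",
    "1905408": "AV:N/AC:M/AU:N/C:P/I:P/A:C",
    "1846438": "AV:N/AC:L/AU:N/C:P/I:P/A:P",
}


def rank_notes(note_vectors):
    """Return [(note, score, severity)] ordered by descending base score."""
    ranked = []
    for note, vector in note_vectors.items():
        score = base_score(vector)
        ranked.append((note, score, severity(score)))
    return sorted(ranked, key=lambda t: t[1], reverse=True)


if __name__ == "__main__":
    for note, score, sev in rank_notes(NOTE_VECTORS):
        print(note, score, sev)
```

The rounding helper matters: Python's round() rounds half to even, while the CVSS v2 equation rounds half up, and the two disagree on exactly the borderline values that decide whether a note lands on one side of a priority threshold or the other.
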
  Written by Nahuel D. Sanchez and Emiliano Jose Fausto
