Analyzing SAP Security Notes July 2014 Edition
SAP is a complex and ever-changing system, whether because of changes introduced to your SAP implementation to better suit your business or because of Security Notes (patches) applied to ensure that newly disclosed vulnerabilities are mitigated. In order to provide a predictable and scheduled flow of vulnerability mitigation and security patches, SAP releases its latest Security Notes information on the second Tuesday of every month. Because this regular disclosure of new security issues could weaken the security of the SAP systems within an organization, it is highly recommended to carry out periodic assessments at least on a monthly basis. At Onapsis we are concerned not only about our clients' SAP systems' security but about the state of SAP security in general, so, to assist SAP's customers, we perform a detailed analysis of the monthly SAP Security Notes as soon as they are published. The goal of this effort is to provide SAP clients with detailed information about the newly released notes and the vulnerabilities affecting their SAP systems, and to help guide their testing of these systems within their organization.
14 Security Notes were published by SAP (Patch Day and Support Package Notes) this month. The box-plot graph illustrates the distribution of CVSS scores across the Security Notes released by SAP. Compared to previous months, the 14 Security Notes published in July is a small number. The CVSS score median was near 4.45, with a single outlier with a CVSS score of 8.8. Regardless of the criticality of each note, at Onapsis Research Labs we have analyzed the technical impact of all the published notes.
SAP Security Note with Highest CVSS
One of the most critical SAP Security Notes to apply this month is 2036562, with a CVSS score of 8.8 (AV:N/AC:M/AU:N/C:N/I:C/A:C). This note patches a SQL Injection vulnerability in Afaria (a Mobile Device Management product from SAP). An attacker could abuse this vulnerability by using specially crafted inputs to execute database commands, which could lead to persistent data modification.
Security Notes with High Priority
- Note 2028891, with a CVSS of 6.8 (AV:N/AC:M/AU:N/C:P/I:P/A:P), fixes a vulnerability that could let an attacker take control of the Sybase ESP Studio 5.1 application.
- Note 2032811 fixes a vulnerability that allows an attacker to read arbitrary files on the remote server, exposing confidential information or allowing data corruption or alteration of the system's behavior.
- The Production Operation Dashboards (POD) application has a vulnerability addressed in Security Note 1987927, with a CVSS of 4.6 (AV:L/AC:L/AU:N/C:P/I:P/A:P). This note fixes the possibility of a user staying logged in even after clicking the logout link (this only applies if POD is opened through a standalone URL).
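When triaging a month's notes, it helps to recompute the CVSS v2 base scores from the vectors SAP quotes rather than trusting the numbers blindly. The following is an added Python example (not Onapsis or SAP code) that implements the published CVSS v2 base equation and checks it against the three vectors and scores quoted above; the note numbers and vectors come from this page, the prioritisation helper is an assumption of ours.

```python
"""CVSS v2 base-score calculator, checked against the vectors quoted in this post."""
import math

# Metric weights from the CVSS v2 base equation.
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}
IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}

# Note numbers and vectors as quoted on this page (Afaria, Sybase ESP Studio, POD).
NOTES = {
    "2036562": "AV:N/AC:M/AU:N/C:N/I:C/A:C",
    "2028891": "AV:N/AC:M/AU:N/C:P/I:P/A:P",
    "1987927": "AV:L/AC:L/AU:N/C:P/I:P/A:P",
}


def parse_vector(vector: str) -> dict:
    """Turn 'AV:N/AC:M/AU:N/C:N/I:C/A:C' into a metric map, rejecting malformed input."""
    parts = [p.split(":") for p in vector.strip("()").split("/")]
    if any(len(p) != 2 for p in parts):
        raise ValueError(f"malformed CVSS v2 vector: {vector}")
    metrics = {k.upper(): v.upper() for k, v in parts}
    if set(metrics) != {"AV", "AC", "AU", "C", "I", "A"}:
        raise ValueError(f"unexpected metrics in CVSS v2 vector: {vector}")
    return metrics


def base_score(vector: str) -> float:
    """CVSS v2 base score: 0.6*Impact + 0.4*Exploitability - 1.5, scaled by f(Impact)."""
    m = parse_vector(vector)
    impact = 10.41 * (1 - (1 - IMPACT[m["C"]]) * (1 - IMPACT[m["I"]]) * (1 - IMPACT[m["A"]]))
    exploitability = 20 * ACCESS_VECTOR[m["AV"]] * ACCESS_COMPLEXITY[m["AC"]] * AUTHENTICATION[m["AU"]]
    f_impact = 0 if impact == 0 else 1.176  # a vector with no impact scores 0.0
    raw = (0.6 * impact + 0.4 * exploitability - 1.5) * f_impact
    return math.floor(raw * 10 + 0.5) / 10  # round half up to one decimal, as the spec does


def prioritize(notes: dict) -> list:
    """Hypothetical helper: order notes by base score, highest first, for patch planning."""
    return sorted(((n, base_score(v)) for n, v in notes.items()), key=lambda t: -t[1])


if __name__ == "__main__":
    for note, score in prioritize(NOTES):
        print(note, NOTES[note], score)
```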
Additional Technical Information
- Information Disclosure vulnerabilities [1985445, 1867507]
- Update to older security notes [2017050, 2026132]
- Cross-site scripting [1998770, 1988956, 1962104 (Stored)]
- Cross-site request forgery 
Other attack vectors
- 2028916 - Flaw in SMP Android Object API libraries
- 2028012 - Vulnerability in Afaria mobile device app when registering a device
Each month Onapsis updates our flagship product Onapsis X1 to allow you to check whether your systems are up to date with these latest SAP Security Notes as well as ensuring those systems are configured with the appropriate level of security to meet your audit and compliance requirements. Stay tuned for next month’s Security Notes analysis from Onapsis Research Labs.