Analyzing SAP Security Notes March 2015 Edition
SAP is a complex and ever-changing system, whether because of changes introduced to your SAP implementation to better suit your business, or through the application of Security Notes (patches) to ensure that newly disclosed vulnerabilities are mitigated. In order to provide a predictable and scheduled flow of vulnerability mitigation information and security patches, SAP releases most of its Security Notes on the second Tuesday of every month. Because this regular disclosure of new security issues can weaken the security of SAP systems within an organization, it is highly recommended to carry out periodic assessments at least monthly. At Onapsis we are very concerned about our clients' SAP system security and about the state of SAP security in general. To assist our customers, we perform a detailed analysis of the monthly SAP Security Notes as soon as they are published. The goal is to provide SAP clients with detailed information about the newly released notes and the vulnerabilities affecting their SAP systems, and to help guide their testing of these systems within their organization.
Between the last SAP Security Tuesday and today, SAP published 21 Security Notes (3 Support Package Notes and 18 Patch Day Notes). Some of these were reported by external security researchers; among them, Onapsis Research Labs reported SAP Security Note 2122391 (by Sergio Abraham). The graph illustrates the distribution of CVSS scores across the released Security Notes; only the notes for which SAP set a CVSS score were taken into account (16 out of the 21). As the graph shows, the CVSS scores range from 3.5 to 6.8 with a median of 5.0.
Hot News from SAP
There were no Hot News items published by SAP AG this month.
SAP Security Notes with higher CVSS score provided by SAP
- 2115027; 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P). This note fixes a cross-site request forgery (XSRF) in Afaria. An attacker could trick an authenticated user's browser into making a request to a specific URL on the Afaria Server with certain parameters, which the server would execute with the rights of the authenticated victim. SAP strongly recommends that customers apply Afaria 7 SP5 Hotfix 07.
- 2108161; 6.3 (AV:N/AC:M/Au:S/C:N/I:N/A:C). This note fixes a potential Denial of Service in SQL Anywhere database server.
- 2134905; 6.0 (AV:N/AC:M/Au:S/C:P/I:P/A:P). This note corrects a vulnerability in XcListener (Afaria Client Listener process), which wasn't properly authorizing requests before launching the client.
- 1928951; 6.0 (AV:N/AC:M/Au:S/C:P/I:P/A:P). This note fixes a SQL injection vulnerability affecting the system database. The vulnerability was discovered in a function of the "BC-SRV-UKM Unified Key Mapping" component.
- 2079002; 5.8 (AV:N/AC:M/Au:N/C:N/I:P/A:P). This note fixes a reflected cross-site scripting (XSS) vulnerability in the JAVA Logon Application. This XSS could be used by an attacker to temporarily deface or modify the application content, and potentially to obtain authentication information from a legitimate user.
- 2111939; 5.5 (AV:N/AC:L/Au:S/C:P/I:N/A:P). This note fixes an XML External Entity (XXE) vulnerability in the SAP component "EP-PIN-PCD-ROL-UPL Role upload from ERP to Portal". This vulnerability would allow an attacker to cause a Denial of Service (DoS) in the XML parser, or to disclose local information from the server or even from network resources to which the parsing system has access.
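The scores above are quoted from SAP, but a practitioner triaging notes usually wants to recompute them from the vector string and rank the notes before patching. The following is an added example (not Onapsis's or SAP's code) that does this: the metric weights are the CVSS v2.0 specification constants, and the note ids, vectors and published scores are the ones listed on this page.

```python
import math
import re

# CVSS v2.0 base metric weights (constants from the CVSS v2 specification).
AV = {"L": 0.395, "A": 0.646, "N": 1.0}
AC = {"H": 0.35, "M": 0.61, "L": 0.71}
AU = {"M": 0.45, "S": 0.56, "N": 0.704}
CIA = {"N": 0.0, "P": 0.275, "C": 0.660}
VECTOR_RE = re.compile(r"^AV:([LAN])/AC:([HML])/Au:([MSN])/C:([NPC])/I:([NPC])/A:([NPC])$")

def parse_vector(vector):
    """Split a CVSS v2 base vector into its six metrics; reject anything malformed."""
    m = VECTOR_RE.match(vector.strip())
    if not m:
        raise ValueError(f"not a CVSS v2 base vector: {vector!r}")
    return dict(zip(("AV", "AC", "Au", "C", "I", "A"), m.groups()))

def round1(x):
    """round_to_1_decimal as CVSS v2 defines it (half up, not Python's banker's rounding)."""
    return math.floor(x * 10 + 0.5) / 10

def cvss2_base_score(vector):
    """Compute the CVSS v2 base score from a base vector string."""
    v = parse_vector(vector)
    impact = 10.41 * (1 - (1 - CIA[v["C"]]) * (1 - CIA[v["I"]]) * (1 - CIA[v["A"]]))
    exploitability = 20 * AV[v["AV"]] * AC[v["AC"]] * AU[v["Au"]]
    f_impact = 0 if impact == 0 else 1.176
    return round1((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact)

# Notes, vectors and SAP-published scores as listed in this month's analysis.
NOTES = [
    ("2115027", "AV:N/AC:M/Au:N/C:P/I:P/A:P", 6.8),
    ("2108161", "AV:N/AC:M/Au:S/C:N/I:N/A:C", 6.3),
    ("2134905", "AV:N/AC:M/Au:S/C:P/I:P/A:P", 6.0),
    ("1928951", "AV:N/AC:M/Au:S/C:P/I:P/A:P", 6.0),
    ("2079002", "AV:N/AC:M/Au:N/C:N/I:P/A:P", 5.8),
    ("2111939", "AV:N/AC:L/Au:S/C:P/I:N/A:P", 5.5),
]

def check_notes(notes):
    """Return (note ids whose recomputed score disagrees with the published one,
    note ids in patch-priority order: highest score first, then remote and
    unauthenticated vectors ahead of the rest within the same score)."""
    mismatches = [n for n, vec, score in notes if cvss2_base_score(vec) != score]
    def key(item):
        v = parse_vector(item[1])
        return (-item[2], v["AV"] != "N", v["Au"] != "N")
    return mismatches, [n for n, _, _ in sorted(notes, key=key)]
```

Running `check_notes(NOTES)` reproduces every SAP score on this page with no mismatches and puts the unauthenticated network-reachable XSRF in Afaria (2115027) first.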
Other corrections with High Priority (no CVSS provided by SAP)
- 2129892; This note fixes a buffer overflow vulnerability. An attacker can abuse the component "PA-PAO HR Renewal (Personal & Organisation)" to cause a Denial of Service in the component, or even to inject code into its working memory, which would then be executed by the application.
- 1679198; This note fixes a vulnerability in the component "FS-BA-IF-ERS Extraction & Reporting Services", which could allow an attacker to execute arbitrary code in the application. The vulnerability can potentially lead to control of the system's behaviour or to privilege escalation.
- 1823920; This note fixes a read-only directory traversal in "CA-DMS Document management", which could disclose the contents of local files on the remote system.
Other attack vectors
- Missing authority checks: Notes 1944155, 2118946
- Reflected cross-site scripting (XSS): Notes 2114268, 2110556, 2098677
- XML External Entity (XXE) Processing: Note 2125513
- Information disclosure: Notes 2121869, 2091768
- Buffer overflow: Note 2132584
- Cross Application Scripting (XAS): Note 2116121
- RFC Destination - Reused stored credentials: Note 1640531
- SAP Netweaver SAL - RFC Function logging: Note 2122391
Each month Onapsis updates our solutions so that you can check whether your systems are up to date with the latest SAP Security Notes, and to help you ensure that systems are configured properly to meet your audit and compliance requirements. Stay tuned for next month's Security Notes analysis from Onapsis Research Labs. If you aren't already doing so, be sure to follow @Onapsis on Twitter to stay up to date on the latest research, events, and information.