Analyzing SAP Security Notes May 2015 Edition

SAP is a complex and ever changing system, whether because of changes introduced to your SAP implementation to better suit your business or through the application of Security Notes (Patches) to ensure that newly disclosed vulnerabilities are mitigated.

In order to provide a predictable and scheduled flow of vulnerability mitigation information and security patches, SAP releases the major part of their latest Security Notes information on the second Tuesday of every month. Due to this regular disclosure of new security issues that could potentially weaken the security of SAP systems within an organization, it’s highly recommended to carry out periodic assessments on a monthly basis at least.

At Onapsis we are very concerned about our client’s SAP system security and also the state of SAP security in general. In order to assist our customers, we perform a detailed analysis of the monthly SAP Security Notes as soon as they are published. The goal of this is to provide SAP clients with detailed information about the newly released notes and vulnerabilities affecting their SAP systems and help guide their testing of these systems within their organization.


Between the last published SAP Security Tuesday and today, there were several SAP Security notes, summing a total of 59 published by SAP AG (taking into account 30 Support Packages and 29 Patch Day Notes). External reported advisories come from 4 Onapsis researchers (Juan Perez-Etchegoyen, Nahuel D. Sánchez, Pablo Artuso & Will Vandevanter) as well as 5 other external security analysts. SAP Security Notes reported by Onapsis were 2001108, 2121461, 2153765, 2153892, 2153898 and 2154165, affecting BI-BIP, SAPConsole and SAP HANA.

The plot graph illustrates the distribution of CVSS scores across the Security Notes released. The only notes taken into account to build it, were the ones to which SAP set a CVSS (23 out of the 59 SAP Security Notes). As it's represented in the graph, the SAP Security Notes values range from 2.6 to 8.5 with a median of 5.9.

Hot News from SAP

There was one major news story this month, affecting the SAP Adaptive Server Enterprise (aka SAP ASE). This security bug, let an attacker log on to an SAP ASE without proper authorization and obtain information about the server itself.

The vulnerability has been fixed in versions: - SAP ASE 16.0 SP01 - SAP ASE 15.7 SP132 - SAP ASE Cluster Edition 15.7 SP132

SAP Security Notes with higher CVSS score provided by SAP

  • 2155153; 8.5 (AV:N/AC:M/Au:S/C:C/I:C/A:C). This vulnerability may allow an attacker to execute arbitrary code through JAVA in SAP ASE, potentially taking complete control of the product.
  • 2152278; 8.5 (AV:N/AC:M/Au:S/C:C/I:C/A:C). The fix, prevents a SQL Injection vulnerability in SAP ASE that could let the attacker elevate privileges in the system. Also fixes a vulnerability with which an attacker may discover information relating to the machine on which the SAP ASE application is running.
  • 2127995; 8.3 (AV:N/AC:M/Au:N/C:P/I:P/A:C). The fix addresses a vulnerability in the SAP Content Server. There was a memory corruption security bug, which could be abused by a non authenticated user to terminate running processes in the application.
  • 2124806; 8.3 (AV:N/AC:M/Au:N/C:P/I:P/A:C). The fix addresses a vulnerability in the SAP GUI for Windows. There was a memory corruption vulnerability, which could be abused by a non authenticated user to terminate the SAP GUI by making it read outside its memory space.
  • 2121661; 8.3 (AV:N/AC:M/Au:N/C:P/I:P/A:C). The note fixes a vulnerability in the SAP ABAP and JAVA Server. The vulnerability let an attacker to make the application to read outside its memory space, causing a memory protection fault. This will end in the termination of the running processes affected.
  • 2153690; 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C). This note fixes multiple vulnerabilities in SAP Afaria Server. The most critical are a Denial of Service (DoS) in the Afaria server, which could be exploted as a non authenticated user; and a Buffer overflow vulnerability present at some landscape configurations of SAP Afaria that utilize XComms for client to server communications.
  • 2155690; 7.1 (AV:N/AC:M/Au:N/C:N/I:N/A:C). This note addresses a missing authentication check in certain landscape configuration of SAP Afaria SP5.
  • 2122840; 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P). This note fixes an error during the user verification, when the Logon Control was used. The affected application was the Windows SAP GUI.
  • 1980992; 6.6 (AV:L/AC:M/Au:S/C:C/I:C/A:C). There was a TOCTTOU (Time of check to time of use) vulnerability in the SAP Host Agent, which could let an authenticated user to escalate to root privileges in the system.
  • 2153892; 6.0 (AV:N/AC:M/Au:S/C:P/I:P/A:P). This note fixes a vulnerability in the SAP HANA Web-based Development Workbench, which could let an attacker to use specially crafted inputs to modify database commands; thus, retrieving or modifying data from the system.
  • 2085588; 6.0 (AV:N/AC:M/Au:S/C:P/I:P/A:P). This note fixes a bug in SAP Service Data Download component, which could let an authenticated user to execute arbitrary operating system commands on the SAP server. Thus, taking control of the SAP system.
  • 2125316; 5.9 (AV:L/AC:M/Au:N/C:P/I:P/A:C). The fix addresses a vulnerability in the SAPCAR application. There was a memory corruption vulnerability, which could be abused by a non authenticated attacker to terminate the SAPCAR by provoking a condition that will make SAPCAR to read outside its memory space and cause a memory protection fault.
  • 2001108; 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P). This note fixes a security issue in the BI Platform, that could lead to a condition in which the process tryes to read outside its memory space. If a memory protection fault is present, the system could terminate this process; thus the application will be unusable till it's started again.

Other corrections with High Priority (no CVSS provided by SAP)

  • 2052677; This note fixes mainly a vulnerability, which would allow an attacker to execute arbitrary code. Thus, the attacker may take complete control of the system. Also, this note addresses 2 missing authentication checking in RFC functions related to component Computer Aided Test Tool.
  • 2153898; The note fixes a SQL Injection in the HANA Web-based Development Workbench, letting an attacker modify database commands. Also, this note fixes a Persisted Cross Site Scripting which could let an attacker to modify application content and pursue it without authorization.
  • 2153765; This note fixes a vulnerability in the SAP HANA Web-based Development Workbench, which could let an attacker to use specially crafted inputs to modify database commands.
  • 2138270; There was a missing authorization check vulnerability in the SAP Business Workflow. This note fixes it, thus preventing an authenticated user to access functions from SAP Business Workflow to which access should be restricted.
  • 2137784; This note fixes a vulnerability in the module GRC Audit Management, which didn't contain proper authorization checkings. This could let an user to access some functions to which access shouldn't be allowed.

Other attack vectors

  • Missing authority checks: Notes 2030377, 2029397, 2105634, 2131334, 2053788, 2053197, 2043447, 2138270, 2138219, 2138031, 2105620, 2105633, 2058351, 2053043, 2066851, 2143329, 2122022, 2118500, 2140238, 2067630
  • Cross-site scripting (XSS):
    • Reflected: Notes 2131065, 2131064, 2131062, 2131081, 2130467
    • Persisted: Note 2132305
  • SQL Injection (SQLi): Notes 2150625, 2153625
  • Directory Traversal: Notes 1783772, 1793635
  • Information disclosure: Note 2055083, 1985340, 2121461
  • Untrusted XML input parsing: Note 2090851

Security Enhancements

  • Update to security notes: Note 2166849
  • Better information detail: Note 2067259
  • New authorization check for RFC: Notes 2066943, 2152230, 2072357
  • RFC maintaining access control improvements: Note 2078596

Each month Onapsis updates our solutions to allow you to check if your systems are up to date with the latest SAP Security Notes, and to help you ensure that your systems are configured properly in order to meet your audit and compliance requirements. Stay tuned for next month’s Security Notes analysis from Onapsis Research Labs. If you aren’t already doing so, be sure to follow @Onapsis on twitter to stay up to date on the latest research, events, and information.

Subscribe to our monthly newsletter, the Defender's Digest!