Analyzing SAP Security Notes November 2015
SAP is a complex and ever-changing system, whether because of changes introduced to your SAP implementation to better suit your business, or through the application of Security Notes (patches) to ensure that newly disclosed vulnerabilities are mitigated.
In order to provide a predictable and scheduled flow of vulnerability mitigation information and security patches, SAP releases most of its Security Notes on the second Tuesday of every month (SAP Security Patch Day). Because each of these regular disclosures describes issues that weaken the security of an organization's SAP systems until they are patched, it is highly recommended to carry out assessments on a monthly basis.
At Onapsis we are very concerned about our clients' SAP system security, as well as the state of SAP security in general. To assist our customers, we perform a detailed analysis of the monthly SAP Security Notes as soon as they are published. The goal is to give SAP customers detailed information about the newly released notes and the vulnerabilities affecting their SAP systems, and to help guide the testing of those systems within their organization.
From the last SAP Security Tuesday to today, SAP published 23 SAP Security Notes (8 Support Package Notes and 15 Patch Day Notes). This month, Onapsis Research Labs researchers were acknowledged by SAP for reporting a cryptographic weakness in the CommonCryptoLib library. The researchers credited were:
- Fernando Russ
- Pablo Artuso
- Sergio Abraham
The plot illustrates the distribution of CVSS scores across the released Security Notes. Only the notes to which SAP assigned a CVSS score were taken into account (7 of the 23 SAP Security Notes). As represented in the graph, the scores range from 2.1 to 7.1, with a median of 5.0.
Hot News from SAP
- 2235515 - Insufficient logging in SNOTE. The log of the SAP Note Assistant did not record the RFC destination used; after applying this note, that information is written to the log.
- 2235514 - Standard RFC destination for note download can be overridden. This note fixes a security issue in the SCWN_NOTE_DOWNLOAD program: the RFC destination used for the download could be overridden through an entry in an internal SAP table, so an attacker able to set that entry could make the program download a file of their choosing instead of the intended one.
- 2235513 - External RFC callback to customer systems in SNOTE. The function SCWN_NOTE_DOWNLOAD allowed the server side of the connection to execute an RFC function (one of those enabled for RFC callback) in the client system that initiated the connection. This note fixes that vulnerability.
- 2235412 - Security Vulnerabilities in SAP Download Manager. This note fixes multiple security bugs in the SAP Download Manager application: improper certificate validation, insecure network communication, and improper validation of the file type and of the location to which the file is downloaded.
- 2233617 - Security Vulnerabilities in SAP Download Manager. This note fixes communication vulnerabilities that could allow an attacker to execute man-in-the-middle attacks.
SAP Security Notes with higher CVSS scores provided by SAP
- 2238619 - 7.1 (AV:N/AC:M/Au:N/C:N/I:N/A:C) - This note fixes a potential memory corruption in the SAP Plant Connectivity component. By exploiting this vulnerability, an unauthenticated attacker could cause the process to read outside of its memory bounds, upon which the operating system terminates the application process. The application stays down until it is restarted manually.
- 2197100 - 7.1 (AV:N/AC:H/Au:S/C:C/I:C/A:C) - This note fixes a security bug in the component Automation Content for ABAP-based Technical Configuration. If exploited, an authenticated attacker could execute OS commands by calling a specific function module via transaction SM37.
- 2221082 - 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P) - This note addresses a security problem found in the WEBCUIF and CRMUIF components. Through these vulnerabilities, an attacker could make a victim's browser navigate to specific URLs, which WEBCUIF and CRMUIF would then process with the rights of the authenticated user.
Other corrections with High Priority (no CVSS provided by SAP)
- 2198580 - This note corrects part of the ABAP syntax to prevent a malicious developer from executing arbitrary program code and taking full control of the system.
- 2043119 - This note fixes a missing authorization check for user exits in Liquidity Planner.
- 1937165 - This note fixes a directory traversal vulnerability in the US bank statement/lockbox component. If exploited, an attacker could write arbitrary files on the remote server.
Other Attack Vectors
- Stored Cross-site Scripting (XSS): Note 1744879
- Code injection: Note 2162829
- Information disclosure: Notes 2001109, 2235795
- Cryptography issues: Notes 2240274, 2223008
- Denial of Service: Notes 2218957, 2218411
- Cross-domain redirection: Note 2193214
- Update to security notes: Notes 2237846, 2120370
Each month Onapsis updates the Onapsis Security Platform (OSP) so that you can check whether your systems are up to date with the latest SAP Security Notes. These updates ensure that systems are configured with the appropriate level of security to meet your audit and compliance requirements.
Stay tuned for next month’s Security Notes analysis from the Onapsis Research Labs.
SAP Security Patch Blog
SAP published its monthly post in its SCN space, "The Official SAP Product Security Response Space," providing information about the SAP Security Notes.
SAP November blog: “SAP Security Patch Day - November 2015”