Analyzing SAP Security Notes October 2014 Edition
SAP is a complex and ever-changing system. Between changes introduced to your SAP implementation to improve your business and the application of Security Notes (patches) to mitigate newly disclosed vulnerabilities, SAP landscapes are constantly evolving. In order to provide a scheduled flow of vulnerability mitigation information and security patches, SAP releases the majority of new Security Notes on the second Tuesday of each month.
Because of this regular disclosure of security alerts warning against potentially harmful issues, it is highly recommended to carry out periodic assessments on a monthly basis (at minimum) to ensure that the existing security of your SAP systems does not become weakened. At Onapsis, we're very concerned about our clients' SAP system security, as well as the state of SAP security in general. In order to best assist our customers, we perform a detailed analysis of the monthly SAP Security Notes as soon as they are published.
The goal of this analysis is to provide SAP clients with comprehensive information about the newly released notes and the vulnerabilities affecting SAP systems, and to help guide the testing of these systems within their organization. This month 34 SAP Security Notes were published by SAP (11 Support Package Notes and 23 Patch Day Notes). Additionally, there were changes in how SAP communicates vulnerabilities reported by external security researchers, as it previously wasn't clear which notes were externally reported. Five of the vulnerabilities fixed this month were discovered by members of the Onapsis Research Labs:
- 2069676 by Will Vandevanter
- 2018682 by Will Vandevanter
- 2018681 by Will Vandevanter
- 2011396 by Will Vandevanter
- 2011395 by Will Vandevanter
The plot below illustrates the distribution of CVSS scores of the Security Notes released in October. The only notes taken into account were the ones for which SAP set a CVSS score (19 out of the 34 SAP Security Notes). As the graph shows, the SAP Security Notes this month have a range of values from 4.3 to 7.5 with a median of 6.4.
Hot News from SAP
There was an important high risk vulnerability making headlines that affects SAP cryptographic libraries used in SAP NetWeaver Application Server ABAP and SAP HANA. SAP AG reported that "[..]an attacker may potentially misuse these cryptographic libraries to spoof Digital Signatures produced in vulnerable systems". More information can be found in our previous blogpost.
SAP Security Notes with higher CVSS score provided by SAP:
- 2043404; 7.5 (AV:N/AC:L/AU:N/C:P/I:P/A:P), updated on Nov 4, 2014 to 9.3 (AV:N/AC:M/AU:N/C:C/I:C/A:C). Fixes an arbitrary command injection in the CRM Internet Sales module. An attacker may introduce code of his/her own and potentially take full control of the SAP system.
- 2067972; 7.5 (AV:N/AC:L/AU:S/C:N/I:P/A:C). Fixes a vulnerability in HANA XS Administration module. An attacker may send a specially crafted input to insert persisted data into the HANA database.
- 2052082; 7.5 (AV:N/AC:L/AU:N/C:P/I:P/A:P). Addresses a problem in SAP Environment, Health, and Safety. There is a directory traversal vulnerability in certain components of the product which could allow an attacker to access information he or she should not be able to view.
- 2042845; 7.1 (AV:N/AC:M/AU:N/C:N/I:N/A:C). Fixes a potential denial of service in the SAP Enqueue Server. The Enqueue Server could be targeted by a remote unauthorized attacker causing the exhaustion of its resources, thus rendering it unavailable.
- 2037492; 7.1 (AV:N/AC:M/AU:N/C:N/I:N/A:C). Fixes a potential denial of service against SAP Router. By exploiting this vulnerability, an attacker could launch specially crafted requests to the Router. This would cause the process to consume excessive resources and become unavailable.
- 1966655; 7.1 (AV:N/AC:M/AU:N/C:N/I:N/A:C). Fixes a potential denial of service in the Internet Communication Manager (ICM). An attacker may send a specially crafted request to exhaust all the ICM resources and potentially render it unavailable.
- 1986725; 7.1 (AV:N/AC:M/AU:N/C:N/I:N/A:C). Fixes a potential denial of service against SAP Start Service and SAP Host Agent. The attacker may send HTTP/S packets that could lead to a resource exhaustion condition of the services, causing a denial of service.
- 2076845; 7.1 (AV:N/AC:M/AU:N/C:N/I:N/A:C). Adds an enhancement for session handling in the Payroll Process.
- 1965819; 6.0 (AV:N/AC:M/AU:S/C:P/I:P/A:P). Fixes a SQL injection in BW-WHM-DBA, which could allow an attacker to view and modify information persisted by the SAP system.
Three other Notes with lower CVSS score, but important to take into account:
- 2018682; 5.0 (AV:N/AC:L/AU:N/C:P/I:N/A:N). Fixes a potential information disclosure in the Business Intelligence Development Workbench. By exploiting this vulnerability, an unauthorized attacker may access information stored in documents to which the attacker should not have access.
- 2011395; 5.0 (AV:N/AC:L/AU:N/C:P/I:N/A:N). Fixes a potential information disclosure of audit event details in the component BI-BIP-ADM (User & Server configuration, InfoView refresh, user rights).
- 2069676; 4.3 (AV:N/AC:M/AU:N/C:N/I:P/A:N). Addresses a reflected cross-site scripting (XSS) vulnerability in a component of the SAP HANA Web-based Development Workbench, which could allow an unauthorized user to modify the content displayed by SAP HANA.
Other corrections with High Priority (no CVSS provided by SAP):
- 1872638 and 1835691; Both notes fix code injection vulnerabilities in the component CRM-MKT-MPL-TPM-PPG Promotion Guidelines. These could allow an attacker to execute arbitrary code on the system.
- 1810405; Fixes a SQL injection in the component EHS-SAF Product Safety that could lead to persisted changes of data. An attacker could potentially exploit the vulnerability by sending specially crafted inputs and thereby modify data in the system.
- 1936898; Addresses vulnerabilities in the CRM Mobile Client. One of them could allow malicious files to be uploaded through the mobile client application which are then saved inside the central database of the component, and are accessible to the rest of the Mobile Clients connected to the system.
- 2022179; Fixes a problem in the SAP Contract Accounting component which could allow an attacker to insert specially crafted SQL queries modifying the database or retrieving information to which access should be restricted.
Other attack vectors:
- Missing Authority Check: Notes 2018681, 2054616, 2011396, 2050329, 2027997, 2057196, 2080679, 2080283, 2079818
- Command Injection: Note 1906212
- Missing authority checks: Note 1986396
- Reflected Cross Site Scripting (XSS): Note 2010153
- Information disclosure: Notes 2049141, 1707816
- Security Note update: Note 2045176
- Security Improvement in RFC CallBack: Note 1686632
Each month Onapsis updates our leading security solutions, the Onapsis Security Platform and Onapsis X1, so you can be sure that your systems are up to date with the latest SAP Security Notes and are configured with the appropriate level of security to meet your audit and compliance requirements. Stay tuned for next month's Security Notes analysis from Onapsis Research Labs by checking back on our blog or following us on Twitter at @Onapsis.