Analyzing SAP Security Notes October 2015

SAP is a complex and ever-changing system, whether because of changes introduced to your SAP implementation to better suit your business, or through the application of Security Notes (patches) to ensure that newly disclosed vulnerabilities are mitigated.

In order to provide a predictable and scheduled flow of vulnerability mitigation information and security patches, SAP releases the major part of their latest Security Notes information on the second Tuesday of every month. Due to this regular disclosure of new security issues that could potentially weaken the security of SAP systems within an organization, it’s highly recommended to carry out periodic assessments on a monthly basis.

At Onapsis we are very concerned about our clients' SAP system security, as well as the state of SAP security in general. To assist our customers, we perform a detailed analysis of the monthly SAP Security Notes as soon as they are published. The goal is to provide SAP clients with detailed information about the newly released notes and the vulnerabilities affecting their SAP systems, and to help guide the testing of these systems within their organization.

Between the last SAP Security Tuesday and today, 29 SAP Security Notes were published by SAP AG (9 Support Package Notes and 20 Patch Day Notes). This month, several members of the Onapsis Research Labs were mentioned on the SAP Acknowledgments to Security Researchers page:

  • Alejandro Burzyn
  • Fernando Russ
  • Jordan Santarsieri
  • Juan Perez-Etchegoyen
  • Nahuel D. Sánchez
  • Pablo Artuso
  • Pablo Muller
  • Sergio Abraham

This notable acknowledgement is due to several SAP Security Notes released this month which are related to advisories previously reported by Onapsis. These include:

  • 2197428 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C) - Potential remote code execution in HANA
  • 2203591 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C) - TREX/BWA installation can be attacked via RFC-Gateway. This note provides guidelines to securely configure the SAP Gateway in order to prevent an attacker from abusing it to reach the TREX server through it.
  • 2149706 5.5 (AV:N/AC:L/Au:N/C:P/I:N/A:N) - Potential information disclosure relating to NW AS Java.
  • 2197459 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N) - Potential log injection vulnerability in SAP HANA audit log.
  • 2170806 4.4 (AV:L/AC:M/Au:N/C:P/I:P/A:P) - DataVault password retry count resets incorrectly.
  • 2216869 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N) - Security improvement of HANA authentication.
  • 2074276 1.5 (AV:L/AC:M/Au:S/C:P/I:N/A:N) - Potential information disclosure relating to user logon data that is used in SAP Download Manager.

The plot graph illustrates the distribution of CVSS scores across the released Security Notes. Only the notes for which SAP assigned a CVSS score were taken into account (18 out of the 29 SAP Security Notes). As shown in the graph, the scores of the SAP Security Notes range from 1.5 to 9.3, with a median of 4.35.
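The CVSS v2 vectors quoted throughout this post can be turned back into base scores, which is a quick sanity check when triaging a batch of notes: the score a vendor publishes should agree with the vector it publishes, and a disagreement usually means a transcription error in one of the two. The calculator below is an added example written for this article, not Onapsis or SAP code. It implements the CVSS v2.0 base equation with the metric weights from the FIRST specification, and the note list at the bottom is constructed from the ids, scores and vectors printed in this post. Run over that list, the check flags exactly one note, 2149706, whose printed score of 5.5 does not match the 5.0 that its printed vector yields.

```python
"""CVSS v2 base-score calculator and published-score consistency check.

Added example (not Onapsis or SAP code). The weights below are the CVSS v2.0
base-metric values from the FIRST specification; the note list is constructed
from the ids, scores and vectors printed in the October 2015 post.
"""
import math

# CVSS v2.0 base-metric weights (FIRST specification).
_ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}
_ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}
_AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}
_IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}

_BASE_METRICS = {
    "AV": _ACCESS_VECTOR,
    "AC": _ACCESS_COMPLEXITY,
    "Au": _AUTHENTICATION,
    "C": _IMPACT,
    "I": _IMPACT,
    "A": _IMPACT,
}


def parse_cvss2_vector(vector):
    """Split 'AV:N/AC:M/Au:N/C:C/I:C/A:C' into a dict, rejecting anything malformed."""
    metrics = {}
    for part in vector.strip().strip("()").split("/"):
        if ":" not in part:
            raise ValueError("malformed metric %r in vector %r" % (part, vector))
        name, value = part.split(":", 1)
        metrics[name] = value
    if set(metrics) != set(_BASE_METRICS):
        raise ValueError("vector %r must contain exactly the six base metrics" % vector)
    for name, table in _BASE_METRICS.items():
        if metrics[name] not in table:
            raise ValueError("metric %s has unknown value %r" % (name, metrics[name]))
    return metrics


def _round_to_one_decimal(x):
    # CVSS v2 rounds half up to one decimal; avoid Python's round-half-to-even.
    return math.floor(x * 10 + 0.5) / 10


def cvss2_base_score(vector):
    """Return the CVSS v2 base score for a vector string such as 'AV:N/AC:M/Au:N/C:C/I:C/A:C'."""
    m = parse_cvss2_vector(vector)
    impact = 10.41 * (1 - (1 - _IMPACT[m["C"]]) * (1 - _IMPACT[m["I"]]) * (1 - _IMPACT[m["A"]]))
    exploitability = 20 * _ACCESS_VECTOR[m["AV"]] * _ACCESS_COMPLEXITY[m["AC"]] * _AUTHENTICATION[m["Au"]]
    f_impact = 0.0 if impact == 0 else 1.176
    return _round_to_one_decimal((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact)


def check_published_scores(notes):
    """Return (note_id, published, computed) for every note whose published score
    disagrees with the score recomputed from its vector."""
    mismatches = []
    for note_id, published, vector in notes:
        computed = cvss2_base_score(vector)
        if abs(computed - published) > 1e-9:
            mismatches.append((note_id, published, computed))
    return mismatches


# Constructed from the note ids, scores and vectors printed in this post.
OCTOBER_2015_NOTES = [
    ("2197428", 9.3, "AV:N/AC:M/Au:N/C:C/I:C/A:C"),
    ("2037304", 8.5, "AV:N/AC:M/Au:S/C:C/I:C/A:C"),
    ("2203591", 7.6, "AV:N/AC:H/Au:N/C:C/I:C/A:C"),
    ("2179615", 6.8, "AV:N/AC:M/Au:N/C:P/I:P/A:P"),
    ("2149706", 5.5, "AV:N/AC:L/Au:N/C:P/I:N/A:N"),
    ("2197459", 5.0, "AV:N/AC:L/Au:N/C:N/I:P/A:N"),
    ("2170806", 4.4, "AV:L/AC:M/Au:N/C:P/I:P/A:P"),
    ("2216869", 4.3, "AV:N/AC:M/Au:N/C:P/I:N/A:N"),
    ("2074276", 1.5, "AV:L/AC:M/Au:S/C:P/I:N/A:N"),
]

if __name__ == "__main__":
    for note_id, published, vector in OCTOBER_2015_NOTES:
        print(note_id, vector, "published", published, "computed", cvss2_base_score(vector))
    print("mismatches:", check_published_scores(OCTOBER_2015_NOTES))
```

The rounding helper matters: CVSS v2 specifies rounding to one decimal, and Python's built-in `round` rounds half to even, which can differ by 0.1 from the published score on values that land exactly on a .x5 boundary.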

Hot News from SAP

  • 2197428 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C) - As previously mentioned, this note was reported by Nahuel D. Sánchez, from the Onapsis Research Labs. This security note patches a buffer overflow vulnerability in the SQL interface of SAP HANA Extended Application Services, which could allow an attacker to inject code into the working memory of the application. By injecting code into HANA working memory, the attacker could fully compromise the product, thus being able to view, change or delete data. By injecting code, it could also terminate the running HANA service (causing a Denial of Service).


SAP Security Notes with higher CVSS scoring provided by SAP

  • 2037304 8.5 (AV:N/AC:M/Au:S/C:C/I:C/A:C) - Lack of proper input validation in the SDCC Download Function Module. This note implements a new check on the input parameters of a function related to the SAP Service Data Control Center.
  • 2203591 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C) - TREX/BWA installation can be attacked via RFC-Gateway. This note provides guidelines to securely configure the SAP Gateway in order to prevent an attacker from abusing it to reach the TREX server through it.
  • 2179615 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P) - Potential remote code execution in SAP 3D Visual Enterprise Author, Generator and Viewer. This security note fixes a buffer overflow vulnerability present in SAP 3D Visual Enterprise components, which could allow an attacker to take full control of the product.
  • 2194730 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P) - Multiple vulnerabilities in SAP Mobile Documents Android Client. This note fixes multiple problems in the product. The first was related to the OAuth mechanism, in which SSL errors were not taken into account, so the login continued without any impediment. The second was due to improperly set permissions on FileContentProvider folders, so an attacker could obtain information to which access should have been restricted.
  • 2149706 5.5 (AV:N/AC:L/Au:N/C:P/I:N/A:N) - Potential information disclosure relating to NW AS Java. This note prevents information about host names or SIDs from being leaked through the SLD UI.
  • 2197459 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N) - Potential log injection vulnerability in SAP HANA audit log. This note prevents a malicious user from injecting additional fields into the SAP HANA audit log.


Other corrections with High Priority (no CVSS provided by SAP)

  • 1957910 - Directory traversal in BC-CCM-FIL. One of the functions of the SAP platform-independent file names component did not validate the configured path correctly, allowing a potential attacker to obtain the content of files on the server.
  • 2189853 - SAP Internet Communication Framework fails to validate HTTP_WHITELIST. This note fixes an issue in how the ICF validates an access control list, which was always checked against client "000" regardless of the client the user was logged on to. Additionally, the note fixes an incorrect logout event that was generated for client "000" instead of the client the end user was actually using.
  • 2164133 - Potential remote termination and denial of service in IGS. The note prevents a Denial of Service in the SAP Internet Graphics Server that could arise from several causes: memory corruption that makes the process terminate, parsing a specially crafted request that makes the process consume excessive resources, or making the process read outside its memory space, which causes the operating system to terminate it.
  • 1748129 - Potential modification of persisted data in AP MD BP. The Business Partner component had a SQL injection vulnerability, which an attacker could abuse to modify database commands and thus the data persisted in the system.


Other attack vectors

Each month Onapsis updates the Onapsis Security Platform (OSP) to allow you to check whether your systems are up to date with these latest SAP Security Notes. These updates ensure that systems are configured with the appropriate level of security to meet your audit and compliance requirements.

Stay tuned for next month’s Security Notes analysis from the Onapsis Research Labs.

NOTE:
SAP published their monthly post in their SCN space The Official SAP Product Security Response Space, providing information about the SAP Security Notes.

The link to the October blogpost: SAP Security Patch Day - October 2015.
