Analyzing SAP Security Notes September 2015
SAP is a complex and ever-changing system, whether because of changes introduced to your SAP implementation to better suit your business or through the application of Security Notes (patches) that mitigate newly disclosed vulnerabilities.
To provide a predictable, scheduled flow of vulnerability-mitigation information and security patches, SAP releases most of its Security Notes on the second Tuesday of every month. Because this regular disclosure of new security issues could weaken the security of the SAP systems within an organization, it is highly recommended to carry out periodic assessments, at least on a monthly basis.
At Onapsis we care about our clients' SAP system security and about the state of SAP security in general. To assist our customers, we perform a detailed analysis of the monthly SAP Security Notes as soon as they are published. The goal is to give SAP clients detailed information about the newly released notes and the vulnerabilities affecting their SAP systems, and to help guide their testing of these systems within their organization.
Between the last SAP Security Tuesday and today, SAP AG published 32 SAP Security Notes (7 Support Packages and 25 Patch Day Notes). Onapsis Research Labs reported the following SAP Security Notes:
2197397 - Potential remote code execution in SAP HANA Extended Application Services (XS). Reported by Nahuel D. Sánchez.
2191529 - Potential information disclosure relating to Transaction SCI (Code Inspector). Reported by Sergio Abraham and Juan Perez-Etchegoyen.
The plot illustrates the distribution of CVSS scores across the Security Notes released. Only the notes to which SAP assigned a CVSS score were used to build it (17 out of the 32 SAP Security Notes). As the plot shows, the scores range from 3.5 to 9.3, with a median of 4.3.
Hot News from SAP
- 2197397 - 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C) - As mentioned above, this note was reported by Nahuel D. Sánchez of the Onapsis Research Labs. It patches a critical vulnerability in SAP HANA Extended Application Services that could let an attacker take complete control of the product, and thus view, edit or even delete data. It is extremely important for HANA customers to apply this security note.
- 850306 - (CVSS vector not provided by SAP) - This Security Note summarizes several Oracle patches linked to SAP products.
SAP Security Notes with the highest CVSS scores provided by SAP
- 2197100 - 7.1 (AV:N/AC:H/Au:S/C:C/I:C/A:C) - OS injection through call of function module by SM37. The note fixes a security bug in the function module SCTC_REFRESH_EXPORT_USR_CLNT, which could be called through transaction SM37 and let a malicious user execute OS commands.
- 2200806 - 6.0 (AV:N/AC:M/Au:S/C:P/I:P/A:P) - Missing authorization check in Foreign Trade. A missing authorization check in the Foreign Trade product let an authenticated user access functions to which access should be restricted.
- 2183189 - 4.9 (AV:N/AC:M/Au:S/C:P/I:N/A:P) - Untrusted XML input parsing possible in the runtime of SAP NetWeaver Business Client. The note fixes a vulnerability in the XML parser of SAP NetWeaver Business Client (NWBC). A malicious user could send a specially crafted XML file that retrieves information or accesses network resources reachable from the parsing system. A modified XML file could also cause a Denial of Service (DoS) of the component.
- 2193389 - 4.6 (AV:N/AC:H/Au:S/C:P/I:P/A:P) - Potential modif./disclosure of persisted data in SAP Batch Processing. The note prevents a SQL injection in SAP Batch Processing; an attacker could exploit this vulnerability to retrieve data or even change it.
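As an added example (not part of the original post), a small CVSS v2 base-score calculator that parses the vectors SAP published for the notes above, reproduces the scores SAP assigned, and ranks the notes by score so they can be prioritised for patching; the NVD severity bands and the note list are the only inputs, everything else follows the CVSS v2 specification.

```python
import math

_CIA = {"N": 0.0, "P": 0.275, "C": 0.660}  # CVSS v2 impact weights
_WEIGHTS = {  # CVSS v2 exploitability weights (CVSS v2 specification)
    "AV": {"L": 0.395, "A": 0.646, "N": 1.0},
    "AC": {"H": 0.35, "M": 0.61, "L": 0.71},
    "Au": {"M": 0.45, "S": 0.56, "N": 0.704},
    "C": _CIA, "I": _CIA, "A": _CIA,
}

def parse_vector(vector):
    """Parse 'AV:N/AC:M/Au:N/C:C/I:C/A:C' into {metric: value}, rejecting unknown or missing fields."""
    metrics = {}
    for part in vector.strip("()").split("/"):
        name, _, value = part.partition(":")
        if name not in _WEIGHTS or value not in _WEIGHTS[name]:
            raise ValueError(f"bad CVSS v2 metric: {part!r}")
        metrics[name] = value
    if set(metrics) != set(_WEIGHTS):
        raise ValueError("incomplete CVSS v2 base vector")
    return metrics

def _round1(x):
    # CVSS v2 rounds half up to one decimal; Python's round() is half-to-even.
    return math.floor(x * 10 + 0.5) / 10

def base_score(vector):
    """CVSS v2 base score from a base vector string."""
    w = {k: _WEIGHTS[k][v] for k, v in parse_vector(vector).items()}
    impact = 10.41 * (1 - (1 - w["C"]) * (1 - w["I"]) * (1 - w["A"]))
    exploitability = 20 * w["AV"] * w["AC"] * w["Au"]
    f_impact = 0.0 if impact == 0 else 1.176
    return _round1((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact)

def severity(score):
    """NVD's qualitative bands for CVSS v2: Low 0-3.9, Medium 4.0-6.9, High 7.0-10.0."""
    return "High" if score >= 7.0 else "Medium" if score >= 4.0 else "Low"

NOTES = {  # base vectors exactly as quoted for this month's notes
    "2197397": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
    "2197100": "AV:N/AC:H/Au:S/C:C/I:C/A:C",
    "2200806": "AV:N/AC:M/Au:S/C:P/I:P/A:P",
    "2183189": "AV:N/AC:M/Au:S/C:P/I:N/A:P",
    "2193389": "AV:N/AC:H/Au:S/C:P/I:P/A:P",
}

def rank_notes(notes):
    """(note, score, severity) tuples, highest score first, for patch prioritisation."""
    ranked = [(n, base_score(v), severity(base_score(v))) for n, v in notes.items()]
    return sorted(ranked, key=lambda r: r[1], reverse=True)
```

Running `rank_notes(NOTES)` returns 2197397 at 9.3 (High) first and 2193389 at 4.6 (Medium) last, matching the scores SAP published.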
Other corrections with High Priority (no CVSS provided by SAP)
- 2185233 - Missing authorization check in Revenue Recognition. The note adds authorization checks to some functions of the SAP Revenue Recognition module. The lack of proper authorization checks could let an authenticated user without proper permissions access functions of the Revenue Recognition component to which access should be restricted.
- 2184117 - Missing authorization check in Foreign Trade. The note fixes improper authorization checks in some functions of the Foreign Trade component, which could let an authenticated user use functions to which access should be restricted.
- 1507735 - Unauthorized use of application functions in IS-Media. The note fixes a vulnerability in IS-Media. Because the product uses specific URLs to execute certain functions, a malicious user could create a crafted URL and send it to a victim so that it executes an action in IS-Media with the victim's user rights.
- 1835366 - Potential disclosure of persisted data in AP MD BP. The note prevents a SQL injection vulnerability in the SAP Business Partner module. A malicious user could manipulate certain SQL statements of the product to retrieve data from the database.
- 2180655 - Missing authorization check in Condition Maintenance. The note fixes improper authorization checks in some functions of the Condition Maintenance component, which could let an authenticated user without proper access rights access its functions.
Other attack vectors
- Cross-site Scripting (XSS)
- Missing authority checks: Notes 2197174, 2165838, 1562697, 2178356, 2192350, 2192554, 2028525
- Information disclosure: Notes 2180555, 2191529
- SQL Injection (SQLi): Note 1777867
- Update to older notes: Notes 2205421, 2205521
From this month on, SAP will publish a monthly post in its SCN space “The Official SAP Product Security Response Space” with information about the SAP Security Notes. The first post is called “SAP Security Patch Day - August 2015” and covers the latest SAP Security Notes released by SAP. The blog provides a graphical representation of the types of vulnerabilities that were fixed (such as cross-site scripting, information disclosure and memory corruption) and the number of SAP Security Notes by priority during the last six months.
Each month Onapsis updates our solutions so you can check whether your systems are up to date with the latest SAP Security Notes and that they are configured with the level of security your audit and compliance requirements demand. Stay tuned for next month’s Security Notes analysis from Onapsis Research Labs. If you aren’t already doing so, be sure to follow @Onapsis on Twitter to stay up to date on the latest research, events, and information.