SAP Security Notes May ‘19: Several Missing Authority Checks Patched

Today, being the second Tuesday of the month, SAP released May’s Security Notes. This month, there are no critical or Hot News notes published, but there are three High Priority Notes, as well as two other SAP Security Notes affecting SAP Solution Manager (reported by the Onapsis Research Labs). This month, 50% of the patches are Missing Authorization Checks, which is higher than the average 15%. Even though this is one of the most common vulnerabilities in SAP software.

A total of 11 Security Notes were published in May and an additional three in late April after last month’s Patch Tuesday, represented in these types: Missing Authorization Checks (the most common type of vulnerability in SAP software), Information Disclosure, Cross-Site Scripting (XSS) and Privilege Escalation.

Yesterday, ASUG (America’s SAP Users Group) published a blog post that includes an interview with SAP’s CISO Tim McKnight and Onapsis founder and CEO, Mariano Nunez, where they discussed how the two organizations continue to partner to protect customers from cyber risks, such as 10KBLAZE. Related to this, SAP has re-released SAP Security Note #1408081 “Basic Settings for reg_info and sec_info” from 2010. This is the note related to SAP Gateway access list security. SAP has updated data, such as affected versions and specific wording around the latest 10KBLAZE misconfiguration, in order to help customers better understand the risk and remediate as soon as possible. 

In addition to reading this monthly analysis of the most critical published notes, it is important to have a full patch management process to keep all SAP systems protected and up to date with security patches. One of McKnight’s quotes in the aforementioned interview is a good summary of why we write this blog post every month; “50,000 may be the number [of SAP customers affected] published, but we believe one customer is too many.” So, if you are that SAP customer reading this, you must ensure your environment is as secure as possible, and hopefully the Onapsis Research Labs analysis is a good starting point.

High Priority Vulnerabilities: Three Notes, Three Platforms, Three Types

As mentioned previously, this month there are three notes tagged as High Priority Notes. 

The one with the highest CVSS Score is SAP Security Note #2756453 “Insufficient page protection in S/4HANA for customer management,” with CVSS v3.0 of 8.5. This is a classic XSS vulnerability that could lead to client-side attacks, including defacing web content for a specific user, or even stealing authentication data from the victim. Take into account that this note requires manual steps that need to be executed before the package is installed. Based on this, some workarounds are detailed in the note, too. 

The note with the next highest CVSS Score  of 8.4. SAP Security Note #2776558 patches a Missing Authorization Check in SAP Funding Management. The note is published in German, but should be translated to English soon. As with every missing authority check, the note adds the missing exams to avoid a malicious user having rights extension that may lead to abusive use of features.

Finally, SAP Security Note #2784307 “Privilege Escalation in SAP Identity Management REST Interface Version 2” (CVSS v3.0 of 8.3) was externally reported (meaning it was not found by SAP itself) and that’s why it includes its CVE number: CVE-2019-0301. In this case, users may be able to change privileges instead of only being able to see this data, which may lead to loss of confidentiality or integrity of systems connected to SAP Identity Management. Apply the patch to fix it.

Onapsis Research Labs Helps SAP Patch Vulnerabilities in Solution Manager

As a part of the continuous collaboration the Onapsis Research Labs engages in with SAP, two vulnerabilities affecting SAP Solution Manager have been fixed.

As we mentioned in previous publications, missing authorization checks continue to be one of the most common vulnerabilities found in SAP software. Tagged as Medium Priority (CVSS v3.0 of 5), SAP Note #2756625 “Missing Authorization Check in Check of RFC Destinations on SAP Solution Manager and ABAP Managed Systems,” completes a set of vulnerabilities reported by our lead researcher Matias Sena. In all cases, the notes were related to improper authorization checks for different ABAP functions that allow RFC connections management. This means a potential attacker would be able to enumerate RFC connections or get technical details for them. An attacker could gather communications information between systems. See the Onapsis SAP Security Notes December ‘18 blog post for more details about possible scenarios for this vulnerability.

Inside the Solution Manager architecture, the CA Introscope is the software component responsible for gathering information about performance and other monitoring metrics. 

The credentials used to send that information from Introscope Enterprise Manager to Solution Manager were found by our researcher, Yvan Genuer, inside an unencrypted file referenced as a property. This vulnerability was scored as a Medium Priority with a CVSS v3.0 of 4.3. To fix it, please follow the instructions detailed in SAP Note #2748699 “Information Disclosure in Solution Manager 7.2 / CA Introscope Enterprise Manager” and make sure that you are installing the correct Management Module for CA Introscope version the system is running.

This month Matías Sena and Yvan Genuer from the Onapsis Research Labs have been acknowledged by SAP on their webpage, based on their findings and reports. As always, we are working on updating the Onapsis Security Platform to incorporate these newly published vulnerabilities. This will allow our customers to check whether their systems are up to date with the latest SAP Security Notes and will ensure that those systems are configured with the appropriate level of security to meet their audit and compliance requirements.

Please follow our blog or follow us on Twitter for more information about the latest SAP security issues and stay tuned for our continuous efforts to share contents with the security community.