SAP Security Notes September ‘18: Critical Bug in SAP HANA XS
Today SAP released 18 security notes for September’s Security Patch Day. Another five have been published in the last month, making a total of 23 Security Notes this month. One of the highlights of this month’s publication is another critical bug in SAP HANA XS Engine that could be remotely and unauthenticated exploited, causing a Denial Of Service or even a potential remote code execution (RCE). Reported by Onapsis, this bug was fixed and published as the High Priority Security Note #2681207 titled, “DOS vulnerability in SAP HANA, Extended Application Services Classic Model.”
As a result of the Onapsis Research Labs’ continuous effort in SAP HANA security, we recently reported another security bug found in HANA that leads to this month’s High Priority publication and fixes a serious vulnerability in the XML parser of SAP HANA XS. Applications written with the HANA Studio and its related tools are susceptible to be interrupted by such an attack. These are run by HANA xsengine.
Just to clarify, the official term SAP HANA XS Extended Application Services is referred to both as SAP HANA XS Engine and xsengine.
The attack can be carried out by an attacker by sending a large crafted request to a default API or ODATA services present in a HANA XS system abusing the XML parsing failure of one of the libraries which are used by xsengine to parse XML data strings. The malicious request can be remote and unauthenticated, that is, it does not need to be local or come from an authenticated user and no user credentials are needed. Our researcher, Martin Doyhenard, who found the bug, also discovered two approaches for exploiting the vulnerability.
The first one makes, after repeated attempts at sending the attack, the xsengine stop responding in all of its threads. This way the only symptom will be the unresponsiveness of the applications, and the daemon responsible to keep HANA services running will see nothing to fix, and neither will a system administrator, who will need to restart the system without having any clue of such an attack. In other words, this is a Denial of Service (DoS) attack.
The second way of exploiting this bug, using a buffer overflow, makes the xsengine and the running applications within it crash. The applications will be seen as not available or unresponsive by the users. The HANA’s daemon will note that and proceed to restart the crashed xsengine and system applications will be available again after some minutes. This may be seen as a less harmful situation but will be the the choice of an attacker trying to leverage on it to achieve an RCE. With such successful attack, the system may be fully compromised.
As described in the SAP Note, the vulnerability has been fixed in the following versions:
- SAP HANA 1.00 SPS 12 revision 122.13
- SAP HANA 2.0 SPS 1, revision 12.02
- SAP HANA 2.0 SPS 2, revision 22
- SAP HANA 2.0 SPS 3 (which is not affected since the first release)
Despite the fact that these revisions have been available for several months, some customers may have not applied the patch due to the lack of knowledge of the risks involved. So, after this publication, we highly encourage SAP users to update to these or later versions.
In summary, the security issue found, if abused, can make HANA XS Extended Application Services supported applications unresponsive and there is a real chance that it can also be used in a more sophisticated attack, to leverage on it for a potential RCE, that could be an extremely serious system compromise. The vulnerability was fixed by the vendor and published with a CVSS of 7.5 (despite it being originally reported with CVSS 10 due to the potential RCE attack vector that is commonly present in this type of bug).
Nevertheless, a DoS attack is the easiest one to perform abusing this vulnerability and a more complex attack would require time and resources that should also be available for targeted attacks.
A Recurring Hot News and Other High Priority Notes
This month’s Hot News has the Security Note #2622660 which was updated once again with new security updates for the browser control Chromium delivered with SAP Business Client. This fourth release came with new Chromium browser control patches to several vulnerabilities found and fixed. These affect the SAP Business Client 6.5. Remember that in Note #2302074, SAP advised to use the last available version because it contains the latest fixes and features. It is also recommended to uninstall any previous versions. This note was tagged as Hot News even while it has no CVSS score yet, but, as can be seen in Chrome's Releases channel, there are five of the 42 security fixes tagged as High Priority.
We have analyzed this note each time since its first release in April’s monthly SAP Security Note, including the latest release in July.
In addition to the High Priority note DOS vulnerability in SAP HANA, Extended Application Services Classic Model (#2681207) reported by Onapsis and described at the beginning, this month’s remaining three High Priority notes are discussed:
- Information Disclosure in SAP Business One (#2670284) - This important vulnerability resides in the SAP Business One software for HANA. Versions 9.2 and 9.3 are affected. It is possible, under certain conditions, where Cristal Reports and SAP HANA installer may have access to sensitive information it shouldn’t. A customer has to upgrade or implement the corresponding Patch Level as directed by the note.
- Missing XML Validation Vulnerability in BEx Web Java Runtime Export Web Service (#2644279) - In SAP BI Java runtime there are some export services, and in the case of the one for web, it has an XML vulnerability that is not validating XML documents properly. SAP explains it affects only exporting ABAP list views (ALV) to PDF. The affected versions of SAP Netweaver BI are 7.30, 7.31. 7.40, 7.41 and have to be patched to fix this security issue.
- Cross-Site Scripting in NW AS Java Logon Application (#2623846) - This vulnerability affects many SAP Netweaver AS Java in its Logon Application. All affected versions (7.10, 7.11, 7.20, 7.30, 7.31, 7.40 and 7.50) have to be patched to not allow attackers abuse of this XSS vulnerability which may lead to defacements, users credentials compromises, or user impersonation.
With five total critical notes, including a critical attack vector over SAP HANA XS, this month has several patches to apply and take care. Here's a summary of the types of bugs that were patched this month by the vendor:
As always, the Onapsis Research Labs is working to update the Onapsis Security Platform in order to include these newly published vulnerabilities in our solution, to allow our customers to check whether their systems are up to date with the latest SAP Security Notes. Stay tuned to our blog or follow us on social media, in order to receive more data about the latest SAP security issues, especially our monthly blog post every second Tuesday of the month.