SAP Security Notes June ‘19: SAP Increased Priority for SAP Solution Manager Patch

Highlights of June’s SAP Notes analysis include:

  • High Priority SAP Note related to Solution Manager — SAP increased criticality for this note that was first released as Medium Priority but changed to High Priority due to new CVSS score
  • HotNews related to Google Chromium— The only HotNews this month is a recurring note to patch a Google Chromium component in SAP Business Client
  • Security notes reported by Onapsis Research Labs —  In addition to the re-released High Priority note, SAP also published four new SAP Security Notes reported by Onapsis researchers, affecting several platforms including one for mobile applications
  • Onapsis has reported more than half of the patches SAP has published related to mobile applications in the last year

High Priority SAP Note Related to Solution Manager 

In today’s SAP Patch Day, two SAP Security Notes are marked as a top priority and both have been previously released. SAP Security Note #2748699 affecting SAP Solution Manager, changed priority, from Medium to High (the only one in this category this month). This note was originally released in May, having been reported by Onapsis Research Labs. Due to continuous communication between our research team and SAP’s Security Response Team, SAP has increased its CVSS score from 4.3 to 7.1, making it now a High Priority note. If successfully exploited, this vulnerability (CVE-2019-0291) may lead to an attacker getting valid user credentials and the ability to create privileged users accounts. The CVSS score was increased due to new high impact to confidentiality. This is not an easy patch to apply. Several manual steps are detailed in the note that include not only how to install the fixed software component, but also the dependencies on other SAP Security Notes that should be applied first, and finally how to perform manual steps to secure and properly encrypt credentials. 

HotNews Related to Google Chromium 

SAP Security Note #2622660 appears again as the only HotNews of the month, being the fourth time this year to be released. Titled Security Updates for the Browser Control Google Chromium Delivered with SAP Business Client, we have talked about this note for several months since its original publication in 2018. This fix is not an SAP vulnerability by itself, but the problem occurs when an SAP Business Client is running on an outdated Chromium and a possible attacker could achieve SAP Business Client user access to execute malicious code. Even though it is published as HotNews, the real impact depends on which Chromium vulnerability is being exploited, since the note updates the whole component that has patches for different bugs such as remote code execution, information disclosure, Denial of Service (DoS), or even session hijacking. To avoid unnecessary risks, we recommend users not use SAP Business Client browser for activities other than SAP related. 

Security Notes reported by Onapsis Research Labs 

This month SAP fixed four new vulnerabilities reported by the Onapsis Research Labs, three of them reported as Medium Priority and the fourth one as Low Priority.

SAP Security Note related to BusinessObjects. The one with the highest CVSS Score of 6.1 (CVE-2019-0303) is SAP Security Note #2637997 related to a cross-site scripting vulnerability impacting SAP BusinessObjects (SAP BusinessObjects Business Intelligence Platform 4.2 SP 05 and above). A remote unauthenticated attacker could craft a malicious URL capable of running arbitrary JavaScript code in the victim’s web browser, potentially allowing the attacker to have administrative access if the victim is a BusinessObject privileged user.

SAP Security Note related to SAP HANA XSA. SAP Security Note #2771128, titled Information Disclosure in SAP HANA Extended Application Services (advanced model) is a vulnerability exploitable by remote, low privileged users affecting SAP HANA XS Advanced. With CVSS v3.0 Score of 4.3 (CVE-2019-0306), if exploited it could deceive the application into revealing sensitive information such as valid admin usernames.

SAP Security Note related to SMP Mobile Platform. A set of vulnerabilities recently reported by our Research Labs focused in SAP mobile products, SAP Security Note #2793805 is a fix for a previously released security note (#2725538). Both notes affect the SMP Mobile Platform. The first one fixes the SDK used to develop mobile applications, but the note released this month (CVSS score of 5.5) fixes the potential DoS in the mobile applications: SAP Inventory Manager and SAP Work Manager. Onapsis has helped fix 70% of mobile-related notes in the last year, with seven out of the ten SAP Notes having been reported by our research team. 

SAP Note related to Diagnostic Agent. This fourth note released based on formerly reported vulnerabilities by our researchers is the only one in this section tagged as Low Priority. SAP Note #2772266 fixes a vulnerability allowing an attacker with local and low privileges to read sensitive information. SAP Diagnostic Agent usernames and passwords are not properly encrypted by default and a successful attacker may be able to gain access to it and reutilize them later to gain access to other systems using this high privileged user. Even though its CVSS score (3.4) is low, its exploitation combined with other bugs may be part of a critical attack.

Summary & Conclusions

Since last May’s Patch Day, a total of 19 Security Notes were published. Below is a summary of the types of vulnerabilities that were fixed after that month’s Security Notes Patch Day.  Represented are these types: Information Disclosure, Cross-Site Scripting (XSS) and Switchable Authorization Checks.

SAP

For the eighth month in a row, SAP recognized four researchers from the Onapsis Research Labs: Yvan Genuer, Gaston Traberg, Nahuel Sanchez and Pablo Artuso. They have helped SAP improve the security and integrity of their customers’ IT systems (no other security reporters have consistently been recognized as much as the Onapsis Research Labs).

As we regularly do at Onapsis, we will continue to publish our SAP Security Notes Patch Day analysis blogs every Patch Tuesday and work to update the Onapsis Security Platform to incorporate these newly published vulnerabilities. This will allow our customers to check whether their systems are up to date with the latest SAP Security Notes and will ensure that those systems are configured with the appropriate level of security to meet their audit and compliance requirements.

For more information about the latest SAP security issues and to stay in tune with our continuous efforts to share knowledge with the security community, subscribe to our monthly Defender’s Digest Onapsis Newsletter.