SAP Security Notes March 2017: Onapsis Helps Secure Critical Bugs in SAP HANA

Today SAP release its monthly Security Notes, as they do the every second Tuesday of every month. Among the 27 SAP Security Notes published today, 5 of them are related to SAP HANA, and were originally reported by Onapsis Research Labs. One of them, note #2424173, is the only SAP Security Note tagged as Hot News this month as it solves several vulnerabilities in the Self Service component (disabled by default) that can allow an attacker to fully compromise the SAP HANA system without the need of credentials. Another security note is tagged as High Priority is note #2429069 which is the first patch published for the recently released version of this platform, SAP HANA 2.0. In this case, default installations are affected and an attacker can elevate privileges if exploited.

The Onapsis Research Labs have been researching SAP HANA Security for serveral years, and have contributed to improve security of this product several times, contributing in total 39 SAP Security Notes for HANA reported by our team (65% of the 60 in total to date).

This month, our researchers Martin Doyhenard and Nahuel Sanchez discovered the two previously mentioned critical bugs. Below, we will review these vulnerabilities for a better understanding of the scope and impact of each one.

Hot News: Vulnerabilities in the User Self Service tools of SAP HANA

Self Service tool for SAP HANA allow users to activate some additional features such as password change, forgotten password reset, or user self-registration. Several vulnerabilities found in this component, and tagged with CVSS v3 Base Score of 9.80 lead to this unique Hot News of this month.

Through successful exploitation of these vulnerabilities, an unauthenticated attacker would be able to impersonate other users, even those of high privileged accounts. If exploited, these vulnerabilities would allow an attacker, whether inside or outside the organization, to take full control of the SAP HANA platform remotely, without the need of a username and password.

This level of access would allow an attacker to perform any action over the business information and processes supported by HANA, including creating, stealing, altering, and/or deleting sensitive information. If this risk is exploited, organizations may face severe business consequences.

Valid SAP HANA users can also escalate privileges in order to gain access to most powerful user of the database.

After finding this bug in the just released SAP HANA 2 version, we realized that older versions were affected too, including SAP HANA SPS 09 launched in 2014 and any further version from there.

It is highly relevant that this component is not enabled by default on this platform. So, If installing the note is not possible in the long term, we strongly recommend that users deactivate User Self Service, or add network filtering. You can check our dedicated site for SAP HANA Self Service vulnerability for further information.

SAP HANA 2: Session Fixation Vulnerability

As been mentioned before, SAP published HANA 2 last November. At this moment there are several companies in the process of, or considering migration to the new version. Our Team has always been dedicated to helping companies stay protected from such vulnerabilities, and as a result, have been performing research on this version ever since it was released. As such, we have reported findings to SAP so they can produce a patch to fully protect users from being affected by this vulnerability.

This particular bug was rated with a CVSS score of 8.8 (high). An update of the component will let users avoid an attack that can allow an attacker to elevate privileges by impersonating another user in the system.

As mentioned, only SAP HANA 2.0 SPS 00 revision 000 is affected, so if you are moving to this new version, make sure you have it properly updated to avoid this risk.

As in the past with other versions of SAP HANA, like SPS12, this is the first bug that has been patched for a new version of HANA, and was also reported by our team.

Onapsis Contributions

This month, contributions from the Onapsis Research Labs has been huge for SAP Security, not only because of the criticity of these newly patched vulnerabilities, but also due to an additional five Security Notes that were released based on our researcher’s findings, totaling seven of the published notes from Onapsis Research Labs (26% of the ones published today in March Patch Day). These are:

  • Two SQL Injection vulnerabilities for SAP HANA in SAP Security Notes #2426260 and #2428811. Both affect SAP HANA 1 SPS12 and HANA 2 SPS 00. Both reports have a CVSSv3 Base Score of 2.7.
  • An information disclosure in SAP HANA Cockpit for offline administration #2424120 that allows an authenticated user to access information that should not be accessed without privileges (CVSSv3 Base Score: 4.9).
  • Two more Missing Authority Check in SAP For Defense Products: #2381388 and #2378999 (CVSSv3 Base Score: 6.3). SAP has been patching Onapsis Reports of this platform for the last three months.

All of our researchers that contribute on this seven SAP Security Notes were acknowledged and recognized in SAP Webpage for this month security improvements.

March Notes Summary

As mentioned, 27 SAP Security Notes were published today and a total of 30 were published since last Patch Tuesday, including some that were published in late February and early March. There are a total of seven high priority security notes, including two Denial Of Service Attacks in SAP Netweaver Dynpro Engine and Visual Composer and a Remote Code Execution Vulnerability in SAP GUI For Windows. This last one includes manual steps to remediation so it is worth a read based on its criticality.

SAP has also alerted the SAP HANA Express Edition users should also update to the latest version.

As with every month, we are already in the process of updating our product the Onapsis Security Platform to incorporate these newly published vulnerabilities. This will allow you to check whether your systems are up to date with these latest SAP Security Notes, and will ensure that those SAP systems are configured with the appropriate level of security to meet your audit and compliance requirements.

For Self Service vulnerability, we have released an Advanced Threat Protection (ATP) solution for this vulnerability in our product, so to give early detection capabilities to our customers.

If you have any further questions, remember you can access our dedicated site for SAP HANA Self Service Vulnerabilities and request to speak with one of our experts to check if your SAP HANA infrastructure is vulnerable.