On the second Tuesday of every month, SAP releases its latest Security Notes. This month there were 36 SAP Security Notes (26 Support Package Notes and 10 Patch Day Notes, including those published since the previous Patch Tuesday). Two things stand out:
- 1.) A critical vulnerability rated Hot News, with a CVSS v3 score of 9.9, that could allow an attacker to inject code through a vulnerable component of SAP Solution Manager (Note #2301837).
- 2.) 24 of the 36 security notes address an attack that is rarely mentioned in SAP Security Notes: clickjacking. Let's look at what this attack is and how relevant it is to your information security.
At Onapsis, we are very concerned about the security of our clients' SAP systems. To better assist our customers, we perform a detailed analysis of the monthly SAP Security Notes as soon as they are published. The goal of this analysis is to provide SAP clients with detailed information about the newly released notes and the vulnerabilities affecting their systems, so that they can promptly update and mitigate newly disclosed vulnerabilities as quickly as possible.
If this is the first time you've heard about clickjacking in SAP systems, you're probably not alone. Before June 2016, there were only two Security Notes related to clickjacking (#2254425 from last month and #1781171 from November 2012), so more than 90% of all clickjacking notes were published in the last 30 days. Before analyzing how clickjacking affects SAP systems, let's cover the basics and the theory of the attack.
What is Clickjacking?
Clickjacking (also called a "User Interface redress attack", "UI redress attack", or simply "UI redressing") is an attack technique that uses transparent or opaque layers to trick a user into clicking a hidden button or link on a web page while they believe they are clicking on the page they can see. In other words, the attacker hijacks clicks the victim intended for one page and routes them to another.
The attacker usually does this with iframes: the target application is loaded in an invisible frame positioned over a decoy page, so the user cannot tell where the click actually lands. The user believes they are clicking a harmless link, when in reality they are clicking a control of the framed application, with their own authenticated session attached. As the Sectheory image referenced here illustrates, clickjacking is a way of stacking two pages so that they appear as one:
Ways to defend against clickjacking
Although there is more than one way to protect your applications from this type of attack, the two main recommendations from OWASP are:
- 1. Send the proper X-Frame-Options HTTP response header, which instructs the browser not to allow framing from other domains (the Content-Security-Policy frame-ancestors directive is the newer equivalent and, unlike X-Frame-Options, can list several trusted origins).
- 2. Employ defensive code in the user interface (frame busting) to ensure that the current frame is the top-level window.
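To make the two OWASP defenses concrete, here is an added example (not SAP's or OWASP's own code). It emulates the browser's framing decision for an X-Frame-Options / CSP frame-ancestors response and shows a frame-busting routine that takes the window object as a parameter so it can be exercised outside a browser. The origins app.example, evil.example and partner.example, and the header values, are constructed for illustration.

```javascript
// Added example (not SAP's or OWASP's code): emulates how a browser decides
// whether a page may be framed, and shows the two OWASP defenses side by side.
// All origins below are constructed for illustration.

// 1) Server side: response headers that refuse framing from untrusted origins.
//    X-Frame-Options only knows DENY / SAMEORIGIN (ALLOW-FROM was never widely
//    supported); CSP frame-ancestors is the equivalent that can list several
//    trusted origins.
function buildFramingHeaders(trustedOrigins) {
  const headers = {};
  if (trustedOrigins.length === 0) {
    headers['X-Frame-Options'] = 'DENY';
    headers['Content-Security-Policy'] = "frame-ancestors 'none'";
  } else {
    headers['X-Frame-Options'] = 'SAMEORIGIN';
    headers['Content-Security-Policy'] =
      "frame-ancestors 'self' " + trustedOrigins.join(' ');
  }
  return headers;
}

// Minimal emulation of the browser check. `pageOrigin` is the framed page,
// `ancestorOrigins` lists every ancestor frame (modern browsers check all of
// them, not only the top window). Returns true if the browser would render the
// page inside those frames.
function browserAllowsFraming(headers, pageOrigin, ancestorOrigins) {
  if (ancestorOrigins.length === 0) return true; // top-level navigation
  const csp = headers['Content-Security-Policy'];
  const m = csp && /frame-ancestors\s+([^;]+)/.exec(csp);
  if (m) {
    // When both headers are present, CSP frame-ancestors takes precedence.
    const sources = m[1].trim().split(/\s+/);
    if (sources.includes("'none'")) return false;
    return ancestorOrigins.every((o) =>
      sources.some((s) => (s === "'self'" ? o === pageOrigin : s === o)));
  }
  const xfo = (headers['X-Frame-Options'] || '').toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return ancestorOrigins.every((o) => o === pageOrigin);
  return true; // no header at all: framing allowed, i.e. clickjackable
}

// 2) Client side: defensive code that only reveals the UI when this document
//    is the top-level window. The page's HTML starts with body{display:none}
//    so that a framed copy stays blank even if script is disabled. `win` is
//    injected so the routine can be tested outside a browser; in a real page
//    you would call frameBust(window).
function frameBust(win) {
  if (win.self === win.top) {
    win.document.body.style.display = 'block'; // not framed: show the UI
    return 'shown';
  }
  win.document.body.style.display = 'none'; // framed: keep the UI hidden...
  try {
    win.top.location = win.self.location;   // ...and try to break out
  } catch (e) { /* cross-origin top window: navigation refused, UI stays hidden */ }
  return 'busted';
}

// Worked scenario: the application at app.example is framed by the attacker's
// page at evil.example, and legitimately by a partner portal.
function demoFraming() {
  const app = 'https://app.example';
  const attacker = ['https://evil.example'];
  const partnerHeaders = buildFramingHeaders(['https://partner.example']);
  return {
    unprotected: browserAllowsFraming({}, app, attacker),                     // true
    denyAll: browserAllowsFraming(buildFramingHeaders([]), app, attacker),    // false
    partnerOk: browserAllowsFraming(partnerHeaders, app, ['https://partner.example']), // true
    partnerBlocksAttacker: browserAllowsFraming(partnerHeaders, app, attacker),        // false
  };
}

console.log(JSON.stringify(demoFraming()));
```

The server-side header is the primary control: frame busting can be bypassed (for example with the iframe `sandbox` attribute, which disables the framed page's script), so it is only a fallback for browsers that ignore the headers.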
Clickjacking in SAP Systems
SAP Security Note #2319727 "Clickjacking protection framework in SAP NetWeaver AS ABAP and AS Java" explains the scope of this month's clickjacking notes in detail. Although clickjacking is a general attack vector, not one that targets only SAP applications, the latest notes provide an SAP-specific solution to this general web application threat.
For scenarios in which only one domain is involved, SAP's approach is based on frame busting combined with domain relaxation. As the notes put it, this "ensures that for your trusted domain the most scenarios will work with low configuration effort". For multi-origin scenarios, this is combined with the postMessage API, where every message is validated against a configured list of trusted hosts and domains maintained on the backend.
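The multi-origin case turns on one check: the receiving page must compare the origin of each postMessage event against an explicit list of trusted origins. The following is an added example, not SAP's framework code; the trusted-origin list is hard-coded where SAP's would come from the configured whitelist, and the origins portal.example, partner.example and the attacker hosts are constructed.

```javascript
// Added example (not SAP's framework code): cross-origin embedding done with
// postMessage and an explicit trusted-origin list. All origins are constructed.

// Exact-match check on the full origin (scheme + host + port). Substring or
// suffix matching is the classic mistake: it lets "evil-portal.example" or
// "portal.example.evil.net" through.
function isTrustedOrigin(origin, trustedOrigins) {
  return trustedOrigins.includes(origin);
}

// Weak variant kept for comparison only: a suffix match on the host name,
// which an attacker defeats by registering a host ending in the same string.
function isTrustedOriginWeak(origin, trustedOrigins) {
  return trustedOrigins.some((t) => new URL(origin).host.endsWith(new URL(t).host));
}

// Builds the embedded (framed) page's message handler. The handler returns its
// decision so it can be inspected; in the browser you would register it with
// window.addEventListener('message', handler) and ignore the return value.
function makeMessageHandler(trustedOrigins, onAccepted) {
  return function onMessage(event) {
    // Check the origin first, before touching the payload at all.
    if (!isTrustedOrigin(event.origin, trustedOrigins)) {
      return { accepted: false, reason: 'untrusted origin ' + event.origin };
    }
    let msg;
    try {
      msg = JSON.parse(event.data);
    } catch (e) {
      return { accepted: false, reason: 'malformed message' };
    }
    if (!msg || typeof msg.action !== 'string') {
      return { accepted: false, reason: 'missing action' };
    }
    return { accepted: true, result: onAccepted(msg, event.origin) };
  };
}

// Embedding side: always name the target origin. With '*' the payload is
// delivered to whatever document the frame currently holds, including one an
// attacker navigated it to.
function sendToFrame(frameWindow, targetOrigin, msg) {
  frameWindow.postMessage(JSON.stringify(msg), targetOrigin);
}

function demoPostMessage() {
  const trusted = ['https://portal.example', 'https://partner.example:8443'];
  const handle = makeMessageHandler(trusted, (msg) => 'did ' + msg.action);
  return {
    ok: handle({ origin: 'https://portal.example', data: '{"action":"openDoc"}' }),
    spoofSubdomain: handle({ origin: 'https://portal.example.evil.net', data: '{"action":"openDoc"}' }),
    wrongPort: handle({ origin: 'https://partner.example', data: '{"action":"openDoc"}' }),
    badPayload: handle({ origin: 'https://portal.example', data: 'not json' }),
    // The suffix check wrongly accepts a look-alike host; the exact check does not.
    weakFooled: isTrustedOriginWeak('https://evil-portal.example', trusted),
    exactHolds: isTrustedOrigin('https://evil-portal.example', trusted),
  };
}

console.log(JSON.stringify(demoPostMessage()));
```

Note that the port is part of the origin: a message from https://partner.example (port 443) is rejected when only https://partner.example:8443 is whitelisted, which is the behaviour you want.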
Even though SAP has implemented the solution for the most relevant UI frameworks, administrators must also take care of custom applications based on JSP UI technology (note #2290783 gives more information on this).
It is important to emphasize that even after the SAP Security Notes are installed, Clickjacking Framing Protection is disabled by default, so an administrator should activate it after proper testing, to ensure that information is protected and usability is preserved. To enable this protection, first implement the notes mentioned above and then configure the whitelist (see notes #2142551 for AS ABAP and #2170590 for AS Java).
High Priority & Hot News Notes
This month, there are three high-impact notes:
- The most critical was prioritized as Hot News by SAP: #2301837, Code Injection Vulnerability in SAP Solution Manager.
Its high score (CVSS v3 Base Score: 9.9/10) reflects the high impact on all three elements (confidentiality, integrity and availability) of a possible OS command injection in the affected method. Such execution could be used for a denial-of-service attack, among other malicious commands executed on the vulnerable system. SAP removed the obsolete code; the vulnerability is prevented by applying the corresponding note to the affected component.
The other two high-priority notes are:
- #2330839, Denial of Service (DoS) in multiple SAP Sybase products: with high impact on availability, an Open Server application may crash when the flaw is exploited. Installing the fixed product versions removes the risk, as the newer versions properly check a data packet before processing it. Fixed versions are: SAP Open Server 16.0 SP02 PL04, SAP ASE 16.0 SP02 PL04 and SAP Replication Server 15.7 SP304. CVSS v3 Base Score: 7.5/10.
- #2245398, Java deserialization vulnerability in Adobe Interactive Forms: this note applies only if you use ADS (Adobe Document Services) on NetWeaver 7.30, 7.31, 7.40 or 7.50, since ADS uses (and so inherits the vulnerabilities of) the open source Apache Commons Collections library. It is easily solved by installing the corresponding ADS Support Package (SP) or patch. CVSS v3 Base Score: 7.3/10.
The following box-plot graph illustrates the distribution of CVSS scores across the released Security Notes. Only notes for which SAP set a CVSS score were taken into account (9 of the 36 SAP Security Notes). On the left side you can see the box-plot for the accumulated notes of 2016 (July not included):
As you can see, this month's Hot News note carries the highest CVSS score of 2016.
The following graph summarizes the types of vulnerabilities fixed this month. Clickjacking was clearly the most prominent issue addressed in July:
The Onapsis Research Labs are currently in the process of updating the Onapsis Security Platform to incorporate this latest research. This will allow you to check whether your systems are up to date with these latest SAP Security Notes, and ensures that those systems are configured with the appropriate level of security to meet your audit and compliance requirements. Stay tuned for next month’s Security Notes analysis.