SAP is a complex and ever evolving implementation; whether that is through changes introduced to your SAP implementation to better serve the business or the newly disclosed vulnerabilities targeting SAP products. In order to provide a predictable and scheduled flow of security, vulnerability and mitigation information SAP releases their latest Notes and security information regarding their products on the second Tuesday of every month. Because of this regular disclosure of new issues that could potentially weaken an organizations security SAP security assessments should be carried out on a regular basis. In order to ensure our customers are testing for all the published vulnerabilities in their SAP implementations we perform a detailed analysis of the monthly SAP Security Notes as soon as they are published.
To date this is been a service we have carried out quietly on behalf of our customers. However due to wider requests for better understanding regarding the information being published by SAP this will be the first in a monthly series of posts that summarize and explain the analysis we performed in order to promptly update our products with the latest security checks.
In December we analyzed a total of 35 SAP Security Notes. Notes 1926485, 1913554 and 1911523 were reported by Sergio Abraham, from Onapsis Research Labs.
You will find a plot graph illustrating the distribution of CVSS scores across the Security Notes released in December. As you can see, the Security Notes have a wide range of scores, showing the variety of notes released by SAP. Understanding the impact of each note and determining the priority with which it should be scanned for and addressed when found is a high effort task, one the Onapsis Research Labs takes on each month for our customers.
Missing authorization checks
Often some authorization objects are not checked while executing reports, RFC functions or transactions. Sometimes a specific check for the missing authorization object is delivered in the form of a correction instruction, a support package or by a new major version update.
Transactions affected this month: SE92.
Reports affected this month: SATRA_START, reports related to LFKP6FI0, LFKP6FL0, LFKP6TOP.
RFC Functions affected this month: PERFORMANCE_TRACE_GET, PERFORMANCE_TRACE_OFF, PERFORMANCE_TRACE_ON, PERFORMANCE_TRACE_SUMMARY, FI_AUTH_CHECK_RFC, FI_DOCUMENT_PROJECT, FI_DOCUMENT_REVERSE, CNM2_MAT_MRP_RUN, /SAPAPO/LRP_SEND_QGWFORMAT_RFC, CL_BPS_SUPPLIER001QR_IMPL_EXECUTE, UDM_GOS_SEND_AND_LINK_MAIL.
Other components affected this month:
SAP JAVA AS telnet command, EA-FINSERV component, CRM-ISA-BBS component, EHSM component and SAP Sybase ASE.
Other Attack Vectors
- Directory Traversal issues in RFC functions ARCHIVFILE_CLIENT_TO_SERVER, ARCHIVFILE_SERVER_TO_CLIENT.
- Cross Site Scripting vulnerabilities were fixed in BO-WEBAPP component and in Business One function builder.
- Cross-Site Request forgery in XLPO component
- RFC function KFM_SUBMIT_KF_REPORT_REMOTE_SY was fixed
Information disclosure issues were fixed in:
- EHSM component
- SAP Portal
- System Landscape Directory ABAP Connectivity (RFC: SLDAG_CHECK_FILE_EXISTENCE)
Finally, an XML-injection-based DoS was fixed in BBPCRM CL_CRM_XML_GW_SYNC CONVERT_XML2DOM class method.
Each months updates in Onapsis X1 will allow you to check whether your systems are up-to-date with the latest SAP Security Notes as well as configured with an appropriate level of security.
Stay tuned for next month’s Security Notes analysis from Onapsis Research Labs.