SAP is a complex and ever-evolving implementation, whether through changes introduced to your SAP landscape to better serve the business or through newly disclosed vulnerabilities targeting SAP products. To provide a predictable, scheduled flow of security, vulnerability and mitigation information, SAP releases its latest Notes and security information on the second Tuesday of every month. Because this regular disclosure of new issues could weaken an organization's security, SAP security assessments should be carried out on a regular basis. To ensure our customers are testing for all the published vulnerabilities in their SAP implementations, we perform a detailed analysis of the monthly SAP Security Notes as soon as they are published.
In January SAP released a total of 34 Security Notes; six of those were the result of reports made to SAP by the Onapsis Research Labs.
Notes 1918333, 1917381 and 1894049 were reported by Nahuel D. Sánchez, 1922547 and 1910914 by Jordan Santarsieri, and Note 1931399 by Willis Vandevanter, all from Onapsis Research Labs.
The accompanying plot illustrates the distribution of CVSS scores across the Security Notes released in January; 26 of the 34 SAP Security Notes have an assigned CVSS score. The scores span a wide range, reflecting the variety of issues SAP addressed this month. Understanding the impact of each Note and determining the priority with which it should be scanned for and addressed takes significant effort, one that the Onapsis Research Labs takes on each month for our customers.
Missing authorization checks
Often an authorization object is not checked while a report, RFC function or transaction executes, so any user who can reach it can perform the action regardless of the authorizations assigned to them. The fix, a specific check for the missing authorization object, is delivered in the form of a correction instruction, a support package or a new major version update.
Transactions affected this month: None.
Reports affected this month: /asu/asubox, FIOTP_KOFI_CALLBACK, LFBD0F13, BDLCOTOP, LSHL2TOP, LSHL2O15, LJ3RFGTDINTPAI, RSXMB_RESTART_MESSAGES.
RFC functions and class methods affected this month: BKKE_BKKA_EVENT_FCODE, RSDRD_BUILD_REPORT_FOR_BATCH, RSDU_TABLE_INDEX_CHECKER_HDB, RSDRI_DBA_TRFR_DATA, SXPG_PROFILE_PARAMETER_GET, several functions in function groups SPF1, SPFL, SPF2 and SPFC, several methods in class CL_SPFL_UTIL, DOCU_AUTHORITYLOAD, J_1BSPED_OUTPUT_INIT, SXMS_RESTART_MESSAGES.
Other components affected this month: NetWeaver Business Client, Solution Manager, SLM, ICM, Business Objects, MSON, ESR, XI_TOOLS, Enterprise Services Repository and Integration Builder Directory.
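To make the "missing authorization check" class concrete, here is an added example (not code from the original post or from SAP) of an RFC-enabled function module before and after the kind of check a Security Note in this category typically delivers. The function names starting with Z_, the function group ZFIN and the table type ZFIN_BKPF_TT are hypothetical; BKPF, the authorization object F_BKPF_BUK and its fields BUKRS/ACTVT are standard SAP objects. Each FUNCTION would normally live in its own include of the function group.

```abap
" --- Before: no authorization object is checked. Any user who holds S_RFC
"     for function group ZFIN can call this remotely and read the postings
"     of every company code, whatever their FI authorizations are.
FUNCTION z_fin_read_postings_v1.
*"  IMPORTING
*"     VALUE(iv_bukrs) TYPE bukrs
*"  EXPORTING
*"     VALUE(et_postings) TYPE zfin_bkpf_tt   " hypothetical table type of BKPF
  SELECT * FROM bkpf INTO TABLE et_postings
    WHERE bukrs = iv_bukrs.
ENDFUNCTION.

" --- After: the check a correction instruction would add. AUTHORITY-CHECK
"     runs in the calling user's context, so it also covers RFC callers.
FUNCTION z_fin_read_postings_v2.
*"  IMPORTING
*"     VALUE(iv_bukrs) TYPE bukrs
*"  EXPORTING
*"     VALUE(et_postings) TYPE zfin_bkkpf_tt
*"  EXCEPTIONS
*"     not_authorized
  " F_BKPF_BUK: company-code authorization for accounting documents.
  " Activity 03 = display. Both the company code and the activity must
  " match a value the user's roles grant.
  AUTHORITY-CHECK OBJECT 'F_BKPF_BUK'
    ID 'BUKRS' FIELD iv_bukrs
    ID 'ACTVT' FIELD '03'.
  IF sy-subrc <> 0.
    " Fail closed: return no data and raise a classic exception that the
    " RFC caller receives. The failed check is also recorded for the user
    " and can be reviewed with SU53 or an ST01 authorization trace.
    CLEAR et_postings.
    RAISE not_authorized.
  ENDIF.

  SELECT * FROM bkpf INTO TABLE et_postings
    WHERE bukrs = iv_bukrs.
ENDFUNCTION.
```

The point to carry over to a review of your own custom RFC functions and reports: S_RFC only governs whether a user may call into a function group at all; the data or action behind the call needs its own AUTHORITY-CHECK on the relevant object, and the check must inspect sy-subrc and stop on failure rather than merely log it.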
Other Attack Vectors
- Unauthenticated Cross Site Scripting in the NetWeaver Business Client (the affected class was CL_NWBC_TEST HANDLE_TESTCANVAS)
- Cross Site Request Forgery, Path traversal and Information disclosure issues were fixed in SAP Portal Site Management
- Potential stored Cross Site Scripting in class FILTER_DOCUMENT_CONTENT
- ABAP code injection in RFC function RSDRD_BUILD_REPORT_FOR_BATCH
- Unauthenticated Cross Site Scripting in Business Objects
- Unauthenticated Cross Site Scripting in Web Admin Console of ICM and SAP Web Dispatcher
- Cross Site Request Forgery in MSON application
- Unauthenticated Cross Site Scripting in CA-WUI-UI-TAG
- Unauthenticated Cross Site Scripting in ESR application
- Cross Site Scripting in XI_TOOLS
- SQL injection vulnerability reported in RFC function RSDU_TABLE_INDEX_CHECKER_HDB. (CORRECTION – Jan 21st: This RFC was misplaced into the Missing Authorization Check section on the original post)
Information disclosure issues were fixed in:
- Solution Manager
- SOLMAN Diagnostics
- Integration Builder Directory
- Enterprise Services Repository
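Two of the items above, the SQL injection and the ABAP code injection in RFC functions, share a root cause: caller-supplied input is pasted into a dynamically built Open SQL clause or program fragment. The following added example (not code from the original post or from SAP) shows a dynamic WHERE clause built the unsafe way and the hardened form using the standard class CL_ABAP_DYN_PRG. The function names starting with Z_, the table ZLOG and the table type ZLOG_TT are hypothetical; CL_ABAP_DYN_PRG, its methods QUOTE and CHECK_WHITELIST_STR, and the exception class CX_ABAP_NOT_IN_WHITELIST are standard SAP objects.

```abap
" --- Vulnerable: the caller's strings are concatenated straight into the
"     WHERE clause. A value containing a single quote, or a column name the
"     author never intended, changes the query that reaches the database.
FUNCTION z_log_search_v1.
*"  IMPORTING
*"     VALUE(iv_column) TYPE string
*"     VALUE(iv_value)  TYPE string
*"  EXPORTING
*"     VALUE(et_rows)   TYPE zlog_tt   " hypothetical table type of ZLOG
  DATA lv_where TYPE string.
  lv_where = |{ iv_column } = '{ iv_value }'|.
  SELECT * FROM zlog INTO TABLE et_rows WHERE (lv_where).
ENDFUNCTION.

" --- Hardened: every dynamic token is either validated against a fixed
"     list (column names) or quoted so it can only ever be a literal (values).
FUNCTION z_log_search_v2.
*"  IMPORTING
*"     VALUE(iv_column) TYPE string
*"     VALUE(iv_value)  TYPE string
*"  EXPORTING
*"     VALUE(et_rows)   TYPE zlog_tt
*"  EXCEPTIONS
*"     invalid_column
  DATA lv_column TYPE string.
  DATA lv_quoted TYPE string.
  DATA lv_where  TYPE string.

  " 1. Identifiers cannot be quoted, so they must be whitelisted. Only the
  "    columns this search is meant to expose are accepted; anything else
  "    raises CX_ABAP_NOT_IN_WHITELIST, which we turn into a classic
  "    exception for the RFC caller.
  TRY.
      lv_column = cl_abap_dyn_prg=>check_whitelist_str(
                    val       = iv_column
                    whitelist = 'UNAME,TCODE,PROGRAM' ).
    CATCH cx_abap_not_in_whitelist.
      CLEAR et_rows.
      RAISE invalid_column.
  ENDTRY.

  " 2. Values are wrapped by QUOTE: embedded single quotes are doubled and
  "    the result is enclosed in quotes, so the whole input is one literal
  "    and cannot terminate or extend the clause.
  lv_quoted = cl_abap_dyn_prg=>quote( iv_value ).

  lv_where = |{ lv_column } = { lv_quoted }|.
  SELECT * FROM zlog INTO TABLE et_rows WHERE (lv_where).
ENDFUNCTION.
```

Where the clause does not truly need to be dynamic, the better fix is to drop the dynamic token entirely and write `WHERE uname = iv_value`, which lets the kernel pass the value as a host variable that is never interpreted as SQL. The same validate-or-quote rule applies to any input that ends up in GENERATE SUBROUTINE POOL or INSERT REPORT, which is the path by which an RFC function becomes an ABAP code injection; CL_ABAP_DYN_PRG offers the corresponding check methods for those cases too.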
Each month Onapsis updates our flagship product, Onapsis X1, so you can check whether your systems are up to date with these latest SAP Security Notes and configured with an appropriate level of security.
Stay tuned for next month’s Security Notes analysis from Onapsis Research Labs.