Analyzing SAP Security Notes March 2014 Edition

SAP is a complex and ever-changing system, whether because of changes introduced to your SAP implementation to better suit your business or because of Security Notes (patches) applied to ensure that newly disclosed vulnerabilities are mitigated.

In order to provide a predictable and scheduled flow of vulnerability mitigation and security patches, SAP releases its latest Security Notes information on the second Tuesday of every month. Because this regular disclosure of new security issues could weaken the security of the SAP systems within an organization, it is highly recommended to carry out periodic assessments at least on a monthly basis.

At Onapsis we are concerned not only about our clients’ SAP system security but about the state of SAP security in general, so to assist SAP’s customers we perform a detailed analysis of the monthly SAP Security Notes as soon as they are published. The goal is to provide SAP clients with detailed information about the newly released notes and the vulnerabilities affecting their SAP systems, and to help guide their testing of these systems within their organization.

This month 9 Security Notes were published by SAP. Onapsis Research Labs reported 2 of the issues that have been addressed by SAP:

    • 1963932 by Sergio Abraham and Manuel Muradas
    • 1964428 by Sergio Abraham

Distribution of CVSS scores across the Security Notes released in March.
Even though only a few Security Notes were published by SAP this month, it is still important to determine which of these notes affect your SAP systems and your critical business data and processes, either manually or by using Onapsis X1.

Regardless of how critical each note is, Onapsis Research Labs has analyzed the technical details of each note and we want to share some conclusions with you.

SAP Security Notes with higher CVSS

The most critical SAP Security Note to apply this month is 1965610, with a CVSS score of 7.5 (AV:N/AC:M/AU:S/C:P/I:P/A:C). This note fixes a vulnerability that allows a remote authenticated attacker to inject operating system commands and thereby interact with the underlying operating system supporting SAP.

SAP Security Note 1966056 also fixes a code injection vulnerability, in this case through a vulnerable ABAP report. SAP did not provide a CVSS score for this note.

SAP HANA Vulnerabilities

SAP HANA, short for “High-Performance Analytic Appliance”, is an in-memory, column-oriented, high-performance relational database management system developed by SAP AG. This month, SAP released 2 Security Notes based on vulnerability reports submitted by Onapsis (these are the first SAP HANA vulnerabilities reported to SAP by an external organization):

  • SAP Security Note 1963932 fixed missing encryption in a form-based authentication
  • SAP Security Note 1964428 fixed an authentication bypass vulnerability in public XS applications

Notes about Missing authorization check

This category covers SAP Security Notes 1963564, 1966896 and 1971238.

A missing authorization check means that an RFC function, ABAP report, or any other SAP program either does not validate against an authorization object at all or does not properly check the caller’s permissions. Vulnerabilities of this type are one of the main causes of unwanted information disclosure, so it is highly recommended to apply these notes.

An example of an affected ABAP report is LFBK0F21. Examples of affected RFC functions are RSEC_CLEAN_LOG and RSEC_USER_INTERFACE.
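To illustrate what a missing authorization check looks like in ABAP and how it is normally closed, here is an added example that is not from the original post or from SAP: a vendor bank-details report shown with its unchecked SELECT commented out and the AUTHORITY-CHECK that should guard it. The report name Z_VENDOR_BANK_LIST and the custom authorization object Z_VENDOR_BANK (with its fields ACTVT and LIFNR) are hypothetical names chosen for this illustration; the table LFBK and its fields are standard.

```abap
*&---------------------------------------------------------------------*
*& Added example (not from the original post or from SAP).
*& Z_VENDOR_BANK_LIST and the authorization object Z_VENDOR_BANK are
*& hypothetical names; LFBK is the standard vendor bank-details table.
*&---------------------------------------------------------------------*
REPORT z_vendor_bank_list.

PARAMETERS: p_lifnr TYPE lfbk-lifnr OBLIGATORY.

DATA: lt_lfbk TYPE STANDARD TABLE OF lfbk,
      ls_lfbk TYPE lfbk.

START-OF-SELECTION.

* --- Vulnerable form (missing authorization check) ---
* Any user able to start the report reads the vendor's bank details;
* nothing ties the read to an authorization object.
*  SELECT * FROM lfbk INTO TABLE lt_lfbk WHERE lifnr = p_lifnr.

* --- Hardened form: validate against an authorization object first ---
* ACTVT '03' = display; LIFNR restricts the check to the requested vendor.
  AUTHORITY-CHECK OBJECT 'Z_VENDOR_BANK'    " hypothetical custom object
           ID 'ACTVT' FIELD '03'
           ID 'LIFNR' FIELD p_lifnr.
  IF sy-subrc <> 0.
    " sy-subrc 0 means the user holds the authorization; any other value
    " (no authorization, object unknown to the user master) must deny.
    MESSAGE 'No authorization to display vendor bank details' TYPE 'E'.
  ENDIF.

* The read only happens once the check above has passed.
  SELECT * FROM lfbk INTO TABLE lt_lfbk WHERE lifnr = p_lifnr.

  LOOP AT lt_lfbk INTO ls_lfbk.
    WRITE: / ls_lfbk-lifnr, ls_lfbk-banks, ls_lfbk-bankl, ls_lfbk-bankn.
  ENDLOOP.
```

The same pattern applies to RFC-enabled function modules, where the check matters even more because the module can be invoked remotely rather than only through a transaction.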

Other notes

  • 1946420 – Potential false redirection of Web site content in SAP’s Supplier Relationship Management product
  • 1884678 – Potential directory traversals in SAP’s Business Process Change Analyzer product


The analysis of the notes was performed by Nahuel Sánchez and Emiliano Fausto.
