This week, SAP AG published a hot news item titled “SAP Security Note 2067859 (Potential Exposure to Digital Signature Spoofing)”, which alerts users to a potential vulnerability in certain cryptographic libraries used in SAP NetWeaver Application Server ABAP and SAP HANA. By abusing these libraries, an attacker could potentially spoof digital signatures produced in vulnerable systems (i.e., successfully masquerade as a legitimate user).
To ensure your SAP systems are not vulnerable, check that your crypto library versions are equal to or higher than:
- SAPCRYPTOLIB version 5.555.38
- CommonCryptoLib version 8.4.30
SAPSECULIB has been deprecated, and must be replaced by the latest SAPCRYPTOLIB version.
Stack kernel 720 PL#700 already ships with the fixed CommonCryptoLib.
Note: As stated in the SAP Security Note 2067859, you should replace the DSA PSEs on all the involved SAP NetWeaver Application Server ABAP and SAP HANA systems. Also, remember to replace the system public keys in their signature trusting systems as an additional security measure.
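The version check above is easy to get wrong by hand: a plain string comparison ranks "5.555.4" above "5.555.38". The following is an added example (not part of the original post, nor SAP's or Onapsis' code) that compares an inventory of library versions numerically against the minimums quoted above and flags deprecated SAPSECULIB installations. The inventory format and the system IDs are constructed for the example; how you collect the installed versions from your landscape is up to you.

```python
import re
from typing import Dict, List, Tuple

# Minimum fixed versions as quoted from SAP Security Note 2067859 in the post.
MINIMUM_VERSIONS: Dict[str, str] = {
    "SAPCRYPTOLIB": "5.555.38",
    "COMMONCRYPTOLIB": "8.4.30",
}

# Libraries the note says must be replaced regardless of their version.
DEPRECATED = {"SAPSECULIB"}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '5.555.38' into (5, 555, 38) so comparisons are numeric.

    A lexicographic comparison would wrongly rank '5.555.4' above '5.555.38'.
    """
    parts = re.findall(r"\d+", version)
    if not parts:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(p) for p in parts)


def version_at_least(actual: str, required: str) -> bool:
    """True when `actual` is the same as or newer than `required`."""
    a, r = parse_version(actual), parse_version(required)
    # Pad the shorter tuple with zeros so '8.5' compares as '8.5.0'.
    n = max(len(a), len(r))
    return a + (0,) * (n - len(a)) >= r + (0,) * (n - len(r))


def assess(inventory: List[Tuple[str, str, str]]) -> Dict[str, str]:
    """Map each (system id, library, version) entry to a verdict string."""
    verdicts: Dict[str, str] = {}
    for sid, lib, ver in inventory:
        key = lib.upper()
        if key in DEPRECATED:
            verdicts[sid] = f"REPLACE: {lib} is deprecated; install the latest SAPCRYPTOLIB"
        elif key in MINIMUM_VERSIONS:
            required = MINIMUM_VERSIONS[key]
            if version_at_least(ver, required):
                verdicts[sid] = "OK"
            else:
                verdicts[sid] = f"VULNERABLE: {lib} {ver} is older than {required}"
        else:
            verdicts[sid] = f"UNKNOWN: {lib} is not covered by this check; review manually"
    return verdicts


# Constructed sample inventory (system IDs and versions are made up for the example).
SAMPLE_INVENTORY: List[Tuple[str, str, str]] = [
    ("PRD", "CommonCryptoLib", "8.4.30"),
    ("QAS", "CommonCryptoLib", "8.4.12"),
    ("DEV", "SAPCRYPTOLIB", "5.555.4"),   # sorts above 5.555.38 as a string, but is older
    ("HRP", "SAPSECULIB", "5.4.31"),
]

if __name__ == "__main__":
    for sid, verdict in assess(SAMPLE_INVENTORY).items():
        print(f"{sid}: {verdict}")
```

A system that reports "OK" here still needs the DSA PSEs replaced as the note describes; the check only tells you whether the library itself is at a fixed level.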
CVSS distribution - SAP Security Notes December 2013
SAP is a complex and ever-evolving implementation, whether through changes introduced to your SAP landscape to better serve the business or through newly disclosed vulnerabilities targeting SAP products. In order to provide a predictable and scheduled flow of security, vulnerability and mitigation information, SAP releases its latest Notes and security information regarding its products on the second Tuesday of every month. Because of this regular disclosure of new issues that could potentially weaken an organization's security, SAP security assessments should be carried out on a regular basis. In order to ensure our customers are testing for all the published vulnerabilities in their SAP implementations, we perform a detailed analysis of the monthly SAP Security Notes as soon as they are published.
To date this has been a service we have carried out quietly on behalf of our customers. However, due to wider requests for a better understanding of the information being published by SAP, this will be the first in a monthly series of posts that summarize and explain the analysis we perform in order to promptly update our products with the latest security checks.
In December we analyzed a total of 35 SAP Security Notes. Notes 1926485, 1913554 and 1911523 were reported by Sergio Abraham, from Onapsis Research Labs.
In previous posts we have already presented a variety of approaches to SAP security assessment. Today we will address a more complex path an attacker might follow. In order to understand what is going on, we must first dive deeper into some SAP concepts and components.
The SAP Gateway is a component present in every SAP instance. As we discussed in a previous post, it is responsible for managing RFC connections between the SAP instance where it is running and other instances or external servers (such as government regulation agencies, payment processors, SWIFT connectors, etc.). All RFC calls go through the SAP Gateway.
In order to receive connections and potentially communicate with an SAP Instance, an external server must register itself with the SAP Gateway (becoming what we will call an external registered server). Once registered, communication between the SAP instance and the external server will flow smoothly over the SAP RFC protocol.
The SAP Management Console (SAP MC) is the centralized system management component. It allows you to monitor and control each SAP instance, display log and trace files, profiles and other parameters. You can also monitor system alerts and deep information about memory usage and processes in the system (e.g. Java VM® garbage collection and heap memory).
In this post we will be running bizploit modules; if you are not familiar with the bizploit framework, consider reading this introductory post first.
MC Assessment #1: Getting Password Policies
As seen in the figure below, it is possible to run the mcParameterValue exploit in order to retrieve all profile parameters. Keep in mind that, to figure out the vulnerability id, you should list all the exploits under the exploit option and check the Exploitable Vulnerabilities column for the mcParameterValue row. We'll use this module in order to discover the SAP password policies being used.
Getting all profile parameters with Bizploit.
In order to look for the password policy parameters among the roughly 1600 profile parameters, we need to find those starting with login/. We open the file saved by Bizploit and the parameters can be found there. Below we list some of the retrieved password policy parameters:
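As an added example (not part of the original post, and not Bizploit's code), the following script does the filtering step described above over a constructed parameter export and then reviews the login/ values against a baseline. The "name = value" line format, the sample values and the baseline thresholds are all assumptions of this example, chosen to illustrate the review; they are not the parameters retrieved in the post and not SAP's recommended values.

```python
from typing import Dict, List, Tuple

# Assumed export format: one 'name = value' line per profile parameter.
# This is an assumption of the example, not the layout of the file Bizploit writes.
def parse_parameter_dump(text: str) -> Dict[str, str]:
    params: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, _, value = line.partition("=")
        params[name.strip()] = value.strip()
    return params


def login_parameters(params: Dict[str, str]) -> Dict[str, str]:
    """Keep only the password-policy family: names starting with 'login/'."""
    return {k: v for k, v in params.items() if k.startswith("login/")}


# Baseline for this example: (threshold, comparison mode). Thresholds are illustrative.
BASELINE: Dict[str, Tuple[int, str]] = {
    "login/min_password_lng": (8, ">="),
    "login/min_password_digits": (1, ">="),
    "login/min_password_letters": (1, ">="),
    "login/min_password_specials": (1, ">="),
    "login/fails_to_user_lock": (5, "<="),           # lock after at most this many failures
    "login/password_expiration_time": (90, "range"),  # 1..90 days; 0 means passwords never expire
    "login/no_automatic_user_sapstar": (1, "=="),
}


def check_policy(params: Dict[str, str]) -> List[str]:
    """Return one finding per baseline parameter that is missing or outside the baseline."""
    findings: List[str] = []
    for name, (threshold, mode) in BASELINE.items():
        raw = params.get(name)
        if raw is None:
            findings.append(f"{name}: not set (kernel default applies)")
            continue
        try:
            value = int(raw)
        except ValueError:
            findings.append(f"{name}: non-numeric value {raw!r}")
            continue
        if mode == ">=" and value < threshold:
            findings.append(f"{name}: {value} is below the baseline minimum {threshold}")
        elif mode == "<=" and value > threshold:
            findings.append(f"{name}: {value} exceeds the baseline maximum {threshold}")
        elif mode == "range" and not (1 <= value <= threshold):
            findings.append(f"{name}: {value} is outside 1..{threshold} (0 = never expires)")
        elif mode == "==" and value != threshold:
            findings.append(f"{name}: {value} should be {threshold}")
    return findings


# Constructed sample export (not from a real system); only a handful of the
# parameters a real dump would contain, mixing login/ and unrelated ones.
SAMPLE_DUMP = """
# constructed profile parameter export
SAPSYSTEMNAME = PRD
rdisp/wp_no_dia = 10
login/min_password_lng = 6
login/min_password_digits = 0
login/min_password_letters = 1
login/fails_to_user_lock = 12
login/password_expiration_time = 0
login/no_automatic_user_sapstar = 1
login/password_downwards_compatibility = 1
gw/acl_mode = 0
"""

if __name__ == "__main__":
    policy = login_parameters(parse_parameter_dump(SAMPLE_DUMP))
    for name, value in sorted(policy.items()):
        print(f"{name} = {value}")
    for finding in check_policy(policy):
        print("FINDING:", finding)
```

The parameter names used in the baseline are real SAP login/ parameters, but which values are acceptable depends on your own policy; adjust the BASELINE table before running this against a real export.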