Oracle CPU – January 2015 Focus on Business Applications

As a company, Onapsis is focused on the security of business-critical applications such as SAP and Oracle. While our focus has been on SAP applications, we have also been actively researching, identifying and reporting critical vulnerabilities facing Oracle business applications. In this sense, Oracle is different from SAP, specifically in the way and timing that security patches are released and available to end users.

In this post, I will go through an analysis of Oracle’s January 2015 Critical Patch Update (aka CPU). The goal is to provide Oracle customers with detailed information about the newly released vulnerabilities affecting their business critical applications, and to help them to better understand and prioritize the testing for vulnerabilities on these systems within their organization.

In January 2015, Oracle published 169 vulnerabilities affecting 48 different Oracle products. Oracle uses the Common Vulnerabilities and Exposures standard (CVE) to uniquely identify the vulnerability and Common Vulnerability Scoring System V2 (CVSS) to measure the risk implied by the vulnerability in terms of different aspects such as exploitability, complexity and impact, to name a few.

An important aspect of this month’s CPU is the fact that more than 59% of these vulnerabilities are affecting business-critical applications. This means that companies have to be aware of these vulnerabilities and take immediate actions to mitigate the risks implied by them.
Continue reading

Share Button

SAP and GHOST vulnerability (CVE-2015-0235)

UPDATE (02-04-2015): It is important to note that all SAP HANA Appliances are shipped by default with Operating Systems containing vulnerable versions of the library, therefore the base OS of the appliances must be updated. One example of this is the SAP HANA One hosted in Amazon AWS, as this image is delivered with the vulnerable library.

Last week a new vulnerability was reported, affecting the GNU C library (glibc). This vulnerability affects a wide range of Linux distributions, among which are some supported by SAP products as stated in SAP Note 171356.

It’s important to understand that even though this vulnerability does not directly affect any SAP application, it affects a lower layer, the operating system, allowing any application to potentially use the vulnerable function.

The following list details the OS that were reported as vulnerable and are supported by SAP, therefore there could be SAP applications running on top of the following vulnerable operating systems
Continue reading

Share Button

SAP Security Note 2067859 Potential Exposure to Digital Signature Spoofing

OVERVIEW

This week, SAP AG published a hot news item titled: “SAP Security Note 2067859 (Potential Exposure to Digital Signature Spoofing)”, which alerts users about a potential vulnerability in certain cryptographic libraries used in SAP NetWeaver Application Server ABAP and SAP HANA. By abusing these libraries, an attacker could potentially spoof (i.e., successfully masquerade as a legitimate user) Digital Signatures produced in vulnerable systems.

To ensure your SAP systems are not vulnerable, you should check that your crypto libraries versions are equal or higher than:

  • SAPCRYPTOLIB version 5.555.38
  • CommonCryptoLib version 8.4.30

Furthermore:
SAPSECULIB has been deprecated, and must be replaced by the latest SAPCRYPTOLIB version.

Stack kernel 720 PL#700 already comes with the fixed CommonCryptoLib

Note: As stated in the SAP Security Note 2067859, you should replace the DSA PSEs on all the involved SAP NetWeaver Application Server ABAP and SAP HANA systems. Also, remember to replace the system public keys in their signature trusting systems as an additional security measure.

Continue reading

Share Button

Latest SAP Security Vulnerabilities – Including an SAP CVSS 10

In this post, I’ll cover some of the latest vulnerabilities reported to SAP by Onapsis and published last week.

Last week we released advisories regarding several vulnerabilities affecting SAP platforms. Some of these vulnerabilities are in fact very critical, and their exploitation could lead to a full-compromise of the entire SAP implementation – even by completely anonymous attackers. Following our responsible disclosure policy, SAP released the relevant SAP Security Notes (patches) for all these vulnerabilities a long time ago, so if you are an SAP customer make sure you have properly implemented them!

These are the advisories for the published vulnerabilities, along with a small description of the real business impact of an exploitation of the vulnerabilities:

By exploiting this vulnerability, a remote unauthenticated attacker might be able to access or modify all the business information processed by the ERP system. This would result in the total compromise of the SAP infrastructure.

By exploiting this vulnerability, a remote unauthenticated attacker might be able to access or modify all the business information processed by the ERP system. This would result in the total compromise of the SAP infrastructure.

By exploiting this vulnerability, a remote unauthenticated attacker might be able to access or modify all the business information processed by the ERP system. This would result in the total compromise of the SAP infrastructure.

By exploiting this vulnerability, an internal or external attacker would be able to perform attacks on the Organization’s users through weaknesses in the SAP system. Upon a successful exploitation, he would be able to obtain sensitive information from legitimate users through complex social engineering attacks and/or exploit vulnerabilities in their systems in order to take control of them.

By exploiting this vulnerability, an attacker would be able to perform a sabotage attack over the service used to deploy and change software components in the SAP AS Java. This would prevent legitimate developers and administrators from performing and maintain required business and technical activities.

By exploiting this vulnerability, an internal or external attacker would be able to perform attacks on the Organization’s users through weaknesses in the SAP system. Upon a successful exploitation, he would be able to obtain sensitive information from legitimate users through the exploitation of vulnerabilities in their systems.

We think it is a very important set of vulnerabilities, as one of them is the first vulnerability ever ranked by SAP with a CVSSv2 risk 10! Actually, Onapsis also reported the second vulnerability ranked with a CVSSv2 10, and this advisory will be released next month.

We are going to be demonstrating some of these vulnerabilities live in our upcoming posts and presentations.

Share Button