Analyzing SAP Security Notes December 2014 Edition

High-profile risk threats identified by Onapsis Research Labs experts reveals that unauthorized users could access business-critical applications leveraging SAP BusinessObjects

SAP is a complex and ever changing system, whether because of changes introduced to your SAP implementation to better suit your business or through the application of Security Notes (Patches) to ensure that newly disclosed vulnerabilities are mitigated.

In order to provide a predictable and scheduled flow of vulnerability mitigation information and security patches, SAP releases the major part of their latest Security Notes information on the second Tuesday of every month. Due to this regular disclosure of new security issues that could potentially weaken the security of SAP systems within an organization, it’s highly recommended to carry out periodic assessments on a monthly basis at least.

At Onapsis we are very concerned about our client’s SAP system security and also the state of SAP security in general, so to assist our customers, we perform a detailed analysis of the monthly SAP Security Notes as soon as they are published. The goal of this is to provide SAP clients with detailed information about the newly released notes and vulnerabilities affecting their SAP systems and help guide their testing of these systems within their organization.

Between the last published SAP Security Tuesday and today, there were 28 SAP Security notes published by SAP (taking into account 3 Support Packages and 25 Patch Day Notes).

The plot graph illustrates the distribution of CVSS scores across the Security Notes released in December. The only notes taken into account to build it, were the ones to which SAP set a CVSS (14 out of the 28 SAP Security Notes). As you may observe in the graph, the SAP Security Notes this month have a range of values from 1.5 to 7.5 with a median of 3.9.

Continue reading

Share Button

Analyzing SAP Security Notes November 2014 Edition

SAP is a complex and ever changing system, whether because of changes introduced to your SAP implementation to better suit your business or through the application of Security Notes (Patches) to ensure that newly disclosed vulnerabilities are mitigated.

In order to provide a predictable and scheduled flow of vulnerability mitigation information and security patches, SAP releases the major part of their latest Security Notes information on the second Tuesday of every month. Due to this regular disclosure of new security issues that could potentially weaken the security of SAP systems within an organization, it’s highly recommended to carry out periodic assessments on a monthly basis at least.

At Onapsis we are very concerned about our client’s SAP system security and also the state of SAP security in general, so to assist our customers, we perform a detailed analysis of the monthly SAP Security Notes as soon as they are published. The goal of this is to provide SAP clients with detailed information about the newly released notes and vulnerabilities affecting their SAP systems and help guide their testing of these systems within their organization.

box-plot-November-2014This month, SAP published an unusually quantity of SAP Security Notes: 86 Security Notes (taking into account 65 Support Packages and 21 Patch Day Notes). It was mostly due to a new feature which enhance the security management of RFC Functions and fixes to missing authority check vulnerabilities.

The plot graph illustrates the distribution of CVSS scores across the Security Notes released in November. The only notes taken into account to make it, where the ones to which SAP set a CVSS (14 out of the 86 SAP Security Notes). As you may observe in the graph, the SAP Security Notes this month have a range of values from 3.5 to 10.0 with a median of 6.

Continue reading

Share Button

Analyzing SAP Security Notes October 2014 Edition

UPDATE (November 4, 2014): Note 2043404 has been rereleased with an updated priority. The priority was increased from medium to very high. The new CVSS for this Note is 9.3 (AV:N/AC:M/AU:N/C:C/I:C/A:C)

SAP is a complex and ever-changing system. Between changes introduced to SAP implementation to improve your business, and the application of Security Notes (Patches) to ensure mitigation of newly disclosed vulnerabilities, SAP is constantly evolving.

In order to provide a scheduled flow of vulnerability mitigation information and security patches, SAP releases the majority of new Security Notes on the second Tuesday of each month. Due to this regular disclosure of security alerts warning against potentially harmful issues, it is highly recommended to carry out periodic assessments on a monthly basis (at minimum) to ensure that existing security on your SAP systems does not become weakened.

At Onapsis, we’re very concerned about our client’s SAP system security, as well as the state of SAP security in general. In order to best assist our customers, we perform a detailed analysis of the monthly SAP Security Notes as soon as they are published. The goal of this is to provide SAP clients with comprehensive information about the newly released notes and vulnerabilities affecting SAP systems, and to help guide testing of these systems within their organization.

This month 34 SAP Security Notes were published by SAP (taking into account 11 Support Packages and 23 Patch Day Notes). Additionally, there were changes on how SAP communicates vulnerabilities reported by external security researchers, as it previously wasn’t clear which were externally reported.

Five of the vulnerabilities fixed this month were discovered by members of the Onapsis Research Labs:

Here you have a plot graph illustrating the distribution of CVSS scores of the Security Notes released in October. The only notes taken into account where the ones for which SAP set a CVSS (19 out of the 34 SAP Security Notes). As you may observe in the graph, the SAP Security Notes this month have a range of values from 4.3 to 7.5 with a median of 6.4. Continue reading

Share Button

Analyzing SAP Security Notes September 2014 Edition

SAP is a complex and ever changing system, whether because of changes introduced to your SAP implementation to better suit your business or through the application of Security Notes (Patches) to ensure that newly disclosed vulnerabilities are mitigated.

In order to provide a predictable and scheduled flow of vulnerability mitigation information and security patches, SAP releases the major part of their latest Security Notes information on the second Tuesday of every month. Due to this regular disclosure of new security issues that could potentially weaken the security of SAP systems within an organization, it’s highly recommended to carry out periodic assessments on a monthly basis at least.

At Onapsis we are very concerned about our client’s SAP system security and also the state of SAP security in general, so to assist our customers, we perform a detailed analysis of the monthly SAP Security Notes as soon as they are published. The goal of this is to provide SAP clients with detailed information about the newly released notes and vulnerabilities affecting their SAP systems and help guide their testing of these systems within their organization.

This month, 29 SAP Security Notes were published by SAP (taking into account 3 Support Packages and 26 Patch Day Notes). There were ten notes reported by external researchers, of the ten Onapsis Research Labs reported two of them.

  • 2039905 by Juan Pablo Perez Etchegoyen and Will Vandevanter
  • 1979454 by Pablo Muller

Here you have a plot graph illustrating the distribution of CVSS scores across the Security Notes released in September. The only notes taken into account were the ones for which SAP calculated a CVSS score (19 out of the 29 SAP Security Notes). As you may observe in the graph, the SAP Security Notes this month had a range of values from 2.1 to 6.5 with a median of 5.0.

Continue reading

Share Button

Analyzing SAP Security Notes August 2014 Edition

SAP is a complex and ever changing system, whether because of changes introduced to your SAP implementation to better suit your business or applying Security Notes (Patches) to ensure that newly disclosed vulnerabilities are mitigated.

In order to provide a predictable and scheduled flow of vulnerability mitigation and security patches SAP releases their latest Security Notes information the second Tuesday of every month. Due to this regular disclosure of new security issues that could potentially weaken the security of SAP systems within an organization, it is highly recommended to carry out periodic assessments on a monthly basis at least.

At Onapsis we are very concerned about not only our client’s SAP systems security but the state of SAP security in general, so, to assist SAP’s customers, we perform a detailed analysis of the monthly SAP Security Notes as soon as they are published. The goal of this effort is to provide SAP clients with detailed information about the newly released notes and vulnerabilities affecting their SAP systems and help guide their testing of these systems within their organization.

37 Security Notes were published by SAP this month (29 Patch Day and 8 Support Package Notes).

 

The box-plot graph, located on the left side, illustrates the distribution of CVSS scores across the Security Notes released by SAP.
The CVSS Score median is near 6.0 with three notes exceeding the CVSS scoring of 8.0 (their values are 8.5, 8.7 and 8.8). Regardless of the criticality of each note, at Onapsis Research Laboratory we have analyzed the technical impact of all the published notes.

Hot News
The note 2044175 was released as hot news. This Security Note fixes certain authentication controls for APIs of the Afaria Server that don’t authenticate incoming devices properly.
Share Button

Analyzing SAP Security Notes June 2014 Edition

SAP is a complex and ever changing system, whether because of changes introduced to  your SAP implementation to better suit your business or through the application of Security Notes (Patches) to ensure that newly disclosed vulnerabilities are mitigated.

In order to provide a predictable and scheduled flow of vulnerability mitigation information and security patches, SAP releases their latest Security Notes information on the second Tuesday of every month. Due to this regular disclosure of new security issues that could potentially weaken the security of SAP systems within an organization, it’s highly recommended to carry out periodic assessments on a monthly basis at least.

At Onapsis we are very concerned about our client’s SAP system security and also the state of SAP security in general, so to assist our customers, we perform a detailed analysis of the monthly SAP Security Notes as soon as they are published. The goal of this is to provide SAP clients with detailed information about the newly released notes and vulnerabilities affecting their SAP systems and help guide their testing of these systems within their organization.

This month 21 SAP Security Notes were published by SAP (3 Support Packages and 18 Patch Day Notes). Of the ten notes reported by external researchers, Onapsis Research Labs reported six (from those notes, the 2001106 involved a remote unauthenticated Denial of Service which affects SAP Business Objects, and 2015446 a Code Injection vulnerability in SAP HANA Web Development Workbench, both discovered by Will Vandevanter). Continue reading

Share Button

Analyzing SAP Security Notes May 2014 Edition

SAP is a complex and ever changing system, whether because of changes introduced to your SAP implementation to better suit your business or through the application of Security Notes (Patches) to ensure that newly disclosed vulnerabilities are mitigated.

In order to provide a predictable and scheduled flow of vulnerability mitigation information and security patches, SAP releases their latest Security Notes information on the second Tuesday of every month. Due to this regular disclosure of new security issues that could potentially weaken the security of SAP systems within an organization, it’s highly recommended to carry out periodic assessments on a monthly basis at least.

At Onapsis we are very concerned about our client’s SAP system security and also the state of SAP security in general, so to assist our customers, we perform a detailed analysis of the monthly SAP Security Notes as soon as they are published. The goal of this is to provide SAP clients with detailed information about the newly released notes and vulnerabilities affecting their SAP systems and help guide their testing of these systems within their organization.

This month 17 Security Notes were published by SAP (taking into account 1 Support Package Note and 16 Patch Day Notes). There were four notes reported by external researchers, Onapsis Research Labs reported 1 of the four notes (2009696) a XSS vulnerability in SAP HANA by Will Vandevanter.

Continue reading

Share Button

Assessing HANA Systems Against the SAP HANA Security Guide

SAP takes their responsibility to help their customers be secure seriously. They have released the SAP HANA Security Guide to help their customers deploy HANA in a secure way. SAP Security Guides are nothing new, they help define a minimum benchmark of a securely deployed SAP system.

For those tasked with assessing a SAP HANA (or ABAP) system and determining the complete risk the system represents to the business, they know that just performing a SoD check is not enough (and for those that don’t the list of security guides from SAP and this blog should help explain why). SAP states that “[these] security guides provide information that is relevant for all lifecycle phases”. When auditing or assessing these SAP systems, and HANA in particular a logical place to start is to compare the system against SAP’s own security recommendations and benchmarks for HANA.

The SAP HANA Security Guide provides those minimum security recommendations. At 102 pages, the guide provides a lot of detailed information about the SAP HANA solution, common deployment scenarios and an overview of the communication paths used within a SAP HANA deployment and how they should be secured. This is further broken out into the following areas:

  • SAP HANA User and Role Management
  • SAP HANA Authentication and Single-Sign On
  • SAP HANA Authorization
  • SAP HANA Data Storage Security
  • Auditing Activity in SAP HANA Systems
  • Security Risks of Trace and Dump Files
  • SAP HANA Additional Components
  • Security for SAP HANA Data Provisioning Technologies
  • Security Reference Information

Continue reading

Share Button

Implementing Layered Security for SAP

Since the Sarbanes-Oxley (SOX) Act passed in 2002, an organizations’ emphasis on their internal controls and risk management has increased significantly. United States Federal Law set new standards for all publicly traded US company’s boards, management and for public accounting firms. As a result of SOX, top management of these companies must individually certify the accuracy of their reported financial information.

Different software has been developed in order to meet these new requirements. One of the most famous is the module designed by SAP, known as SAP GRC Access Control. The driving idea behind this Security module is to ensure segregation of duties (SoD), by defining an SoD Matrix and allowing risk analysis reports to be periodically generated. It also helps organizations detect if they have Super User accounts in Production Systems, a finding usually flagged during any traditional audit as this violation implies there is no controlled environment for the use of emergency users. The SAP GRC Access Control module ties into workflows for creating new users or modifying existing users, allowing the workflow to interact with the SoD Matrix and alerting administrators if they are granting accesses that would represent an SoD conflict as they grant that access. Finally, the design and configuration of users’ roles can be broken out into several approval steps. This means that risk analysis can also be made at the role level.

Continue reading

Share Button

Analyzing SAP Security Notes April 2014 Edition

SAP is a complex and ever changing system, whether because of changes introduced to your SAP implementation to better suit your business or through the application of Security Notes (Patches) to ensure that newly disclosed vulnerabilities are mitigated.

In order to provide a predictable and scheduled flow of vulnerability mitigation information and security patches, SAP releases their latest Security Notes information on the second Tuesday of every month. Due to this regular disclosure of new security issues that could potentially weaken the security of SAP systems within an organization, it’s highly recommended to carry out periodic assessments on a monthly basis at least.

At Onapsis we are very concerned about our client’s SAP system security and also the state of SAP security in general, so to assist our customers, we perform a detailed analysis of the monthly SAP Security Notes as soon as they are published. The goal of this is to provide SAP clients with detailed information about the newly released notes and vulnerabilities affecting their SAP systems and help guide their testing of these systems within their organization.

This month 23 Security Notes were published by SAP (taking into account the 5 Support Package Notes and the 18 Patch Day Notes). Onapsis Research Labs reported 4 of the 18  Patch Day Notes:CVSS distribution for the Security Notes released in April 2014

  • 1778940 by Nahuel D. Sánchez
  • 1974016 by Nahuel D. Sánchez
  • 1993349 by Will Vandevanter
  • 1929473 by Sergio Abraham

We have generated a plot graph illustrating the distribution of CVSS scores across the Security Notes released in April. 15 out of the 23 SAP Security Notes were assigned a CVSS number by SAP. As you may observe in the graph, the SAP Security Notes this month have a range of values from 2.6 to 6.0 with a median of 4.9.

Continue reading

Share Button