Analyzing SAP Security Notes April 2015 Edition

SAP is a complex and ever changing system, whether because of changes introduced to your SAP implementation to better suit your business, or through the application of Security Notes (Patches) to ensure that newly disclosed vulnerabilities are mitigated.

In order to provide a predictable and scheduled flow of vulnerability mitigation information and security patches, SAP releases the major part of their latest Security Notes information on the second Tuesday of every month. Due to this regular disclosure of new security issues that could potentially weaken the security of SAP systems within an organization, it’s highly recommended to carry out periodic assessments on a monthly basis at least.

At Onapsis we are very concerned about our clients' SAP system security and also the state of SAP security in general. To assist our customers, we perform a detailed analysis of the monthly SAP Security Notes as soon as they are published. The goal of this is to provide SAP clients with detailed information about the newly released notes and vulnerabilities affecting their SAP systems and help guide their testing of these systems within their organization.

Between the last published SAP Security Tuesday and today, there were 15 SAP Security notes published by SAP AG (taking into account 6 Support Packages and 9 Patch Day Notes). There were just three external security researchers mentioned this month. Two of them, Nahuel Sánchez and Fernando Russ, are from the Onapsis Research Labs. Together, they work with the rest of the Research team and SAP AG to help make SAP software more secure.

The plot graph illustrates the distribution of CVSS scores across the released Security Notes. The only notes taken into account were the ones to which SAP set a CVSS (5 out of the 15 SAP Security Notes). As it’s represented in the graph, the SAP Security Notes range values go from 3.6 to 5.8 with a median of 4.3.

The Evolving SAP Cyber-Security Landscape

Stephen Higgins, Senior Vice President of Customer Experience, Services and Solutions at Onapsis

$1.3 billion lost an hour! This is what one of our global customers estimates the impact to their business would be if their SAP systems became compromised and operations were disrupted. The cost of an SAP breach can be inconceivable. And yet, it may be one of the most under-scrutinized areas in IT security from a business continuity perspective. Every day our services team sees the real-world impact of breaches to organizations' SAP systems. With this in mind, our consensus is that it is imperative not only to be able to detect a potential attack, but to have a response plan in place in case an attack still occurs. Responding quickly is where many organizations reach out to Onapsis for expert advice.

What we see is that there is a tendency amongst organizations to think that once a year is enough to perform a security assessment of SAP systems. More often than not, it’s assumed that Segregation of Duties and/or basic perimeter defenses are enough to protect systems from intrusion, and that penetration tests are only a necessary evil – for when internal auditors are requesting an update. However, with the “Bad Guys” getting more intelligent about business-critical systems, their ability to exploit these systems is becoming more and more advanced.

If you’ve taken a look at major headlines recently, you’ve likely noticed the staggering number of corporations that have suffered large-scale data breaches. Many of these breaches were targeted at SAP and other business-critical applications. The impact of these breaches could have been minimized and potentially avoided had there been proper security measures in place for continuously monitoring their business-critical applications. As attacks of this nature will continue to evolve in complexity, it is absolutely imperative to have a preventative, systematic approach to SAP security in place in order to help your organization avoid interruptions to its business and avoid incurring huge financial liabilities.

Analyzing SAP Security Notes March 2015 Edition

SAP is a complex and ever changing system, whether because of changes introduced to your SAP implementation to better suit your business, or through the application of Security Notes (Patches) to ensure that newly disclosed vulnerabilities are mitigated.

In order to provide a predictable and scheduled flow of vulnerability mitigation information and security patches, SAP releases the major part of their latest Security Notes information on the second Tuesday of every month. Due to this regular disclosure of new security issues that could potentially weaken the security of SAP systems within an organization, it’s highly recommended to carry out periodic assessments on a monthly basis at minimum.

At Onapsis we are very concerned about our clients' SAP system security and also the state of SAP security in general. To assist our customers, we perform a detailed analysis of the monthly SAP Security Notes as soon as they are published. The goal of this is to provide SAP clients with detailed information about the newly released notes and vulnerabilities affecting their SAP systems and help guide their testing of these systems within their organization.

Between the last SAP Security Tuesday and today, there were 21 SAP Security notes published by SAP (taking into account 3 Support Packages and 18 Patch Day Notes). There were notes published by external security researchers, among which Onapsis Research Labs reported SAP Security Note 2122391 (by Sergio Abraham).

The plot graph illustrates the distribution of CVSS scores across the released Security Notes. The only notes taken into account were the ones to which SAP set a CVSS (16 out of the 21 SAP Security Notes). As represented in the graph, the SAP Security Notes values range from 3.5 to 6.8 with a median of 5.0.

Analyzing SAP Security Notes February 2015 Edition

SAP is a complex and ever changing system, whether because of changes introduced to SAP implementation to better suit the business, or through the application of Security Notes (Patches) to ensure that newly disclosed vulnerabilities are mitigated.

In order to provide a predictable and scheduled flow of vulnerability mitigation information and security patches, SAP releases the major part of their latest Security Notes information on the second Tuesday of every month. Due to this regular disclosure of new security issues that could potentially weaken the security of SAP systems within an organization, it’s highly recommended to carry out periodic assessments on a monthly basis at the very least.

At Onapsis, we are very concerned about our clients' SAP system security and the state of SAP security in general. To assist our customers, we perform a detailed analysis of the monthly SAP Security Notes as soon as they are published. The goal of this is to provide SAP clients with detailed information about the newly released notes and vulnerabilities affecting their SAP systems, and to help guide their testing of these systems within their organization.

On this Patch Day (second Tuesday of each month) SAP published 16 Security Notes (taking into account 2 Support Packages and 14 Patch Day Notes). There were notes published by external security researchers, among which Onapsis Research Labs reported SAP Security Note 2109818, discovered by security researchers Nahuel D. Sánchez and Fernando Russ.

The plot graph illustrates the distribution of CVSS scores across the Security Notes released. The only notes taken into account were the ones for which SAP set a CVSS (12 out of the 16 SAP Security Notes). As it’s represented in the graph, the SAP Security Notes range values go from 3.5 to 7.5 with a median of 5.25.

Analyzing SAP Security Notes January 2015 Edition

NEW NOTE (January 21, 2015): Note 2120370 has been released after the official SAP post of January 12th. The note extends security note 2001109, covering further affected releases (BI 4.1 SP04 & BI 3.1 Patch 6.5).
UPDATE (January 19, 2015): Note 1951171 has been re-released translated into English, since it was originally published in German.
NEW NOTE (January 14, 2015): Note 1964201 has been released after the official SAP post of January 12th. The note fixes a directory traversal in the INTRASTAT module.

SAP is a complex and ever changing system, whether because of changes introduced to SAP implementation to better suit the business, or through the application of Security Notes (Patches) to ensure that newly disclosed vulnerabilities are mitigated.

In order to provide a predictable and scheduled flow of vulnerability mitigation information and security patches, SAP releases the major part of their latest Security Notes information on the second Tuesday of every month. Due to this regular disclosure of new security issues that could potentially weaken the security of SAP systems within an organization, it’s highly recommended to carry out periodic assessments on a monthly basis at the very least.

At Onapsis we are very concerned about our clients' SAP system security and the state of SAP security in general. To assist our customers, we perform a detailed analysis of the monthly SAP Security Notes as soon as they are published. The goal of this is to provide SAP clients with detailed information about the newly released notes and vulnerabilities affecting their SAP systems, and to help guide their testing of these systems within their organization.

Box-plot image: January 2015

Between the last SAP Security Tuesday and the notes published in January, there were 19 SAP Security notes (taking into account 7 Support Packages and 12 Patch Day Notes). There were notes published by external security researchers, among which Onapsis Research Labs reported SAP Security Note 2109565 by researchers Sergio Abraham, Nahuel D. Sánchez and Fernando Russ.

The plot graph illustrates the distribution of CVSS scores across the Security Notes released. The only notes taken into account were the ones for which SAP set a CVSS (6 out of the 19 SAP Security Notes). As it’s represented in the graph, the SAP Security Notes range values go from 4.9 to 8.5 with a median of 6.0.

Analyzing SAP Security Notes December 2014 Edition

High-profile risk threats identified by Onapsis Research Labs experts reveal that unauthorized users could access business-critical applications leveraging SAP BusinessObjects

SAP is a complex and ever changing system, whether because of changes introduced to your SAP implementation to better suit your business or through the application of Security Notes (Patches) to ensure that newly disclosed vulnerabilities are mitigated.

In order to provide a predictable and scheduled flow of vulnerability mitigation information and security patches, SAP releases the major part of their latest Security Notes information on the second Tuesday of every month. Due to this regular disclosure of new security issues that could potentially weaken the security of SAP systems within an organization, it’s highly recommended to carry out periodic assessments on a monthly basis at least.

At Onapsis we are very concerned about our clients' SAP system security and also the state of SAP security in general, so to assist our customers, we perform a detailed analysis of the monthly SAP Security Notes as soon as they are published. The goal of this is to provide SAP clients with detailed information about the newly released notes and vulnerabilities affecting their SAP systems and help guide their testing of these systems within their organization.

Between the last published SAP Security Tuesday and today, there were 28 SAP Security notes published by SAP (taking into account 3 Support Packages and 25 Patch Day Notes).

The plot graph illustrates the distribution of CVSS scores across the Security Notes released in December. The only notes taken into account to build it were the ones to which SAP set a CVSS (14 out of the 28 SAP Security Notes). As you may observe in the graph, the SAP Security Notes this month have a range of values from 1.5 to 7.5 with a median of 3.9.

Analyzing SAP Security Notes November 2014 Edition

SAP is a complex and ever changing system, whether because of changes introduced to your SAP implementation to better suit your business or through the application of Security Notes (Patches) to ensure that newly disclosed vulnerabilities are mitigated.

In order to provide a predictable and scheduled flow of vulnerability mitigation information and security patches, SAP releases the major part of their latest Security Notes information on the second Tuesday of every month. Due to this regular disclosure of new security issues that could potentially weaken the security of SAP systems within an organization, it’s highly recommended to carry out periodic assessments on a monthly basis at least.

At Onapsis we are very concerned about our clients' SAP system security and also the state of SAP security in general, so to assist our customers, we perform a detailed analysis of the monthly SAP Security Notes as soon as they are published. The goal of this is to provide SAP clients with detailed information about the newly released notes and vulnerabilities affecting their SAP systems and help guide their testing of these systems within their organization.

Box-plot image: November 2014

This month, SAP published an unusually large quantity of SAP Security Notes: 86 Security Notes (taking into account 65 Support Packages and 21 Patch Day Notes). This was mostly due to a new feature which enhances the security management of RFC functions, and to fixes for missing authority check vulnerabilities.

The plot graph illustrates the distribution of CVSS scores across the Security Notes released in November. The only notes taken into account to build it were the ones to which SAP set a CVSS (14 out of the 86 SAP Security Notes). As you may observe in the graph, the SAP Security Notes this month have a range of values from 3.5 to 10.0 with a median of 6.

Analyzing SAP Security Notes October 2014 Edition

UPDATE (November 4, 2014): Note 2043404 has been re-released with an updated priority. The priority was increased from medium to very high. The new CVSS for this Note is 9.3 (AV:N/AC:M/AU:N/C:C/I:C/A:C).

SAP is a complex and ever-changing system. Between changes introduced to SAP implementation to improve your business, and the application of Security Notes (Patches) to ensure mitigation of newly disclosed vulnerabilities, SAP is constantly evolving.

In order to provide a scheduled flow of vulnerability mitigation information and security patches, SAP releases the majority of new Security Notes on the second Tuesday of each month. Due to this regular disclosure of security alerts warning against potentially harmful issues, it is highly recommended to carry out periodic assessments on a monthly basis (at minimum) to ensure that existing security on your SAP systems does not become weakened.

At Onapsis, we’re very concerned about our clients' SAP system security, as well as the state of SAP security in general. In order to best assist our customers, we perform a detailed analysis of the monthly SAP Security Notes as soon as they are published. The goal of this is to provide SAP clients with comprehensive information about the newly released notes and vulnerabilities affecting SAP systems, and to help guide testing of these systems within their organization.

This month 34 SAP Security Notes were published by SAP (taking into account 11 Support Packages and 23 Patch Day Notes). Additionally, there were changes on how SAP communicates vulnerabilities reported by external security researchers, as it previously wasn’t clear which were externally reported.

Five of the vulnerabilities fixed this month were discovered by members of the Onapsis Research Labs:

Here you have a plot graph illustrating the distribution of CVSS scores of the Security Notes released in October. The only notes taken into account were the ones for which SAP set a CVSS (19 out of the 34 SAP Security Notes). As you may observe in the graph, the SAP Security Notes this month have a range of values from 4.3 to 7.5 with a median of 6.4.

Analyzing SAP Security Notes September 2014 Edition

SAP is a complex and ever changing system, whether because of changes introduced to your SAP implementation to better suit your business or through the application of Security Notes (Patches) to ensure that newly disclosed vulnerabilities are mitigated.

In order to provide a predictable and scheduled flow of vulnerability mitigation information and security patches, SAP releases the major part of their latest Security Notes information on the second Tuesday of every month. Due to this regular disclosure of new security issues that could potentially weaken the security of SAP systems within an organization, it’s highly recommended to carry out periodic assessments on a monthly basis at least.

At Onapsis we are very concerned about our clients' SAP system security and also the state of SAP security in general, so to assist our customers, we perform a detailed analysis of the monthly SAP Security Notes as soon as they are published. The goal of this is to provide SAP clients with detailed information about the newly released notes and vulnerabilities affecting their SAP systems and help guide their testing of these systems within their organization.

This month, 29 SAP Security Notes were published by SAP (taking into account 3 Support Packages and 26 Patch Day Notes). Ten notes were reported by external researchers; of those ten, Onapsis Research Labs reported two:

  • 2039905 by Juan Pablo Perez Etchegoyen and Will Vandevanter
  • 1979454 by Pablo Muller

Here you have a plot graph illustrating the distribution of CVSS scores across the Security Notes released in September. The only notes taken into account were the ones for which SAP calculated a CVSS score (19 out of the 29 SAP Security Notes). As you may observe in the graph, the SAP Security Notes this month had a range of values from 2.1 to 6.5 with a median of 5.0.

Leveraging the Security Audit Log (SAL)

Hi! Today I was reviewing some events generated for the Security Audit Log and noticed an interesting behavior.

For those who are not familiar with it, the Security Audit Log (SAL) allows SAP security administrators to keep track (via a log) of the activities performed in their SAP systems. In a future post we will discuss how to enable and configure this logging.

By default the SAL facility logs the “Terminal Name” which is either the Terminal Name (defined by the computer which performed the logged action) or the IP address of the computer that is the source of events. The IP address is only logged if the source computer does not transmit a Terminal Name with its communications.

This behavior can be abused by an attacker, since filling in the Terminal Name value in an RFC call is a task performed by the caller (the user’s machine). Having the ability to manipulate the “Terminal Name” means the attacker could run attacks such as brute-force attempts while having each transaction appear to come from a different terminal. Taken even further, the attacker could set an IP address (or cycle through a set of IP addresses) as the Terminal Name, so that each request would appear to have originated from those IP addresses: in the logs it is not possible to distinguish between an IP address that was logged because no Terminal Name value was transmitted and an IP address that was logged because it was supplied as the Terminal Name.
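The defensive consequence of the behaviour above is that the terminal field cannot be trusted on its own, so detection logic should group by user rather than by terminal and should treat IP-shaped terminal values as ambiguous in provenance. The following is an added example written for this page, not Onapsis's or SAP's code; the record layout (timestamp, user, event, terminal) and the event names are assumptions, and the sample rows are constructed for illustration. It flags users whose failed logons within a short window span several distinct terminal names, and separately lists rows whose terminal value is syntactically an IP address so they can be cross-checked against network-level sources.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of audit records (not real SAL output; the field layout
# and event names are assumptions for this example).
# Each row: (timestamp, user, event, terminal-name-as-logged)
SAMPLE_RECORDS = [
    ("2015-04-14 09:00:01", "JDOE",    "LOGON_FAILED", "WS-FIN-042"),
    ("2015-04-14 09:00:03", "JDOE",    "LOGON_FAILED", "WS-FIN-043"),
    ("2015-04-14 09:00:05", "JDOE",    "LOGON_FAILED", "10.0.0.7"),
    ("2015-04-14 09:00:06", "JDOE",    "LOGON_FAILED", "10.0.0.8"),
    ("2015-04-14 09:00:08", "JDOE",    "LOGON_FAILED", "10.0.0.9"),
    ("2015-04-14 09:00:09", "JDOE",    "LOGON_OK",     "WS-FIN-042"),
    ("2015-04-14 09:15:00", "ASMITH",  "LOGON_FAILED", "WS-HR-001"),
    ("2015-04-14 09:15:30", "ASMITH",  "LOGON_OK",     "WS-HR-001"),
    ("2015-04-14 10:00:00", "BATCH01", "LOGON_OK",     "192.168.5.20"),
]


def parse_records(rows):
    """Turn the constructed tuples into dicts with a real datetime."""
    return [
        {
            "when": datetime.strptime(when, "%Y-%m-%d %H:%M:%S"),
            "user": user,
            "event": event,
            "terminal": terminal,
        }
        for when, user, event, terminal in rows
    ]


def looks_like_ip(terminal):
    """True when the logged terminal value parses as an IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(terminal)
        return True
    except ValueError:
        return False


def ip_shaped_terminals(records):
    """(user, terminal) pairs whose terminal field is syntactically an IP.

    The log alone cannot tell whether such a value is the fallback written
    when no Terminal Name was sent or a string supplied by the caller, so
    these rows are the ones to reconcile against network-level data.
    """
    return sorted(
        {(r["user"], r["terminal"]) for r in records if looks_like_ip(r["terminal"])}
    )


def terminal_churn(records, window=timedelta(seconds=60), min_terminals=3):
    """Users whose failed logons inside any `window` span >= `min_terminals`
    distinct terminal names. Returns {user: max distinct terminals seen}.

    Grouping by user first is deliberate: a per-terminal failure threshold
    never fires when every attempt claims a different terminal.
    """
    by_user = defaultdict(list)
    for r in records:
        if r["event"] == "LOGON_FAILED":
            by_user[r["user"]].append(r)

    hits = {}
    for user, rows in by_user.items():
        rows.sort(key=lambda r: r["when"])
        start = 0
        for end in range(len(rows)):
            # Sliding window: drop rows older than `window` before rows[end].
            while rows[end]["when"] - rows[start]["when"] > window:
                start += 1
            terminals = {r["terminal"] for r in rows[start:end + 1]}
            if len(terminals) >= min_terminals:
                hits[user] = max(hits.get(user, 0), len(terminals))
    return hits


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    print("terminal churn on failed logons:", terminal_churn(recs))
    print("IP-shaped terminal values:", ip_shaped_terminals(recs))
```

In the constructed sample, JDOE's five failed logons in eight seconds each carry a different terminal name, so a per-terminal lockout counter would see at most one failure per terminal, while the per-user window reports five. The three IP-shaped values for JDOE and the one for BATCH01 are listed without judgement: only correlation with the connecting host (for example from the gateway or network logs) can say which of them were filled in by the client.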
