SAP HANA post exploitation vectors

This week the Onapsis Research Labs released an advisory for a server-side code injection vulnerability in SAP HANA integrated IDE. For more information about the SAP Note that fixes this issue, please refer to the Onapsis Research Labs advisory.

To define a reasonable exploitation scenario, we will assume the following conditions are met by our testing landscape:

  • There’s a vulnerable application running in our HANA instance.
  • The attacker has access to the vulnerable application.
  • The application is using a standard database user (created by default)

With this kind of vulnerability an attacker would able to inject arbitrary XSJS code that will run with the same privileges of the user running the application in the HANA server, this attack vector brings two powerful post exploitation primitives:

  1. Run arbitrary XSJS code.
  2. Perform an arbitrary SQL query.

By leveraging this vulnerability an attacker could execute SQL statements. For example he could execute something similar to:

var conn = $.db.getConnection();
var st = prepareStatement("SELECT * FROM USERS");

Continue reading

Share Button

Analyzing SAP Security Notes August 2014 Edition

SAP is a complex and ever changing system, whether because of changes introduced to your SAP implementation to better suit your business or applying Security Notes (Patches) to ensure that newly disclosed vulnerabilities are mitigated.

In order to provide a predictable and scheduled flow of vulnerability mitigation and security patches SAP releases their latest Security Notes information the second Tuesday of every month. Due to this regular disclosure of new security issues that could potentially weaken the security of SAP systems within an organization, it is highly recommended to carry out periodic assessments on a monthly basis at least.

At Onapsis we are very concerned about not only our client’s SAP systems security but the state of SAP security in general, so, to assist SAP’s customers, we perform a detailed analysis of the monthly SAP Security Notes as soon as they are published. The goal of this effort is to provide SAP clients with detailed information about the newly released notes and vulnerabilities affecting their SAP systems and help guide their testing of these systems within their organization.

37 Security Notes were published by SAP this month (29 Patch Day and 8 Support Package Notes).

 

The box-plot graph, located on the left side, illustrates the distribution of CVSS scores across the Security Notes released by SAP.
The CVSS Score median is near 6.0 with three notes exceeding the CVSS scoring of 8.0 (their values are 8.5, 8.7 and 8.8). Regardless of the criticality of each note, at Onapsis Research Laboratory we have analyzed the technical impact of all the published notes.

Hot News
The note 2044175 was released as hot news. This Security Note fixes certain authentication controls for APIs of the Afaria Server that don’t authenticate incoming devices properly.
Share Button

Analyzing SAP Security Notes June 2014 Edition

SAP is a complex and ever changing system, whether because of changes introduced to  your SAP implementation to better suit your business or through the application of Security Notes (Patches) to ensure that newly disclosed vulnerabilities are mitigated.

In order to provide a predictable and scheduled flow of vulnerability mitigation information and security patches, SAP releases their latest Security Notes information on the second Tuesday of every month. Due to this regular disclosure of new security issues that could potentially weaken the security of SAP systems within an organization, it’s highly recommended to carry out periodic assessments on a monthly basis at least.

At Onapsis we are very concerned about our client’s SAP system security and also the state of SAP security in general, so to assist our customers, we perform a detailed analysis of the monthly SAP Security Notes as soon as they are published. The goal of this is to provide SAP clients with detailed information about the newly released notes and vulnerabilities affecting their SAP systems and help guide their testing of these systems within their organization.

This month 21 SAP Security Notes were published by SAP (3 Support Packages and 18 Patch Day Notes). Of the ten notes reported by external researchers, Onapsis Research Labs reported six (from those notes, the 2001106 involved a remote unauthenticated Denial of Service which affects SAP Business Objects, and 2015446 a Code Injection vulnerability in SAP HANA Web Development Workbench, both discovered by Will Vandevanter). Continue reading

Share Button

Analyzing SAP Security Notes May 2014 Edition

SAP is a complex and ever changing system, whether because of changes introduced to your SAP implementation to better suit your business or through the application of Security Notes (Patches) to ensure that newly disclosed vulnerabilities are mitigated.

In order to provide a predictable and scheduled flow of vulnerability mitigation information and security patches, SAP releases their latest Security Notes information on the second Tuesday of every month. Due to this regular disclosure of new security issues that could potentially weaken the security of SAP systems within an organization, it’s highly recommended to carry out periodic assessments on a monthly basis at least.

At Onapsis we are very concerned about our client’s SAP system security and also the state of SAP security in general, so to assist our customers, we perform a detailed analysis of the monthly SAP Security Notes as soon as they are published. The goal of this is to provide SAP clients with detailed information about the newly released notes and vulnerabilities affecting their SAP systems and help guide their testing of these systems within their organization.

This month 17 Security Notes were published by SAP (taking into account 1 Support Package Note and 16 Patch Day Notes). There were four notes reported by external researchers, Onapsis Research Labs reported 1 of the four notes (2009696) a XSS vulnerability in SAP HANA by Will Vandevanter.

Continue reading

Share Button

Assessing HANA Systems Against the SAP HANA Security Guide

SAP takes their responsibility to help their customers be secure seriously. They have released the SAP HANA Security Guide to help their customers deploy HANA in a secure way. SAP Security Guides are nothing new, they help define a minimum benchmark of a securely deployed SAP system.

For those tasked with assessing a SAP HANA (or ABAP) system and determining the complete risk the system represents to the business, they know that just performing a SoD check is not enough (and for those that don’t the list of security guides from SAP and this blog should help explain why). SAP states that “[these] security guides provide information that is relevant for all lifecycle phases”. When auditing or assessing these SAP systems, and HANA in particular a logical place to start is to compare the system against SAP’s own security recommendations and benchmarks for HANA.

The SAP HANA Security Guide provides those minimum security recommendations. At 102 pages, the guide provides a lot of detailed information about the SAP HANA solution, common deployment scenarios and an overview of the communication paths used within a SAP HANA deployment and how they should be secured. This is further broken out into the following areas:

  • SAP HANA User and Role Management
  • SAP HANA Authentication and Single-Sign On
  • SAP HANA Authorization
  • SAP HANA Data Storage Security
  • Auditing Activity in SAP HANA Systems
  • Security Risks of Trace and Dump Files
  • SAP HANA Additional Components
  • Security for SAP HANA Data Provisioning Technologies
  • Security Reference Information

Continue reading

Share Button

Analyzing SAP Security Notes April 2014 Edition

SAP is a complex and ever changing system, whether because of changes introduced to your SAP implementation to better suit your business or through the application of Security Notes (Patches) to ensure that newly disclosed vulnerabilities are mitigated.

In order to provide a predictable and scheduled flow of vulnerability mitigation information and security patches, SAP releases their latest Security Notes information on the second Tuesday of every month. Due to this regular disclosure of new security issues that could potentially weaken the security of SAP systems within an organization, it’s highly recommended to carry out periodic assessments on a monthly basis at least.

At Onapsis we are very concerned about our client’s SAP system security and also the state of SAP security in general, so to assist our customers, we perform a detailed analysis of the monthly SAP Security Notes as soon as they are published. The goal of this is to provide SAP clients with detailed information about the newly released notes and vulnerabilities affecting their SAP systems and help guide their testing of these systems within their organization.

This month 23 Security Notes were published by SAP (taking into account the 5 Support Package Notes and the 18 Patch Day Notes). Onapsis Research Labs reported 4 of the 18  Patch Day Notes:CVSS distribution for the Security Notes released in April 2014

  • 1778940 by Nahuel D. Sánchez
  • 1974016 by Nahuel D. Sánchez
  • 1993349 by Will Vandevanter
  • 1929473 by Sergio Abraham

We have generated a plot graph illustrating the distribution of CVSS scores across the Security Notes released in April. 15 out of the 23 SAP Security Notes were assigned a CVSS number by SAP. As you may observe in the graph, the SAP Security Notes this month have a range of values from 2.6 to 6.0 with a median of 4.9.

Continue reading

Share Button

Analyzing SAP Security Notes March 2014 Edition

SAP is a complex and ever changing system, whether because of changes introduced to your SAP implementation to better suit your business or applying Security Notes (Patches) to ensure that newly disclosed vulnerabilities are mitigated.

In order to provide a predictable and scheduled flow of vulnerability mitigation and security patches, SAP releases their latest Security Notes information the second Tuesday of  every month. Due to this regular disclosure of new security issues that could potentially weaken the security of SAP systems within an organization, it is highly recommended
to carry out periodic assessments on a monthly basis in the least.

At Onapsis we are very concerned about not only our client’s SAP system security but the state of SAP security in general, so to assist SAP’s customers, we perform a detailed analysis of the monthly SAP Security Notes as soon as they are published. The goal of this is to provide SAP clients with detailed information about the newly released notes and
vulnerabilities affecting their SAP systems and help guide their testing of these systems within their organization.

This month 9 Security Notes were published by SAP. Onapsis Research Labs reported 2 of the issues that have been addressed by SAP:

  • 1963932 by Sergio Abraham and Manuel Muradas
  • 1964428 by Sergio Abraham

Continue reading

Share Button

How Malware is evolving into the first step of attacks against SAP systems

When I talk to CISOs and other business leaders who are responsible for critical applications that rely on SAP a common question I get is how I would quantify the threat to their SAP systems. We talk about stories that have been shared with them by their colleagues, and the importance and value of following best practices. This morning I have been sharing with them an article showing some apparent reconnaissance activities being taken to discover deployed SAP systems.

The article describes a newly discovered Trojan that primarily targets gaining access to victims online banking accounts. What this malware does that is setting of alarm bells for everyone who is responsible for SAP systems is it analyses each machine the malware runs on to determine if that end user computer is used to communicate with SAP systems. This information is then passed back to the owners of the malware.

So what kind of information are we talking about? A PC with a SAP client installed will have configuration information for that client stored locally. This will contain at least the IP address of the SAP servers that the client connects to. If these clients are configured to login automatically those credentials are obtainable; if not then it is a simple matter to hook the application and capture the password the next time the user logs in.

Now, for those people who are itching to tell  me that they don’t care is an external attacker learns the IP address of their internal SAP systems because they cannot reach these systems I would refer you to this blog post; which debunks the myth of “internal” systems. I’d also point out the reason why the attacker is able to learn the IP addresses of your internal SAP systems if because they have taken control of an internal machine on your network already. Of course if you think I am wrong then you are gambling with the safety and soundness of your SAP systems; which is a high stakes game to play.

Continue reading

Share Button

SAP HANA Security: Do You Want a Basic or Secure Implementation?

Different software companies take different approaches to the security of their products after they have been sold to their customers. Some would prefer it if previously released software had no security research attention paid to it where as others take a more realistic and therefore positive (to their customers) attitude. This positive approach is not only to provide their customers with security guidance for each component but to also release vulnerability information to them along with patches or remediation information in a regular and predictable way that allows their customers to anticipate and plan for application of remediation.

SAP falls into the positive camp; as well as releasing vulnerability information for HANA and other SAP components on the second Tuesday of every month they also publish security guidance for best practices to securely install and maintain HANA deployments.

Now, you could try and argue that the ultimate best practice is for SAP to release completely perfect and secure code and products; and to not allow their customers to reconfigure it so it can run in an insecure manor. That and unicorn hamburgers would be fantastic; but I am not holding my breath for either to present itself to me any time soon…

Continue reading

Share Button