Analyzing SAP Security Notes December 2013 Edition

CVSS Distribution

CVSS distribution - SAP Security Notes December 2013

SAP is a complex and ever evolving implementation; whether that is through changes introduced to your SAP implementation to better serve the business or the newly disclosed vulnerabilities targeting SAP products. In order to provide a predictable and scheduled flow of security, vulnerability and mitigation information SAP releases their latest Notes and security information regarding their products on the second Tuesday of every month. Because of this regular disclosure of new issues that could potentially weaken an organizations security SAP security assessments should be carried out on a regular basis. In order to ensure our customers are testing for all the published vulnerabilities in their SAP implementations we perform a detailed analysis of the monthly SAP Security Notes as soon as they are published.

To date this is been a service we have carried out quietly on behalf of our customers. However due to wider requests for better understanding regarding the information being published by SAP this will be the first in a monthly series of posts that summarize and explain the analysis we performed in order to promptly update our products with the latest security checks.

In December we analyzed a total of 35 SAP Security Notes. Notes 1926485, 1913554 and 1911523 were reported by Sergio Abraham, from Onapsis Research Labs.
Continue reading

Share Button

Unprotected SAP Gateways – Evil-Twin and Code Execution Attacks through Registered RFC Servers

In the last posts we have already presented a variety of approaches for SAP security assessment. Today we will address a more complex path an attacker might follow. In order to understand what is going on we must first dive deeper in some SAP concepts and components.

The SAP Gateway is a component present in every SAP Instance. As we discussed in a previous post It is responsible for managing RFC connections between the SAP Instance where it is running and other instances or with external servers (such as government regulation agencies, payment processors, SWIFT connectors, etc.). All RFC calls go through the SAP Gateway.

In order to receive connections and potentially communicate with an SAP Instance, an external server must register itself with the SAP Gateway (becoming what we will call an external registered server). Once registered, communication between the SAP instance and the external server will flow smoothly over the SAP RFC protocol.

Continue reading

Share Button

Assessing the security of SAP ecosystems: Access from the SAP Application Layer to the Database

In previous posts we performed security assessments on the Management Console.

For the upcoming assessments we will need a tool to connect with the underlying databases. SQL*Plus is an Oracle utility with a basic command-line interface which allows us to connect with Oracle databases and execute queries in a simple fashion. Notice that you will have to download the Instant Client Package – Basic, and then download the Instant Client Package – SQL*Plus.

This way of performing arbitrary queries only works for SAP implementations with Oracle databases (which is the most common configuration in SAP Systems). As seen in a previous post, our sample SAP ecosystem has an Oracle database so we can perform this assessment. If there is an SAP system running on an Oracle database, an eventual attacker is most likely to succeed since it’s based on a default and mandatory trust relationship between the SAP System and the Oracle database.

Continue reading

Share Button

Latest SAP Security Vulnerabilities – Including an SAP CVSS 10

In this post, I’ll cover some of the latest vulnerabilities reported to SAP by Onapsis and published last week.

Last week we released advisories regarding several vulnerabilities affecting SAP platforms. Some of these vulnerabilities are in fact very critical, and their exploitation could lead to a full-compromise of the entire SAP implementation – even by completely anonymous attackers. Following our responsible disclosure policy, SAP released the relevant SAP Security Notes (patches) for all these vulnerabilities a long time ago, so if you are an SAP customer make sure you have properly implemented them!

These are the advisories for the published vulnerabilities, along with a small description of the real business impact of an exploitation of the vulnerabilities:

By exploiting this vulnerability, a remote unauthenticated attacker might be able to access or modify all the business information processed by the ERP system. This would result in the total compromise of the SAP infrastructure.

By exploiting this vulnerability, a remote unauthenticated attacker might be able to access or modify all the business information processed by the ERP system. This would result in the total compromise of the SAP infrastructure.

By exploiting this vulnerability, a remote unauthenticated attacker might be able to access or modify all the business information processed by the ERP system. This would result in the total compromise of the SAP infrastructure.

By exploiting this vulnerability, an internal or external attacker would be able to perform attacks on the Organization’s users through weaknesses in the SAP system. Upon a successful exploitation, he would be able to obtain sensitive information from legitimate users through complex social engineering attacks and/or exploit vulnerabilities in their systems in order to take control of them.

By exploiting this vulnerability, an attacker would be able to perform a sabotage attack over the service used to deploy and change software components in the SAP AS Java. This would prevent legitimate developers and administrators from performing and maintain required business and technical activities.

By exploiting this vulnerability, an internal or external attacker would be able to perform attacks on the Organization’s users through weaknesses in the SAP system. Upon a successful exploitation, he would be able to obtain sensitive information from legitimate users through the exploitation of vulnerabilities in their systems.

We think it is a very important set of vulnerabilities, as one of them is the first vulnerability ever ranked by SAP with a CVSSv2 risk 10! Actually, Onapsis also reported the second vulnerability ranked with a CVSSv2 10, and this advisory will be released next month.

We are going to be demonstrating some of these vulnerabilities live in our upcoming posts and presentations.

Share Button