Layer Seven Security

SAP Security Notes, April 2017

Note 2419592 includes further corrections for a code injection vulnerability in TREX that was originally patched by SAP through Note 2234226 in February 2016. The vulnerability impacts the TREXNet protocol used for internal communications by TREX components and servers. TREXNet communication does not require any authentication. Therefore, the protocol can be abused to execute dangerous commands including OS commands using the administrative privileges of the <SID>ADM user. As a result, SAP recommends running TREX in an isolated subnet. Detailed instructions are documented in the TREX Installation Guide. However, the corrections included in Note 2419592 block access to the TREXNet interface from outside the TREX landscape. Therefore, it protects unsegmented systems against malicious commands targeting the protocol. TREX versions 7.10 and 7.25 must be upgraded to revisions 74 and 37 respectively to apply the corrections.

Note 2235515 includes an important update for SNOTE to log information related to the RFC destination used to download notes. SNOTE can be abused to download malicious packages from attacker controlled servers if the default RFC destination is changed. SNOTE executes program SCWN_NOTE_DOWNLOAD during runtime. The program will use an alternative RFC destination maintained in table CWBRFCUSR if a destination is defined in the table.  For more information refer to Note 2235514.

Notes 2410082, 2372301, 2400292 and 2387249 deal with weaknesses in XML input validation that expose several ABAP and Java applications to XML External Entity (XXE) attacks. The impact of successful XXE exploits include sensitive information disclosure and denial of service.

Finally, Note 2407616 provides an update for saprules.xml to secure against a high-risk vulnerability that could enable attackers to execute remote commands against SAP GUI. saprules.xml is used by the SAP GUI Security Module to protect clients against  potentially malicious commands from back-end SAP servers.

SAP Security Notes, March 2017

Note 2424173 deals with vulnerabilities in SAP HANA that were the subject of media attention in March. This includes coverage from the television news channel MSNBC. The vulnerabilities impact areas such as User Self Service Tools that support account-related tasks including password resets and self-registration through a web interface.

The Note carries a CVSS of 9.8/10. The exploit range and impact are high. The attack complexity is low and no specific privileges are required to execute the related exploits.

Attacks that exploit the vulnerable areas of user self-service appear to target the SYSTEM user in SAP HANA. The SYSTEM user is a powerful default user that should be deactivated after the initial install of the database. Any compromise of the SYSTEM user can lead to anonymous and privileged access to SAP HANA, leading to the complete compromise of the platform and data stored or processed by HANA.

User self-service tools are disabled in the default configuration of SAP HANA. Activation requires the creation of a technical user, configuring SMTP services and maintaining relevant parameters in the xsengine.ini file.

User self-service parameters and the status of the SYSTEM user can be monitored using SAP Solution Manager. The latter includes successful and unsuccessful logon attempts. Automatic alerts can be enabled for vulnerable settings and any action performed by the SYSTEM user.

Other critical corrections include Note 2319506 which removes a blind SQL injection vulnerability in Database Monitors for Oracle. The exploit addressed by the Note targets vulnerable input parameters in the function modules STUO_GET_ORA_ SYS_TABLE and STUO_GET_ORA_SYS_ TABLE_2 used to read or modify system tables.

Notes 2381388 and 2378999 remove missing authorization checks in the stock transfer process of Materials Management, a widely-deployed module of SAP ERP.

Finally, Note 2429069 addresses a session fixation vulnerability in SAP HANA 2.0 that enables attackers to decipher the session IDs of concurrent users.

SAP Security Notes, February 2017

Note 2410061 patches a dangerous Distributed Denial of Service (DDoS) vulnerability in the Data Orchestration Engine (DOE) Administration Portal. The DOE is used to access the SAP NetWeaver Mobile Administrator to manage and monitor mobile system landscapes. This includes connecting mobile clients, deploying agents and packages to mobile devices, managing single sign-on, and other tasks.

The DDoS vulnerability stems from the system messages area of the DOE. This is used to transmit messages to mobile clients. Attackers can provoke a denial of service in the DOE by flooding the system messages service and exhausting available resources.

Note 2407694 addresses a similar denial of service vulnerability in the SAP Web IDE for SAP HANA. Web IDE is a development tool for building and deploying Fiori and other applications. The sinopia registry in the Web IDE crashes during publication if a package name contains special characters. Exploitation of the vulnerability can be prevented by blocking the registry from registering new users. The Note includes instructions for identifying systems that have been successfully attacked using the vulnerability. It also included details of a workaround to block attempted new user registrations by modifying permissions for the htpasswd file.

Note 2392860 removes the transaction code ZPTTNO_TIME from the standard roles SAP_PS_RM_PRO_ADMIN and SAP_PS_RM_PRO_REVIEWER. The transaction can be used to escalate privileges by creating other custom transactions.

Note 2413716 provides instructions for securing the trusted RFC connection for GRC Access Controls Emergency Access Management (EAM). The trusted connection is required to switch user accounts to Fire Fighter IDs (FFIDs).

The instructions include maintaining the authorization objects S_RFCACL and S_ICF, deactivating passwords for FFIDs, and controlling critical basis authorizations for managing trust relationships and RFC destinations.


SAP Security Notes, January 2017

Note 2407862 deals with a highly dangerous buffer overflow vulnerability in Sybase Software Asset Management (SySAM) that scores almost 10/10 using the Common Vulnerability Scoring System.  SySAM performs license management for products such as ASE, ESP, PowerDesigner and the Replication Server.

The vulnerability arises from the Flexera Flexnet Publisher software bundled in SySAM. The third party software is bundled in products provided not only by Sybase, but vendors such as Intel, Cisco, HP, Adobe, RSA and Siemens.

Flexnet Publisher is vulnerable to a stack buffer overflow vulnerability that could enable attackers to execute arbitrary code remotely and without authentication. Since the code could provoke a crash in the Vendor Daemon which performs license control in software products, it could lead to a denial of service in SySAM and products that rely on SySAM. This explains the extremely high CVSS score of the vulnerability.

According to Flexera, a patch for the vulnerability was made available to vendors in November 2015. It is not clear if this included SAP. The vulnerability was published in the NIST National Vulnerability Database (NVD) shortly thereafter in February 2016.  Despite the criticality of the vulnerability, a correction for SySAM was only made available in January 2017. Customers are advised to download and install SySAM 2.4 to apply the correction.

Note 2389042 deals with a similar denial of service vulnerability in SAP Single Sign-On (SSO) which could interrupt the availability of SAP services for users. The SSO Authentication Library should be patched to the latest patch level specified in the Note.

Note 2407696 removes support for the DES encryption algorithm used to secure configuration data in SAP Online Banking 8.3. SAP recommends using stronger algorithms supported by Online Banking including AES and 3DES. Note that AES is more efficient in software implementations than 3DES since 3DES was designed for hardware implementations.