Layer Seven Security

SAP Security Notes, June 2020

Hot News note 2928570 patches a critical remote code execution vulnerability in SAP Liquidity Management for Banking. The vulnerability affects connections that use the Apache JServ Protocol (AJP) in Apache Tomcat. AJP connections can be exploited to read and process arbitrary files in the Apache web server, which can be abused for remote code execution if web applications allow file uploads and the processing of uploaded files as JavaServer Pages. AJP connections should be blocked by disabling the AJP Connector if they are not required. Apache Tomcat has been upgraded to harden the AJP Connector; however, SAP does not recommend upgrading the web server. Instead, note 2928570 provides manual procedures for disabling the AJP Connector or securing AJP connections with a secret key.
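As an added example (not from the note or from SAP), the following Python audit parses a Tomcat server.xml and reports active AJP connectors that lack a shared secret or listen on all interfaces, which is the state the note's manual procedures are meant to correct. The attribute names secretRequired, secret and the older requiredSecret are Tomcat's own; the sample server.xml is constructed.

```python
"""Audit a Tomcat server.xml for AJP connectors that are enabled but not
secured with a shared secret. Added example, not code from SAP or the note."""
import xml.etree.ElementTree as ET

# Constructed sample: one AJP connector commented out (disabled), one enabled
# without a secret on all interfaces, one enabled with a secret on loopback.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"/>
    <!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/> -->
    <Connector port="8010" protocol="AJP/1.3" address="0.0.0.0"/>
    <Connector port="8011" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="REPLACE-WITH-LONG-RANDOM-SECRET"/>
  </Service>
</Server>
"""

def audit_ajp_connectors(server_xml: str) -> list:
    """Return one finding per active AJP connector. Connectors wrapped in XML
    comments are dropped by the parser, so they count as disabled."""
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        if not conn.get("protocol", "HTTP/1.1").startswith("AJP"):
            continue
        # Tomcat 9.0.31+ uses secretRequired/secret; older releases used
        # requiredSecret. Accept either so the audit covers unpatched servers.
        secret = conn.get("secret") or conn.get("requiredSecret")
        secret_required = conn.get("secretRequired", "true").lower() == "true"
        address = conn.get("address", "0.0.0.0")  # unset means all interfaces
        issues = []
        if not secret:
            issues.append("no shared secret configured")
        if not secret_required:
            issues.append("secretRequired explicitly disabled")
        if address in ("0.0.0.0", "::", "*"):
            issues.append("listens on all interfaces")
        findings.append({"port": conn.get("port"), "address": address,
                         "issues": issues})
    return findings

if __name__ == "__main__":
    for f in audit_ajp_connectors(SAMPLE_SERVER_XML):
        state = "OK" if not f["issues"] else "; ".join(f["issues"])
        print(f"AJP connector port {f['port']} on {f['address']}: {state}")
```

Point the script at the real server.xml of the Tomcat instance shipped with the affected product; connectors that appear in the output without an "OK" state are the ones the note's procedures address.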

Note 2918924 provides instructions for removing hard-coded credentials in SAP Commerce and SAP Commerce Datahub. The use of default passwords for admin and other built-in accounts has been discontinued for new installations of SAP Commerce. Since re-initializing SAP Commerce leads to the deletion of all data in the application, SAP recommends using the scripts in Note 2922193 to remove default credentials in existing installations.

Note 2933282 corrects a missing authorization check that could lead to an escalation of privileges in SAP SuccessFactors Recruiting.

Notes 2906366 and 2734580 include corrections for high priority information disclosure vulnerabilities in SAP Commerce and SAP NetWeaver Application Server ABAP (AS ABAP), respectively.

SAP Security Notes, May 2020

Hot News Note 2835979 patches a critical code injection vulnerability in Service Data Download. The vulnerability can be exploited by attackers to inject malicious code into the ST-PI plugin for NetWeaver Application Server ABAP (AS ABAP). This could lead to the complete compromise of ABAP servers. The vulnerability carries a base CVSS score of 9.9/10 and can be exploited over the network.

Hot News Note 2885244 carries a similar CVSS score of 9.8/10 and can be exploited to bypass authentication using REST Webservices (BIPRWS) for Live Data Connect in the SAP Business Intelligence Platform. The fix packaged with the note enables Live Data Connect to log on to the BI Central Management Server (CMS) with a shared key. This prevents logons to the CMS without a password when using trusted authentication. The fix is available for version 2.4 of Live Data Connect. Customers using earlier versions are advised to upgrade to version 2.4.

Notes 2917275 and 2917090 patch critical code injection and information disclosure vulnerabilities in the Backup Server and Cockpit of SAP Adaptive Server Enterprise (ASE), formerly Sybase ASE. ASE is a widely used database platform for SAP systems. Note 2917275 applies input validation checks for DUMP and LOAD commands to prevent the execution of malicious user-provided code. Note 2917090 prevents the disclosure of sensitive system and user data including account credentials. The impacted ASE versions are 16.0 SP02 and SP03.

SAP Security Notes, April 2020

Hot News note 2863731 provides updated correction instructions for a critical deserialization vulnerability in the Business Objects enterprise platform. The Crystal Reports .NET SDK WebForm Viewer in Business Objects could enable attackers with basic authorization to perform deserialization attacks, which could be exploited to execute malicious code.

Note 2904480 patches a significant input validation vulnerability in REST XML APIs within SAP Commerce. This could impact the availability and confidentiality of web stores based on the eCommerce platform.

Note 2896682 delivers corrections for a high risk directory traversal vulnerability in Knowledge Management that could enable attackers to overwrite, delete, or corrupt files on SAP servers.

Note 2902645 removes a privilege escalation vulnerability impacting the SAP Host Agent. SAP recommends updating the Agent to at least version 7.21 PL46 to prevent attackers from gaining root privileges over the underlying operating system using the Agent’s Operation Framework. Note 1031096 provides instructions for upgrading the Host Agent.

Finally, notes 2495144 and 2495462 provide switchable authorization checks for specific, sensitive function modules in SAP Central Finance and SAP Leasing. Switchable checks supplement checks for authorization object S_RFC. They should be activated using transaction SACF after the notes are applied.

SAP Security Notes, March 2020

Hot News note 2845377 patches a missing authentication check in the Diagnostics Agent. The Agent is a component of the Solution Manager landscape. It commonly connects to the Java server in Solution Manager through the J2EE Message Server HTTP port. This is recommended by SAP. However, it can also connect to Solution Manager using a direct P4 connection. P4 is a proprietary SAP protocol based on Remote Method Invocation (RMI) and Common Object Request Broker Architecture (CORBA). Direct P4 connections between Solution Manager and Diagnostics Agents are not recommended by SAP for most scenarios.

The patch delivered in note 2845377 closes the P4 port and therefore prevents connections to the service. Leaving the port open could enable attackers to connect to the Agent and execute commands with the permissions of the <SID>adm user. It could also enable attackers to shut down the Agent, which would interrupt monitoring in Solution Manager. However, the impact on security monitoring would be minimal since the Diagnostics Agent supports monitoring for AS Java and SAProuter log files only. Availability monitoring is performed using the SAP Host Agent; the Diagnostics Agent is used primarily for performance monitoring.

Hot News note 2890213 patches a missing authentication check in User-Experience Monitoring (UXMon). UXMon executes and analyzes the results of client-side scripts to monitor availability and performance metrics in endpoints. The note enables user authentication for the EemAdmin administration service.

Note 2806198 provides corrections for a critical directory traversal vulnerability in the SAP NetWeaver Universal Description Discovery and Integration (UDDI) Server. The UDDI Server is a Services Registry containing definitions for enterprise services and metadata references. It also provides information related to web service consumers and providers including physical systems.

SAP Security Notes, February 2020

Note 2841053 patches a high risk Denial of Service (DoS) vulnerability in the SAP Host Agent. Username/password-based authentication requests for the SAP Host Agent are delegated to the operating system or to LDAP, Active Directory and other authentication platforms. Operating systems and authentication platforms often include mechanisms to limit parallel logon requests in order to protect against brute force attacks. A large number of logon requests sent to the Host Agent can trigger these limits and delay responses to legitimate logon requests. Note 2841053 recommends blocking access from untrusted networks to the Host Agent ports 1128 and 1129. Alternatively, access to the Host Agent can be bound to specific IP addresses or hostnames defined in the value of profile parameter service/hostname, or restricted using an access control list specified in the host_profile of the Agent. Another option is to disable username/password-based authentication and only allow certificate-based authentication using the value disabled for the host profile parameter saphostagent/authentication_method.

Notes 2878030 and 2877968 deal with missing input validation vulnerabilities in SAP Landscape Management. Attackers with admin privileges could exploit the vulnerabilities to execute malicious commands with root privileges in the SAP Host Agent through Landscape Management. The options for SAP Landscape Management Internal Operation Check and LVMIntOpOld should be enabled before applying the corrections in the support package referenced in the notes. RuntimeInternalOperationValidator should be executed after the corrections are applied to activate the fixes in all hosts.

SAP Security Notes, January 2020

Note 2822074 patches a missing authorization check in the Business Object Repository (BOR) of SAP NetWeaver Application Server ABAP. The note introduces the switchable authorization check objects S_BOR_RFC and S_BOR_PRX to supplement the generic S_RFC authorization. The new objects should be activated using transaction SACF to secure remote access to BOR. Note 2844646 is a prerequisite for note 2822074 and therefore should be implemented in advance. The report SWO_RFC_AUTH_CHECK_STATE can be executed after the note is applied to check the activation of the checks.

Note 2142551 is re-released with updated correction instructions for implementing whitelists to protect against clickjacking attacks in AS ABAP. Standard protective measures against clickjacking, including the X-Frame-Options HTTP response header, are not suitable for common NetWeaver integration scenarios. Therefore, SAP provides a whitelist-based framework for NetWeaver technologies. The framework and its implementation are described in SAP Note 2319727.

Note 2848498 provides a kernel patch to remove a Denial of Service (DoS) vulnerability in the Internet Communication Manager (ICM). Attackers can exploit the vulnerability to crash the ICM by sending specially crafted packets to the IIOP or P4 service that lead to a buffer overflow. The corrections in note 2848498 add detection and prevention of the buffer overflow.

SAP Security Notes, December 2019

Note 2871877 patches multiple high priority vulnerabilities in Maintenance, Repair, and Overhaul (MRO) Workbenches in SAP Enterprise Asset Management (EAM). These include missing authorization checks for authenticated users that could lead to an escalation of privileges, and directory traversal caused by insufficient path validation. The latter vulnerability could enable attackers to read, overwrite, delete, or corrupt files on affected servers. Corrections are packaged in a transport included in the Note.

Note 2734675 provides automated and manual corrections for missing authorization checks in SAP Cash Management. The corrections introduce checks for vulnerable function modules including BAPI_FCLM_BAM_AMD_BNKANT and BAPI_HOUSE_BANK_REPLICATE. The function modules support replication of Bank Account Management (BAM) master data between SAP S/4HANA Finance systems.

Finally, Note 2730227 removes missing authorization checks in the historical data processing component of SAP Central Payments introduced in Note 2651431. SAP Central Payments is part of SAP Central Finance and supports centralized payments and clearing activities in central systems instead of source systems.

SAP Security Notes, November 2019

Hot News Note 2839864 updates Note 2808158 for a high risk OS Command Injection vulnerability in the SAP Diagnostics Agent. The vulnerability exists within the OS Command Plugin of the Agent, accessible through transaction GPA_ADMIN and the OS Command Console. Note 2839864 provides a patch for the LM_SERVICE for Support Pack levels 6-9 of the Agent. For earlier versions, the commands.xml file must be updated with a new version. It is recommended to apply the setting param="false" to block attackers from injecting commands into the file.

Note 2814007 includes Support Package patches for a missing XML validation vulnerability in the HTML interface of Web Intelligence (WebI). WebI is a component of the SAP BusinessObjects Business Intelligence Platform. Successful exploitation of the vulnerability could enable attackers to retrieve arbitrary files from servers or provoke a denial of service.

Note 2393937 delivers switchable authorization checks for remote-enabled function modules in SAP Internet Pricing and Configurator (IPC). Switchable authorization checks supplement checks performed using authorization object S_RFC. They are activated with transaction SACF.

SAP Security Notes, October 2019

Hot News Note 2828682 patches a vulnerability in SAP Landscape Management Enterprise that could lead to the disclosure of critical information. Although the note carries a CVSS score of 9.1/10, the vulnerability it addresses can only be exploited under specific, uncommon conditions. In addition to implementing SAP Landscape Management 3.0 SP12 Patch 02, the corrections in the note include manual instructions for removing confidential information from insecure locations such as logs and archives, and sensitive data exported from XML files.

Note 2826015 patches a critical missing authentication check in the AS2 Adapter of the B2B Add-On for SAP NetWeaver Process Integration. The Note provides support package patches for AS2 Adapter 1.0 and 2.0. SAP also recommends confirming the property named for the application named is set to its default value IAIK.

Note 2792430 addresses a high risk binary planting vulnerability in SAP SQL Anywhere, SAP IQ and SAP Dynamic Tiering. The platforms use a file search algorithm that can result in the inadvertent access of files located in directories outside of the paths specified by users. The successful exploitation of binary planting vulnerabilities can lead to information disclosure, file corruption or deletion, privilege elevation and DLL hijacking.

SAP Security Notes, September 2019

Hot News Note 2798336 patches a critical code injection vulnerability in NetWeaver Application Server for Java (AS Java). A program error in the Web Container of AS Java could enable attackers to bypass input validation and execute dynamic content such as malicious code. The note includes updates for the J2EE Engine and API components.

Note 2823733 includes an important update for Hot News Note 2808158. The note provides greater coverage for possible attack scenarios targeting an OS Command Injection vulnerability in the SAP Diagnostics Agent.

Note 2817491 addresses high priority denial of service and information disclosure vulnerabilities in SAP HANA Extended Application Services (Advanced Model). Attackers may misuse an HTTP/REST endpoint of SAP HANA Extended Application Services (Advanced model) to overload the server or enumerate open internal network ports. The vulnerabilities have been fixed with SAP HANA Extended Application Services (Advanced model) version 1.0.118.