Layer Seven Security

SAP Security Notes, February 2020

Note 2841053 patches a high risk Denial of Service (DOS) Vulnerability in the SAP Host Agent. Username/password-based authentication requests for the SAP Host Agent are delegated to operating systems or LDAP, Active Directory and other authentication platforms. Operating systems and authentication platforms often include mechanisms to limit parallel logon requests in order to protect against brute force attacks. This could lead to delayed responses to logon requests. Note 2841053 recommends blocking access from untrusted networks to the Host Agent ports 1128 and 1129. Alternatively, access to the Host Agent can be bound to specific IP addresses or hostnames defined in the value for profile parameter service/hostname or using an access control list specified in the host_profile of the agent. Another option is to disable username/password-based authentication and only allow certificate-based authentication using the value disabled for the host profile parameter saphostagent/authentication_method.

Notes 2878030 and 2877968 deal with missing input validation vulnerabilities in SAP Landscape Management. Attackers with admin privileges could exploit the vulnerabilities to execute malicious commands with root privileges in the SAP Host Agent through Landscape Management. The options for SAP Landscape Management Internal Operation Check and LVMIntOpOld should be enabled before applying the corrections in the support package referenced in the notes. RuntimeInternalOperationValidator should be executed after the corrections are applied to activate the fixes in all hosts.

SAP Security Notes, January 2020

Note 2822074 patches a missing authorization check in the Business Object Repository (BOR) of SAP NetWeaver Application Server ABAP. The note introduces the switchable authorization check objects S_BOR_RFC and S_BOR_PRX to supplement the generic S_RFC authorization. The new objects should be activated using transaction SACF to secure remote access to BOR. Note 2844646 is a prerequisite for note 2822074 and therefore should be implemented in advance. The report SWO_RFC_AUTH_CHECK_STATE can be executed after the note is applied to check the activation of the checks.

Note 2142551 is re-released with updated correction instructions for implementing whitelists to protect against clickjacking attacks in AS ABAP. Standard protective measures against clickjacking, including the X-Frame-Options HTTP response header, are not suitable for common NetWeaver integration scenarios. Therefore, SAP provides a whitelist-based framework for NetWeaver technologies. The framework and its implementation are described in SAP Note 2319727.

Note 2848498 provides a kernel patch to remove a Denial of service (DOS) vulnerability in the Internet Communication Manager (ICM). Attackers can exploit the vulnerability to crash the ICM by sending specially crafted packets to the IIOP or P4 service that lead to a buffer overflow. The corrections in note 2848498 will support the detection and prevention of the buffer overflow.

SAP Security Notes, December 2019

Note 2871877 patches multiple high priority vulnerabilities in Maintenance, Repair, and Overhaul (MRO) Workbenches in SAP Enterprise Asset Management (EAM). This includes missing authorizations checks for authenticated users that could lead to an escalation of privileges, and directory traversal caused by insufficient path validation. The latter vulnerability could enable attackers to read, overwrite, delete, or corrupt files in effected servers. Corrections are packaged in a transport included in the Note.

Note 2734675 provides automated and manual corrections for missing authorization checks in SAP Cash Management. The corrections introduce checks for vulnerable function modules including BAPI_FCLM_BAM_AMD_BNKANT and BAPI_HOUSE_BANK_REPLICATE. The function modules support replication of Bank Account Management (BAM) master data between SAP S/4HANA Finance systems.

Finally, Note 2730227 removes missing authorization checks in the historical data processing component of SAP Central Payments introduced in Note 2651431. SAP Central Payments is part of SAP Central Finance and supports centralized payments and clearing activities in central systems instead of source systems.

SAP Security Notes, November 2019

Hot News Note 2839864 updates Note 2808158 for a high risk OS Command Injection vulnerability in the SAP Diagnostics Agent. The vulnerability exists within the OS Command Plugin of the Agent, accessible through transaction GPA_ADMIN and the OS Command Console. Note 2839864 provides a patch for the LM_SERVICE for Support Pack levels 6-9 of the Agent. For earlier versions, the commands.xml file must be updated with a new version. It is recommended to apply the setting ‘param=”false”‘ to block attackers from injecting commands into the file.

Note 2814007 includes Support Package patches for a missing XML Validation vulnerability in the HTML interface of Web Intelligence (WebI). WebI is a component of the SAP BusinessObjects Business Intelligence Platform. Successful exploitation of the vulnerability could lead attackers to read arbitrary files retrieval from servers or provoke a denial-of-service.

Note 2393937 delivers switchable authorization checks for remote-enabled function modules in SAP Internet Pricing and Configurator (IPC). Switchable authorization checks supplement checks performed using authorization object S_RFC. They are activated with transaction SACF.

SAP Security Notes, October 2019

Hot News Note 2828682 patches a vulnerability in SAP Landscape Management Enterprise that could lead to the disclosure of critical information. Although the notes carries a CVSS score of 9.1/10, the vulnerability addressed by the note can only be executed under specific, uncommon conditions. In addition to implementing SAP Landscape Management 3.0 SP12 Patch 02, the corrections in the note include manual instructions for removing confidential information from insecure locations such as logs and archives, and sensitive data exported from XML files.

Note 2826015 patches a critical missing authentication check in the AS2 Adapter of the B2B Add-On for SAP NetWeaver Process Integration. The Note provides support package patches for AS2 Adapter 1.0 and 2.0. SAP also recommends confirming the property named for the application named is set to its default value IAIK.

Note 2792430 addresses a high risk binary planting vulnerability in SAP SQL Anywhere, SAP IQ and SAP Dynamic Tiering. The platforms use a file search algorithm that can result in the inadvertent access of files located in directories outside of the paths specified by users. The successful exploitation of binary planting vulnerabilities can lead to information disclosure, file corruption or deletion, privilege elevation and DLL hijacking.

SAP Security Notes, September 2019

Hot News Note 2798336 patches a critical code injection vulnerability in NetWeaver Application Server for Java (AS Java). A program error in the Web Container of AS Java could enable attackers to bypass input validation and execute dynamic content such as malicious code. The note includes updates for the J2EE Engine and API components.

Note 2823733 includes an important update for Hot News Note 2808158. The note provides greater coverage for possible attack scenarios targeting an OS Command Injection vulnerability in the SAP Diagnostics Agent.

Note 2817491 addresses high priority denial of service and information disclosure vulnerabilities in SAP HANA Extended Application Services (Advanced Model). Attackers may misuse an HTTP/REST endpoint of SAP HANA Extended Application Services (Advanced model) to overload the server or enumerate open internal network ports. The vulnerabilities have been fixed with SAP HANA Extended Application Services (Advanced model) version 1.0.118.

SAP Security Notes, August 2019

Hot News Note 2800779 patches a remote code execution vulnerability in the SAP NetWeaver UDDI Server. The vulnerability carries a CVSS score of 9.9/10 and could be exploited to take complete control of the Services Registry, including viewing, changing, or deleting data by injecting code into the working memory which is subsequently executed by the application. The NetWeaver UDDI Server is an XML-based registry for Web Services.

Note 2786035 patches another critical remote code execution vulnerability in SAP Commerce Cloud (previously SAP Hybris Commerce). The Mediaconversion and Virtualjdbc extensions in SAP Commerce Cloud could execute malicious code injected by attackers or authenticated users. Note that some of the Mediaconversion Conversion Command parameters may not work after the implementation of the recommended patch until they are added to a whitelist.

Note 2813811 deals with a dangerous Server-Side Request Forgery (SSRF) vulnerability in the Administrator System Overview of SAP NetWeaver Application Server for Java (AS Java). The vulnerability could enable attackers to scan internal networks, perform Remote File Inclusion attacks, retrieve server files including password files, bypass firewalls, and force vulnerable servers to execute malicious requests. Refer to SAP KBA 2577844 to resolve known side-effects of the corrections in Note 2813811.

SAP Security Notes, July 2019

Hot News Note 2808158 patches a critical code injection vulnerability in the SAP Diagnostics Agent. The Agent is required to monitor operating systems and discover the database cluster topology from SAP Solution Manager. It is not required for monitoring the security of SAP systems with Solution Manager. Security-relevant data is collected or monitored primarily through RFC connections maintained between Solution Manager and managed systems.

The vulnerability impacts the OS Command Plugin in transaction GPA_ADMIN. The transaction is used to create and maintain guided procedures. Note 2808158 provides a patch for the LM_SERVICE in SP levels 05-09 of Solution Manager 7.2.

Note 2774489 addresses a high priority OS command injection vulnerability in SAP Process Integration (PI). ABAP Tests Modules of PI could enable attackers to execute privileged OS commands. The relevant support packages listed in the note should be applied to remove the vulnerable source code in the modules.

SAP Security Notes, June 2019

Note 2748699 provides instructions for securing the credentials of the standard user SM_EXTERN_WS in SAP Solution Manager. SM_EXTERN_WS is used by CA Introscope Enterprise Manager (EM) to collect monitoring metrics from mainly non-ABAP components in SAP landscapes. The metrics are collected via the Introscope Push web service. The credentials for SM_EXTERN_WS including the automatically generated password are stored in a file that is referenced with property dpcpush.credentials.file in file <EM_install_dir>/sap/<SolMan_SID> The credentials in the file are insufficiently protected against attackers. However, dialog logon with SM_EXTERN_WS is not possible since the user is a system user type. Also, SM_EXTERN_WS does not have administrative privileges.

Note 2748699 recommends deploying the LM-SERVICE software component and patching the Management Module for Enterprise Manager. Also, it includes instructions for enabling encryption to protect the password file.

Switchable authorization checks were introduced by notes 2524203, 2527346 and 2496977 to supplement checks performed using authorization object S_RFC for critical Remote-enabled Function Modules (RFMs) in components of SAP ERP. This includes RFMs in Accounts Receivable and Payable, Materials Management, and Sales and Distribution.

SAP Security Notes, May 2019

Note 1408081 was updated in May in response to the recent 10KBLAZE exploits targeting vulnerabilities in the gateway server. The note includes revised instructions for maintaining access control lists in the gateway security files reg_info and sec_info for different kernel versions. The access control lists should be configured to control external server registrations and program starts. The note recommends restricting registrations and starts to within the same system or SID cluster using the options ‘local’ and ‘internal’. However, the updates do not mention the risk that the security mechanisms applied by the recommended entries could be bypassed by attackers that register as internal servers with the message server. Therefore, it is critical to maintain access control lists for the message server to support the secure configuration of the gateway server.

For additional security against 10KBLAZE exploits, a separate port should be configured for internal message server communications, external monitor commands should be rejected, communications between kernel components should be encrypted, and the bit mask value for the profile parameter gw/reg_no_con_info should be set to a value of 255.

Note 2756453 provides manual instructions and automated corrections for removing a high-risk cross-site scripting vulnerability in S/4HANA.

Note 2784307 deals with another high-risk vulnerability in the REST Interface that could be exploited to escalate privileges in SAP Identity Management.