Category: Advisories

Note 2410061 patches a dangerous Distributed Denial of Service (DDoS) vulnerability in the Data Orchestration Engine (DOE) Administration Portal. The DOE is used to access the SAP NetWeaver Mobile Administrator to manage and monitor mobile system landscapes. This includes connecting mobile clients, deploying agents and packages to mobile devices, managing single sign-on, and other tasks.

The DDoS vulnerability stems from the system messages area of the DOE. This is used to transmit messages to mobile clients. Attackers can provoke a denial of service in the DOE by flooding the system messages service and exhausting available resources.

Note 2407694 addresses a similar denial of service vulnerability in the SAP Web IDE for SAP HANA. Web IDE is a development tool for building and deploying Fiori and other applications. The sinopia registry in the Web IDE crashes during publication if a package name contains special characters. Exploitation of the vulnerability can be prevented by blocking the registry from registering new users. The Note includes instructions for identifying systems that have been successfully attacked using the vulnerability. It also included details of a workaround to block attempted new user registrations by modifying permissions for the htpasswd file.

Note 2392860 removes the transaction code ZPTTNO_TIME from the standard roles SAP_PS_RM_PRO_ADMIN and SAP_PS_RM_PRO_REVIEWER. The transaction can be used to escalate privileges by creating other custom transactions.

Note 2413716 provides instructions for securing the trusted RFC connection for GRC Access Controls Emergency Access Management (EAM). The trusted connection is required to switch user accounts to Fire Fighter IDs (FFIDs).

The instructions include maintaining the authorization objects S_RFCACL and S_ICF, deactivating passwords for FFIDs, and controlling critical basis authorizations for managing trust relationships and RFC destinations.

 

Note 2407862 deals with a highly dangerous buffer overflow vulnerability in Sybase Software Asset Management (SySAM) that scores almost 10/10 using the Common Vulnerability Scoring System.  SySAM performs license management for products such as ASE, ESP, PowerDesigner and the Replication Server.

The vulnerability arises from the Flexera Flexnet Publisher software bundled in SySAM. The third party software is bundled in products provided not only by Sybase, but vendors such as Intel, Cisco, HP, Adobe, RSA and Siemens.

Flexnet Publisher is vulnerable to a stack buffer overflow vulnerability that could enable attackers to execute arbitrary code remotely and without authentication. Since the code could provoke a crash in the Vendor Daemon which performs license control in software products, it could lead to a denial of service in SySAM and products that rely on SySAM. This explains the extremely high CVSS score of the vulnerability.

According to Flexera, a patch for the vulnerability was made available to vendors in November 2015. It is not clear if this included SAP. The vulnerability was published in the NIST National Vulnerability Database (NVD) shortly thereafter in February 2016.  Despite the criticality of the vulnerability, a correction for SySAM was only made available in January 2017. Customers are advised to download and install SySAM 2.4 to apply the correction.

Note 2389042 deals with a similar denial of service vulnerability in SAP Single Sign-On (SSO) which could interrupt the availability of SAP services for users. The SSO Authentication Library should be patched to the latest patch level specified in the Note.

Note 2407696 removes support for the DES encryption algorithm used to secure configuration data in SAP Online Banking 8.3. SAP recommends using stronger algorithms supported by Online Banking including AES and 3DES. Note that AES is more efficient in software implementations than 3DES since 3DES was designed for hardware implementations.