Layer Seven Security

SAP Security Notes, August 2019

Hot News Note 2800779 patches a remote code execution vulnerability in the SAP NetWeaver UDDI Server. The vulnerability carries a CVSS score of 9.9/10 and could be exploited to take complete control of the Services Registry, including viewing, changing, or deleting data by injecting code into the working memory which is subsequently executed by the application. The NetWeaver UDDI Server is an XML-based registry for Web Services.

Note 2786035 patches another critical remote code execution vulnerability in SAP Commerce Cloud (previously SAP Hybris Commerce). The Mediaconversion and Virtualjdbc extensions in SAP Commerce Cloud could execute malicious code injected by attackers or authenticated users. Note that some of the Mediaconversion Conversion Command parameters may not work after the implementation of the recommended patch until they are added to a whitelist.

Note 2813811 deals with a dangerous Server-Side Request Forgery (SSRF) vulnerability in the Administrator System Overview of SAP NetWeaver Application Server for Java (AS Java). The vulnerability could enable attackers to scan internal networks, perform Remote File Inclusion attacks, retrieve server files including password files, bypass firewalls, and force vulnerable servers to execute malicious requests. Refer to SAP KBA 2577844 to resolve known side-effects of the corrections in Note 2813811.

SAP Security Notes, July 2019

Hot News Note 2808158 patches a critical code injection vulnerability in the SAP Diagnostics Agent. The Agent is required to monitor operating systems and discover the database cluster topology from SAP Solution Manager. It is not required for monitoring the security of SAP systems with Solution Manager. Security-relevant data is collected or monitored primarily through RFC connections maintained between Solution Manager and managed systems.

The vulnerability impacts the OS Command Plugin in transaction GPA_ADMIN. The transaction is used to create and maintain guided procedures. Note 2808158 provides a patch for the LM_SERVICE in SP levels 05-09 of Solution Manager 7.2.

Note 2774489 addresses a high priority OS command injection vulnerability in SAP Process Integration (PI). ABAP Tests Modules of PI could enable attackers to execute privileged OS commands. The relevant support packages listed in the note should be applied to remove the vulnerable source code in the modules.

SAP Security Notes, June 2019

Note 2748699 provides instructions for securing the credentials of the standard user SM_EXTERN_WS in SAP Solution Manager. SM_EXTERN_WS is used by CA Introscope Enterprise Manager (EM) to collect monitoring metrics from mainly non-ABAP components in SAP landscapes. The metrics are collected via the Introscope Push web service. The credentials for SM_EXTERN_WS including the automatically generated password are stored in a file that is referenced with property dpcpush.credentials.file in file <EM_install_dir>/sap/<SolMan_SID> The credentials in the file are insufficiently protected against attackers. However, dialog logon with SM_EXTERN_WS is not possible since the user is a system user type. Also, SM_EXTERN_WS does not have administrative privileges.

Note 2748699 recommends deploying the LM-SERVICE software component and patching the Management Module for Enterprise Manager. Also, it includes instructions for enabling encryption to protect the password file.

Switchable authorization checks were introduced by notes 2524203, 2527346 and 2496977 to supplement checks performed using authorization object S_RFC for critical Remote-enabled Function Modules (RFMs) in components of SAP ERP. This includes RFMs in Accounts Receivable and Payable, Materials Management, and Sales and Distribution.

SAP Security Notes, May 2019

Note 1408081 was updated in May in response to the recent 10KBLAZE exploits targeting vulnerabilities in the gateway server. The note includes revised instructions for maintaining access control lists in the gateway security files reg_info and sec_info for different kernel versions. The access control lists should be configured to control external server registrations and program starts. The note recommends restricting registrations and starts to within the same system or SID cluster using the options ‘local’ and ‘internal’. However, the updates do not mention the risk that the security mechanisms applied by the recommended entries could be bypassed by attackers that register as internal servers with the message server. Therefore, it is critical to maintain access control lists for the message server to support the secure configuration of the gateway server.

For additional security against 10KBLAZE exploits, a separate port should be configured for internal message server communications, external monitor commands should be rejected, communications between kernel components should be encrypted, and the bit mask value for the profile parameter gw/reg_no_con_info should be set to a value of 255.

Note 2756453 provides manual instructions and automated corrections for removing a high-risk cross-site scripting vulnerability in S/4HANA.

Note 2784307 deals with another high-risk vulnerability in the REST Interface that could be exploited to escalate privileges in SAP Identity Management.


SAP Security Notes, April 2019

Note 2747683 patches a vulnerability in the signature security mechanism of the Adapter Engine in SAP NetWeaver Process Integration (PI). The vulnerability could enable attackers to spoof XML signatures and send arbitrary requests to the server via PI Axis adapter. Such requests will be accepted by the PI Axis adapter even if the payload has been altered, especially when the signed element is the body of the xml document.  SAP has corrected the relevant code in PI Axis Adapter. The corrections apply additional checks for signed elements for correctness before signature validation. Customers should apply the relevant support packages and patches referenced by SAP Note 2747683.

Note 2776558 provides corrections for a high-risk insufficient authorization check in SAP Funding Management.  The vulnerability could be exploited to escalate privileges and carries a CVSS score of 8.3/10.

Notes 2742758 and 2741201 deal with information disclosure vulnerabilities in in the messaging system and runtime workbench of SAP PI. This could lead to the leakage of sensitive system information that could be exploited to perform further attacks against the platform.

Note 2687663 patches a similar vulnerability in the .NET SDK WebForm Viewer of SAP Crystal Reports. Sensitive database information that could be disclosed by exploiting the vulnerability  include user credentials.


SAP Security Notes, March 2019

Note 2764283 addresses an XML External Entity vulnerability in SAP HANA extended application services (XS), advanced. HANA XS does not sufficiently validate an XML document accepted from an authenticated developer with privileges to the SAP space. Successful exploitation of the vulnerability could lead to the leading of arbitrary files in SAP servers or denial of service through resource exhaustion. Note that exploits targeting the vulnerability require either administrative or developer privileges to the SAP space of the XS advanced service. SAP recommends updating to XS advanced runtime version 1.0.102 or later.

Note 2689925 deals with a Cross-Site Scripting (XSS) Vulnerability in the SAML 1.1 SSO Demo App in the SAP NetWeaver Application Server Java. The app does not does sufficiently encode user-controlled inputs. This could lead to  unauthorized changes to web content and the theft of user credentials. The vulnerability impacts versions 7.10 – 7.50 of the software component J2EE-APPS. SAP recommends upgrading the component to the relevant patch level for each version specified in Note 2689925.

Note 2524203 introduces a switchable authorization check to secure access to the function module FKK_DOCUMENT_ READ used to read documents in Accounts Receivable and Payable.

Notes 2662687, 2727689, 2754235, 2746946, 2652102 and 2250863 patch insufficient or missing authorization checks in areas such as SAP Enterprise Financial Services, NetWeaver Application Server ABAP, S/4HANA, Convergent Invoicing and the Payment Engine.


SAP Security Notes, February 2019

Hot News Note 2742027 patches a critical broken authentication check in SAP HANA Extended Application Services, advanced model. The vulnerability could lead to unauthorized administrative access and the exfiltration, modification or deletion of sensitive data in HANA XS. The vulnerability carries a CVSS score of 9.4/10. It ranks relatively low in terms of attack complexity and requires no privileges in target systems. HANA XS Advanced should be upgraded to the patch level specified in the Note to address the risk. The Note includes manual instructions for a workaround if an upgrade is not possible. The workaround removes the affected OIDC component. A side-effect of the workaround is the deactivation of X.509-based or SPNEGO single sign-on for HANA users.

Note 2070691 deals with a high priority information disclosure vulnerability in the SAP Solution Tools Plug-In (ST-PI) that could lead to the leakage of sensitive data including configuration data and user passwords. The information can be used to perform targeted attack against database servers for SAP systems.

Note 2729710 includes a correction for a missing XML Validation vulnerability in the System Landscape Directory (SLD).

The correction avoids processing of all XML files that use XML External Entity (XXE). This could cause the SLD to continuously loop, read arbitrary files and send local files.

SAP Security Notes, January 2019

Hot News Note 2696233 deals with multiple vulnerabilities in the SAP Cloud Connector. The Connector is an agent that connects on premise systems with applications operating on the SAP Cloud Platform.  The agent supports HTTP, RFC, JDBC/ODBC and other connections between on-premise and cloud installations using reverse invoke without requiring inbound ports to be opened in on-premise network firewalls. Therefore, the Connector is designed to support secure cloud and on-premise connectivity. Note 2696233 patches a missing authentication vulnerability in the SAP Cloud Connector with a CVSS score of 9.3/10. It also addresses a lower-risk code injection vulnerability that could lead to information disclosure or a denial of service in the Connector. Customers are advised to upgrade to SAP Cloud Connector 2.11.3 to remove the vulnerabilities.

Hot News Note 2727624 includes corrections for removing a critical information disclosure vulnerability in SAP Landscape Management.  Landscape Management supports system cloning, copying, refreshing and other system administration tasks. The vulnerability addressed by Note 2727624 could be exploited by attackers to steal user credentials. The note recommends deleting entries in log files and changing passwords for system users that may be disclosed in logs.

Other high priority notes include 2727623 which removes a missing authorization check in SAP BW/4HANA and Note 2724788 which tackles various vulnerabilities in the Adobe PDF Print Library.

SAP Security Notes, December 2018

Hot News Note 2711425 patches a critical Cross-Site Scripting (XSS) vulnerability in SAP Hybris Commerce storefronts. The vulnerability could be exploited by attackers to modify web content and compromise user-related  authentication data. It affects versions 6.2 through 6.7 and 18.08 of SAP Hybris Commerce, including all but the latest patch releases. The vulnerability carries a CVSS v3.0 base score of 9.3/10 and scores particularly high in terms of impact to confidentiality and integrity. The related exploit is relatively non-complex and does not require any privileges in the target system. In addition to applying the automated updates referenced in Note 2711425, manual steps may be required to remove the vulnerability in cases where custom HTTP headers are used for caching, SAP Hybris Commerce is positioned behind a HTTP reverse proxy or load balancer, or the system is used in conjunction with a content delivery network (CDN).

Note 2642680 deals with a high-risk XML External Entity (XXE) vulnerability in SAP NetWeaver Application Server Java (AS Java) caused by missing validation for  XML documents received from untrusted sources. The vulnerability could lead to the compromise of the SAP file system or enable attackers to provoke a denial of service.

Note 2658279 patches an insufficient authorization check impacting the AS Java keystore service.

Note 2698996 removes a missing authorization check in SAP Customizing Tools. The note introduces a check for object S_RFC_ADM to prevent an escalation of privileges.

SAP Security Notes, November 2018

Hot News Note 2622660 includes critical security updates for web browser controls delivered with SAP Business Client. The Client provides a unified environment for SAP applications including Fiori, SAP GUI, and Web Dynpro.  It supports browser controls from Internet Explorer (IE) and Chrome for displaying HTML content. Security corrections for the WebBrowser control of the .NET framework in IE are delivered directly by Microsoft. Unlike IE, the browser control for Chrome is embedded in SAP Business Client using the open source Chromium Embedded Framework (CEF). Security fixes are provided by the Chromium project and delivered by SAP through periodic Security Notes.  Note 2622660 was updated for multiple high-risk vulnerabilities addressed by Chromium release 70.0.3538.

Note 2681280 patches a critical remote code execution vulnerability in SAP HANA Streaming Analytics (HSA). The vulnerability impacts the open source Java-based Spring Framework library used by HSA. The note carries a CVSS score of 9.9/10.

Note 2701410 deals with a high-risk directory traversal vulnerability that could be exploited by attackers to access, modify or corrupt files on hosts supporting SAP Disclosure Management.

Note 2693083 removes transaction ZPTTNO_TIME from the standard role SAP_PS_RM_PRO_RECMANAGER. The transaction could be abused to escalate privileges in CRM Records and Case Management.