Layer Seven Security

SAP Security Notes, July 2017

Note 2442993 deals with a high-risk vulnerability in the Host Agent for SAP HANA. The Host Agent is automatically installed with every SAP instance on NetWeaver 7.02 and higher. The stand-alone component is used for controlling and monitoring SAP and non-SAP instances, databases and operating systems. Note 2442993 recommends upgrading to version 7.21 PL25 to remove a vulnerability in earlier versions that could be exploited by attackers to shutdown the Host Agent through malicious SOAP requests used for cross-platform communication via transport protocols such as HTTP and XML. A shutdown of the Host Agent could interrupt the availability of SAP services and explains the high CVSS score of 7.5/10 within the Note. Detailed instructions for upgrading the Host Agent are available in Note 1031096. The command ./saphostexec -upgrade should be performed after steps 1-4 outlined in the installation section of the Note.

Note 2476601 has an even higher CVSS score of 8.1/10. The note removes missing authentication checks in the SAP Point-of-Sale (POS) Xpress Server. The POS Xpress Server integrates components within the SAP POS suite including applications, clients and databases. Xpress Servers with Internet connectivity are particularly vulnerable to exploits targeting the missing authentication checks patched by the Note.

Note 2478377 recommends upgrading Sybase products impacted by Sweet32 attacks that target design weaknesses in some 64-bit block ciphers such as Triple-DES and Blowfish commonly used by the Internet protocols TLS, SSH and IPSec. The Sweet32 attack was discovered by researchers from the French National Research Institute for Computer Science (INRIA) in 2016 and can be used to recover HTTP session cookies in some specific scenarios.

Notes 2100926, 2184221 and 2185122 introduce switchable authorization checks for certain RFC enabled function modules in Business Warehouse, Public Services, and Master Data Governance. Switchable authorization checks supplement checks for the S_RFC authorization object and should be activated using transaction SACF.

SAP Security Notes, June 2017

Note 2416119 was reissued in June with updated release information and solution instructions.  The note provides instructions for maintaining the property URLCheck ServerCertificate in Java Application Servers. The instructions are intended to mitigate the risk of man-in-the-middle attacks by securing client-server HTTPS connections. Certificates signed by Certificate Authorities should be maintained in client keystores to avoid possible failures in HTTPS calls. Detailed instructions are available in the Manual Activities section of Note 2416119 and in the Resolution section of Note 2452615.

Note 2444321 corrects a program error in the SsfVerifyEx function of the SAP Common Cryptographic Library (Common CryptoLib). The error can lead to a failure in authorization and authentication checks for certificates.  SAP-delivered applications do not use the vulnerable SsfVerifyEx function.  However, SsfVerifyEx may be called by custom programs through the function module SSFW_KRN_VERIFY within the SSFW function group and the method VERIFY_XML within the SAP class CL_SEC_ SXML_DSIGNATURE.

Notes 2313631 and 2389181 deal with Denial of Service vulnerabilities impacting  the Launchpad and Central Management Console (CMC) within Business Intelligence  and the Instance Agent Service (sapstartsrv), respectively. The Launchpad and CMC are popular portals used to access BI content.

Sapstartsrv is a host-level service for controlling and monitoring SAP processes.

Note 2427292 includes corrections for an information disclosure vulnerability in the Microsoft Management Console (MMC) that could enable attackers to discover the password of hidden users. The credentials could be used to start or stop Java systems via the MMC Web Service.

SAP Security Notes, May 2017

Note 2380277 addresses a high priority memory corruption vulnerability in the GUI control component of the Internet Graphics Server (IGS). GUI control is a self-contained component of the presentation server in ABAP systems. The Note contains corrections for logical errors in memory management within the component. The errors could be exploited by attackers to extract sensitive information or perform a denial of service by provoking a buffer overflow or underflow. This is caused by specially crafted commands or objects that force GUI Control to perform out-of-bounds memory reads. For detailed information, refer to CVE-2015-8540.

Note 2462813 provides instructions for securing dynamic selections in SQL queries using the function module FREE_SELECTIONS_RANGE_2_WHERE. The instructions are intended to mitigate SQL injection attacks against the Revenue Accounting application in SAP ERP. Successful SQL injection exploits can lead attackers to perform administrative database operations including reading, modifying and deleting sensitive data.

Note 2433777 deals with authorization errors in the ABAP File Interface used to edit files stored in SAP application servers. The Interface does not effectively perform authority checks for file or path names containing specific control characters. This could enable attackers to access restricted files. As a result, the corrections packaged with the Note disable the ABAP statements OPEN DATASET and DELETE DATASET for file names with control characters.

Note 2441560  removes a denial of service vulnerability in SAPCAR that could be exploited by attackers to gain root access to  servers processing prepared archives. SAPCAR is a utility that is used to compress and decompress files delivered by SAP. SAPCAR 7.21 should be updated to patch level 816 or higher to address the vulnerability.

SAP Security Notes, April 2017

Note 2419592 includes further corrections for a code injection vulnerability in TREX that was originally patched by SAP through Note 2234226 in February 2016. The vulnerability impacts the TREXNet protocol used for internal communications by TREX components and servers. TREXNet communication does not require any authentication. Therefore, the protocol can be abused to execute dangerous commands including OS commands using the administrative privileges of the <SID>ADM user. As a result, SAP recommends running TREX in an isolated subnet. Detailed instructions are documented in the TREX Installation Guide. However, the corrections included in Note 2419592 block access to the TREXNet interface from outside the TREX landscape. Therefore, it protects unsegmented systems against malicious commands targeting the protocol. TREX versions 7.10 and 7.25 must be upgraded to revisions 74 and 37 respectively to apply the corrections.

Note 2235515 includes an important update for SNOTE to log information related to the RFC destination used to download notes. SNOTE can be abused to download malicious packages from attacker controlled servers if the default RFC destination is changed. SNOTE executes program SCWN_NOTE_DOWNLOAD during runtime. The program will use an alternative RFC destination maintained in table CWBRFCUSR if a destination is defined in the table.  For more information refer to Note 2235514.

Notes 2410082, 2372301, 2400292 and 2387249 deal with weaknesses in XML input validation that expose several ABAP and Java applications to XML External Entity (XXE) attacks. The impact of successful XXE exploits include sensitive information disclosure and denial of service.

Finally, Note 2407616 provides an update for saprules.xml to secure against a high-risk vulnerability that could enable attackers to execute remote commands against SAP GUI. saprules.xml is used by the SAP GUI Security Module to protect clients against  potentially malicious commands from back-end SAP servers.

SAP Security Notes, March 2017

Note 2424173 deals with vulnerabilities in SAP HANA that were the subject of media attention in March. This includes coverage from the television news channel MSNBC. The vulnerabilities impact areas such as User Self Service Tools that support account-related tasks including password resets and self-registration through a web interface.

The Note carries a CVSS of 9.8/10. The exploit range and impact are high. The attack complexity is low and no specific privileges are required to execute the related exploits.

Attacks that exploit the vulnerable areas of user self-service appear to target the SYSTEM user in SAP HANA. The SYSTEM user is a powerful default user that should be deactivated after the initial install of the database. Any compromise of the SYSTEM user can lead to anonymous and privileged access to SAP HANA, leading to the complete compromise of the platform and data stored or processed by HANA.

User self-service tools are disabled in the default configuration of SAP HANA. Activation requires the creation of a technical user, configuring SMTP services and maintaining relevant parameters in the xsengine.ini file.

User self-service parameters and the status of the SYSTEM user can be monitored using SAP Solution Manager. The latter includes successful and unsuccessful logon attempts. Automatic alerts can be enabled for vulnerable settings and any action performed by the SYSTEM user.

Other critical corrections include Note 2319506 which removes a blind SQL injection vulnerability in Database Monitors for Oracle. The exploit addressed by the Note targets vulnerable input parameters in the function modules STUO_GET_ORA_ SYS_TABLE and STUO_GET_ORA_SYS_ TABLE_2 used to read or modify system tables.

Notes 2381388 and 2378999 remove missing authorization checks in the stock transfer process of Materials Management, a widely-deployed module of SAP ERP.

Finally, Note 2429069 addresses a session fixation vulnerability in SAP HANA 2.0 that enables attackers to decipher the session IDs of concurrent users.

SAP Security Notes, February 2017

Note 2410061 patches a dangerous Distributed Denial of Service (DDoS) vulnerability in the Data Orchestration Engine (DOE) Administration Portal. The DOE is used to access the SAP NetWeaver Mobile Administrator to manage and monitor mobile system landscapes. This includes connecting mobile clients, deploying agents and packages to mobile devices, managing single sign-on, and other tasks.

The DDoS vulnerability stems from the system messages area of the DOE. This is used to transmit messages to mobile clients. Attackers can provoke a denial of service in the DOE by flooding the system messages service and exhausting available resources.

Note 2407694 addresses a similar denial of service vulnerability in the SAP Web IDE for SAP HANA. Web IDE is a development tool for building and deploying Fiori and other applications. The sinopia registry in the Web IDE crashes during publication if a package name contains special characters. Exploitation of the vulnerability can be prevented by blocking the registry from registering new users. The Note includes instructions for identifying systems that have been successfully attacked using the vulnerability. It also included details of a workaround to block attempted new user registrations by modifying permissions for the htpasswd file.

Note 2392860 removes the transaction code ZPTTNO_TIME from the standard roles SAP_PS_RM_PRO_ADMIN and SAP_PS_RM_PRO_REVIEWER. The transaction can be used to escalate privileges by creating other custom transactions.

Note 2413716 provides instructions for securing the trusted RFC connection for GRC Access Controls Emergency Access Management (EAM). The trusted connection is required to switch user accounts to Fire Fighter IDs (FFIDs).

The instructions include maintaining the authorization objects S_RFCACL and S_ICF, deactivating passwords for FFIDs, and controlling critical basis authorizations for managing trust relationships and RFC destinations.


SAP Security Notes, January 2017

Note 2407862 deals with a highly dangerous buffer overflow vulnerability in Sybase Software Asset Management (SySAM) that scores almost 10/10 using the Common Vulnerability Scoring System.  SySAM performs license management for products such as ASE, ESP, PowerDesigner and the Replication Server.

The vulnerability arises from the Flexera Flexnet Publisher software bundled in SySAM. The third party software is bundled in products provided not only by Sybase, but vendors such as Intel, Cisco, HP, Adobe, RSA and Siemens.

Flexnet Publisher is vulnerable to a stack buffer overflow vulnerability that could enable attackers to execute arbitrary code remotely and without authentication. Since the code could provoke a crash in the Vendor Daemon which performs license control in software products, it could lead to a denial of service in SySAM and products that rely on SySAM. This explains the extremely high CVSS score of the vulnerability.

According to Flexera, a patch for the vulnerability was made available to vendors in November 2015. It is not clear if this included SAP. The vulnerability was published in the NIST National Vulnerability Database (NVD) shortly thereafter in February 2016.  Despite the criticality of the vulnerability, a correction for SySAM was only made available in January 2017. Customers are advised to download and install SySAM 2.4 to apply the correction.

Note 2389042 deals with a similar denial of service vulnerability in SAP Single Sign-On (SSO) which could interrupt the availability of SAP services for users. The SSO Authentication Library should be patched to the latest patch level specified in the Note.

Note 2407696 removes support for the DES encryption algorithm used to secure configuration data in SAP Online Banking 8.3. SAP recommends using stronger algorithms supported by Online Banking including AES and 3DES. Note that AES is more efficient in software implementations than 3DES since 3DES was designed for hardware implementations.