Layer Seven Security

SAP Security Notes, April 2018

Hot News Note 2622660 includes critical security updates for web browser controls delivered with SAP Business Client. The Client provides a unified environment for SAP applications including Fiori, SAP GUI, and Web Dynpro.  It supports browser controls from Internet Explorer (IE) and Chrome for displaying HTML content. Security corrections for the WebBrowser control of the .NET framework in IE are delivered directly by Microsoft. Unlike IE, the browser control for Chrome is embedded in SAP Business Client using the open source Chromium Embedded Framework (CEF). Security fixes are provided by the Chromium project and delivered by SAP through periodic Security Notes.  Note 2622660 includes corrections addressed by Chromium releases 64 and 65. The critical rating of the note is due to the fact that the highest CVSS rating of the security corrections bundled in the fixes is 9.8/10.

Note 2552318 provides an important update for Note 2376081 released in August 2017. The note deals with a high priority code injection vulnerability impacting iviews created in Visual Composer. Iviews are interactive, web-based applications in Java platforms. The corrections included in Notes 2552318 and 2376081 will support code injection checks for the entire input stream received from Visual Composer in the export to Excel mechanism. Note 2376081 should be implemented before 2552318.

Note 2537150 includes corrections to automatically terminate active sessions for user whose passwords have been changed in BusinessObjects.

Note 2587985 provides instructions for removing a Denial of Service (DOS) vulnerability in the Apache Http Server embedded in SAP Business One.

Finally, Note 2190621 provides a solution to log peer IP addresses instead of terminal IP addresses in the Security Audit Log, Peer or routed IP addresses are less vulnerable to manipulation than terminal IP addresses.

SAP Security Notes, March 2018

Note 2331141 addresses a high-risk SQL injection vulnerability in the FI Localization tables of S/4HANA. The corrections included in the support packages listed in the note will enable screening of user input for dangerous SQL statements. The formula expressions delivered in Note 2261750 are a prerequisite for user input validation checks delivered via the note.

Note 2604541 includes corrections in support packages for a dangerous denial of service and DDOS vulnerability in the Java OData Gateway. The vulnerability impacts vulnerable open-source Apache servlets that manage incoming OData requests. Refer to CVE-2017-12624 and CVE-2017-3156 for further details.

Notes 2596535 and 2587369 deal with information disclosure vulnerabilities in SAP Business Process Automation (BPA) by Redwood and SAP HANA 1.0 and 2.0. Both notes carry a CVSS score of 7.5 or higher and  could be exploited to leak sensitive system and user-related data. In the case of SAP HANA, user credentials may be stored in clear text in indexserver trace files. Attackers may be able to access systems using compromised credentials garnered from the files. This requires TRACE_ADMIN or CATALOG READ privileges. Access to these and other critical privileges in HANA systems should be monitored using SAP Solution Manager.

Note 2595262 includes corrections for a cross-site scripting vulnerability in the SAP CRM WebClient UI. The note has multiple prerequisite notes including collective note 2577883.

Finally, Note 2538829 includes updated libraries for open-source components in the SAP Internet Graphics Server (IGS) that are vulnerable to remote code execution attacks that could lead to memory corruption and provoke a denial of service.

SAP Security Notes, February 2018

Note 2589129 addresses multiple high-risk vulnerabilities in HANA Extended Services Advanced (XSA) Server. XSA provides a development and runtime platform for HANA applications. XSA delivers improved reliability and scalability over HANA XS by providing separate runtime environments for applications. Applications operate in trust zones known as spaces. Applications deployed to the same space can share common resources such as data storage, user authorizations, and passwords. Permissions to manage spaces including domains and resources are granted through controller roles.

Note 2589129 recommends using HANA XSA patch level 1.0.70 in order to remove several authentication and authorization bypass vulnerabilities listed in the Note. This includes flaws in specific controller roles that could enable users to retrieve sensitive information. It also includes vulnerabilities that could enable unauthenticated or unauthorized users to read the system configuration using SQL statements and retrieve passwords from log files.

Note 2525222 includes automated corrections and manual instructions for high priority vulnerabilities in the SAP Internet Graphics Server (IGS). The vulnerabilities are caused by unrestricted file uploads that could be exploited to provoke a denial of service, perform cross-site scripting or log injection attacks, and leak sensitive data.

Lastly, Note 2565622 includes corrections to remove a broken authentication vulnerability that could enable attackers to access privileged  functions or read and modify sensitive data in the SAP NetWeaver System Landscape Directory (SLD). The SLD supports landscape management and stores destination information used for system interfaces and the NetWeaver Development Infrastructure (NWDI).

SAP Security Notes, January 2018

Note 2580634 provides instructions for removing a malicious file insertion vulnerability in the Process Control and Risk Management applications of SAP Governance, Risk and Compliance (GRC). The vulnerability could be exploited to upload malicious scripts or other forms of malware to SAP servers. The note includes manual instructions for implementing package GRFN_DOCUMENT_ WT_CHECK of the BAdI GRFN_DOCUMENT. This will activate a positive whitelist in table GRFNDOCUMENTWT to control permitted file extensions and mime types.

Note 2408073 provides updated instructions for the handling of digitally signed notes in the Note Assistant. Note 2518518 should be implemented before Note 2408073 to install new objects  required to support Notes with digital signatures. The Notes will update the Note Assistant tool to verify digital signatures using the SAPCAR utility. SAPCAR must version 7.20, patch level 2 or higher.  The Note Assistant tool will process ZIP files containing Notes downloaded from the SAP Support Portal and log the results of digital signature checks. Notes that fail the digital signature check will be logged in the Application Log (transaction SLG1) and read by the Notes Assistant using the authorization object S_APPL_LOG. For further information, refer to 2537133 – FAQ – Digitally Signed SAP Notes and the Digital Signature User Guide referenced in Note 2408073. Note 2507934 provides instructions for adjusting role SAP_BPO_CONFIG in SAP Solution Manager 7.2. The instructions restrict authorizations for table maintenance in the role to BPO-relevant tables belonging to the authorizataion groups SS, LMDB, PIMA, SA, IWAD, and SC.

SAP Security Notes, December 2017

SAP issued an important update for Hot News Note 2371726 originally released in November 2016. The note addresses a code injection vulnerability in Text Conversion which enables SAP standard text to be replaced by industry specific text. Function module BRAN_DIR_CREATE in Text Conversion enables an authenticated development user to inject operating system commands and execute these from the SAP system via that function. Developer rights through the S_DEVELOP authorization object are required for the successful execution of the exploit. Nonetheless, the note carries a CVSS score of 9.10/ 10 and rates high in terms of impact to data confidentiality, integrity and availability. The note includes corrections for SAP Basis versions 700 – 751 which restrict the range of supported special characters and the directory created by function module BRAN_DIR_ CREATE.

Note 2486657 patches a high-risk directory traversal vulnerability in the API Engine of AS Java which arises from insufficient path validation performed by the Servlet API for resource requests. This could lead attackers to read the content of arbitrary files on servers and expose sensitive data to corruption or deletion. The Note includes instructions for updating versions 7.10 – 7.50 of AS Java to the latest patch level including the vulnerable components ENGINEAPI, J2EE ENGINE, J2EE ENGINE CORE and JEECOR.

Note 2476937 delivers a patch for a critical denial of service vulnerability in the SAP Standalone Enqueue Server which is used to support direct TCP connections between clients and servers that bypass dispatchers and message servers. Attackers can trigger resource exhaustion in the Server using specific requests.  The Note includes kernel patches for SAP Kernel versions 7.21 – 7.53.

Notes 2408073 includes updated instructions for manual activities required to prepare SAP systems to process digitally signed Notes. The note also includes sample files to test the security features once they are enabled.

SAP Security Notes, November 2017

Note 2357141 includes updated instructions for removing a critical OS command injection vulnerability in Report for Terminology Export. This is a component of the Basis area Terminology and Glossary (transaction STERM) used to maintain standard terminology for management reporting, financial controlling, product development, and other areas.  Report for Terminology Export does not sufficiently validate user input that is used to perform operating commands through the command variable in system calls. The vulnerability could be exploited to perform arbitrary OS commands using the privileges of the underlying service. This could compromise the SAP file system.

SAP updated the priority of Notes 2531241 and 2520772 from High to Hot News based on revised CVSS scores. The Notes were originally released in September and provide corrections for patching SAP Landscape Management (LVM) to prevent the storage of sensitive information including administrative passwords in plaintext within logs that can be read in database tables. The patches released with the Notes prevent LVM from persisting passwords in plaintext but do not remove sensitive information already stored in the logs. Therefore, the solution sections includes instructions for changing passwords and discovering and removing sensitive log entries.

Note 2500044 introduces improved key management procedures through the profile variable jstartup/secure_key in order to prevent attackers from accessing private keys used for instance communication in the J2EE.

Note 2026174 deals with a high risk code injection vulnerability in a component of the Apache Struts framework used by SAP BusinessObjects Enterprise.

Finally, Note 2542426 provides recommendations for removing a privilege escalation vulnerability in the Image Imports component of SAP Assortment Planning.

SAP Security Notes, October 2017

SAP issued an important update for Hot News Note 2371726 originally released in November 2016. The note addresses a code injection vulnerability in Text Conversion which enables SAP standard text to be replaced by industry specific text. Function module BRAN_DIR_CREATE in Text Conversion enables an authenticated development user to inject operating system commands and execute these from the SAP system via that function. Developer rights through the S_DEVELOP authorization object are required for the successful execution of the exploit. Nonetheless, the note carries a CVSS score of 9.10/ 10 and rates high in terms of impact to data confidentiality, integrity and availability. The note includes corrections for SAP Basis versions 700 – 751 which restrict the range of supported special characters and the directory created by function module BRAN_DIR_ CREATE.

Note 2486657 patches a high-risk directory traversal vulnerability in the API Engine of AS Java which arises from insufficient path validation performed by the Servlet API for resource requests. This could lead attackers to read the content of arbitrary files on servers and expose sensitive data to corruption or deletion. The Note includes instructions for updating versions 7.10 – 7.50 of AS Java to the latest patch level including the vulnerable components ENGINEAPI, J2EE ENGINE, J2EE ENGINE CORE and JEECOR.

Note 2476937 delivers a patch for a critical denial of service vulnerability in the SAP Standalone Enqueue Server which is used to support direct TCP connections between clients and servers that bypass dispatchers and message servers. Attackers can trigger resource exhaustion in the Server using specific requests.  The Note includes kernel patches for SAP Kernel versions 7.21 – 7.53.

Note 2408073 includes updated instructions for manual activities required to prepare SAP systems to process digitally signed Notes. The note also includes sample files to test the security features once they are enabled.

SAP Security Notes, September 2017

Note 2408073 prepares systems to handle digitally signed SAP Notes. Digitally signed Notes will be issued by SAP in the future to protect against the risk of uploading Notes containing malware.  Digital signatures will support authentication and the identification of changes performed by attackers to SAP-delivered Notes.  SAP recommends only uploading digital signed Notes once they are available.

Note 2518518 should be implemented before Note 2408073 to install new objects  required to support Notes with digital signatures. The Notes will update the Note Assistant tool to verify digital signatures using the SAPCAR utility. SAPCAR must version 7.20, patch level 2 or higher.  The Note Assistant tool will process ZIP files containing Notes downloaded from the SAP Support Portal and log the results of digital signature checks. Notes that fail the digital signature check will be logged in the Application Log (transaction SLG1) and read by the Notes Assistant using the authorization object S_APPL_LOG. For further information, refer to 2537133 – FAQ – Digitally Signed SAP Notes and the Digital Signature User Guide referenced in Note 2408073.

Note 2520064 provides detailed instructions for removing a missing authentication check in the SAP Point-of-Sale (POS) Retail Xpress Server that was originally reported in July. The vulnerability could be exploited by attackers to modify files, capture sensitive information and perform a denial of service.

Notes 2531241 and 2520772 provide corrections for patching SAP Landscape Management (LVM) to prevent the storage of sensitive information including administrative passwords in plaintext within logs that can be read in database tables. The patches released with the Notes prevent LVM from persisting passwords in plaintext but do not remove sensitive information already stored in the logs. Therefore, the solution section includes instructions for changing passwords and discovering and removing sensitive log entries.

Finally, Note 2278931 removes a high-risk code injection vulnerability in Document Management Services. The vulnerability could be exploited by attackers to create backdoors or escalate privileges.

SAP Security Notes, August 2017

Note 2381071 patches a critical cross-site Ajax vulnerability in the Prototype JS library of BusinessObjects. Ajax is a method often used by JavaScripts to exchange data between servers and clients to update parts of web pages without refreshing or reloading entire pages.  This minimizes network bandwidth usage and also improves response times through rapid operations. Ajax is an acronym for Asynchronous JavaScript and XML since it’s applied via XmlHttpRequest objects that interact dynamically with servers using JavaScript. XMLHttpRequest objects call server-side objects like pages and web services.

Browsers commonly apply a same-origin policy that prevent pages from accessing external resources that have a different scheme, hostname or port than existing pages. However, same-origin policies can be bypassed using procedures such as cross-origin resource sharing.  This could be exploited to transmit or load sensitive data to/ from malicious servers.  The cross-site Ajax request vulnerability addressed by Note 2381071 applies to versions 4.0 – 4.2 of BusinessObjects. Corrections are included in the patch levels for each relevant support package.

Note 2486657 deals with a high-risk directory traversal vulnerability in the NetWeaver AS Java Web Container. The Web Container is a component of the J2EE Engine and provides the runtime environment for Java applications including servlets and BSPs.

It receives HTTP requests from clients via the AS Java dispatcher. The requests are processed by applications in the Web Container to access business objects in the EJB Container. Note 2486657 improves input validation for file paths to prevent applications using the Servlet API exposing resources in parent directories or other directories outside the application context.

Other important notes include Notes 2376081, 2423540, 2524134 and 2280932 that patch a code injection vulnerability impacting iviews in Visual Composer, a URL redirection vulnerability in the SAP NetWeaver Logon Application, and a missing authorization check in the Security Provider Service.

SAP Security Notes, July 2017

Note 2442993 deals with a high-risk vulnerability in the Host Agent for SAP HANA. The Host Agent is automatically installed with every SAP instance on NetWeaver 7.02 and higher. The stand-alone component is used for controlling and monitoring SAP and non-SAP instances, databases and operating systems. Note 2442993 recommends upgrading to version 7.21 PL25 to remove a vulnerability in earlier versions that could be exploited by attackers to shutdown the Host Agent through malicious SOAP requests used for cross-platform communication via transport protocols such as HTTP and XML. A shutdown of the Host Agent could interrupt the availability of SAP services and explains the high CVSS score of 7.5/10 within the Note. Detailed instructions for upgrading the Host Agent are available in Note 1031096. The command ./saphostexec -upgrade should be performed after steps 1-4 outlined in the installation section of the Note.

Note 2476601 has an even higher CVSS score of 8.1/10. The note removes missing authentication checks in the SAP Point-of-Sale (POS) Xpress Server. The POS Xpress Server integrates components within the SAP POS suite including applications, clients and databases. Xpress Servers with Internet connectivity are particularly vulnerable to exploits targeting the missing authentication checks patched by the Note.

Note 2478377 recommends upgrading Sybase products impacted by Sweet32 attacks that target design weaknesses in some 64-bit block ciphers such as Triple-DES and Blowfish commonly used by the Internet protocols TLS, SSH and IPSec. The Sweet32 attack was discovered by researchers from the French National Research Institute for Computer Science (INRIA) in 2016 and can be used to recover HTTP session cookies in some specific scenarios.

Notes 2100926, 2184221 and 2185122 introduce switchable authorization checks for certain RFC enabled function modules in Business Warehouse, Public Services, and Master Data Governance. Switchable authorization checks supplement checks for the S_RFC authorization object and should be activated using transaction SACF.