SAP Security Notes, January 2017

Note 2407862 deals with a highly dangerous buffer overflow vulnerability in Sybase Software Asset Management (SySAM) that scores almost 10/10 using the Common Vulnerability Scoring System.  SySAM performs license management for products such as ASE, ESP, PowerDesigner and the Replication Server.

The vulnerability arises from the Flexera Flexnet Publisher software bundled in SySAM. The third party software is bundled in products provided not only by Sybase, but vendors such as Intel, Cisco, HP, Adobe, RSA and Siemens.

Flexnet Publisher is vulnerable to a stack buffer overflow vulnerability that could enable attackers to execute arbitrary code remotely and without authentication. Since the code could provoke a crash in the Vendor Daemon which performs license control in software products, it could lead to a denial of service in SySAM and products that rely on SySAM. This explains the extremely high CVSS score of the vulnerability.

According to Flexera, a patch for the vulnerability was made available to vendors in November 2015. It is not clear if this included SAP. The vulnerability was published in the NIST National Vulnerability Database (NVD) shortly thereafter in February 2016.  Despite the criticality of the vulnerability, a correction for SySAM was only made available in January 2017. Customers are advised to download and install SySAM 2.4 to apply the correction.

Note 2389042 deals with a similar denial of service vulnerability in SAP Single Sign-On (SSO) which could interrupt the availability of SAP services for users. The SSO Authentication Library should be patched to the latest patch level specified in the Note.

Note 2407696 removes support for the DES encryption algorithm used to secure configuration data in SAP Online Banking 8.3. SAP recommends using stronger algorithms supported by Online Banking including AES and 3DES. Note that AES is more efficient in software implementations than 3DES since 3DES was designed for hardware implementations.

Leave a Reply

Your email address will not be published.