SAP has released the monthly critical patch update for May 2016. This patch update closes 21 vulnerabilities in SAP products, including 10 SAP Security Patch Day Notes and 11 Support Package Notes. 10 of the Notes were released after the second Tuesday of the previous month and before the second Tuesday of this month. 4 of the Notes are updates to previous Security Notes.
3 of the closed SAP Security Notes have a high priority rating and 1 has a Hot News rating. The highest CVSS score of the vulnerabilities is 9.0.
Most of the discovered vulnerabilities belong to the SAP NetWeaver ABAP platform, the oldest and most widespread one. It is the backend platform for most of the common business applications such as ERP, CRM, SRM, and PLM.
The most common vulnerability type is Missing authorization check.
This month, 2 critical vulnerabilities identified by ERPScan's researchers Alexey Tyurin and Vahagn Vardanyan were closed (one of them is a hard-coded credentials vulnerability, one of the most important but underestimated issues in SAP security).
About Hard-coded Credentials vulnerability
Hard-coding refers to the software development practice of embedding an input value directly in the source code. Hard-coded credentials pose a risk to an organization: an attacker can use them to reach the functionality the application exposes and thereby escalate privileges in the system, commit industrial espionage, or change business-critical data. Moreover, this type of vulnerability is difficult to fix, since often only a developer can remove it.
About Hard-coded Credentials vulnerability in ABAP
Description: Access to some functionality is granted not to users with the appropriate rights but to users with specific usernames. For example:
IF sy-uname = 'EVILUSER'.   " backdoor: behaviour keyed on one specific user ID
  SELECT bname passwd FROM usr02 INTO TABLE hacked_credentials UP TO 100 ROWS.
ENDIF.
Threat: If access is granted to users with specific account names, it may be a backdoor, or debugging code written to validate functionality, that has made its way into the productive system; either way it threatens the system's security.
Solution: It is strictly recommended to avoid username-based access in any production system.
Hard-coded credentials are rather common in SAP systems: 106 vulnerabilities of this type had been closed in total by the end of 2015, and the real number of such issues is not limited to this count. SAP customers can develop extensions to fulfill their requirements using the ABAP, Java, and XSJS languages or frameworks such as UI5 for HANA. Hard-coded credentials or other hard-coded values left in these applications by third-party or internal developers (intentionally or unintentionally) can serve as backdoors for executing malicious functionality.
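To make the pattern above concrete from the defender's side, here is an added example (not code from the article, ERPScan or SAP): a small Python heuristic that scans ABAP source for the two forms of hard-coding the article describes, a branch keyed on sy-uname and a password literal assigned to a variable, while ignoring comments and not echoing any secret it finds. The ABAP it scans is constructed for the demo; the authorization object and field values, the variable names and the regular expressions are assumptions, and the check is line-based rather than a real ABAP parser, so it complements a proper code scanner rather than replacing it.

```python
"""Heuristic scan of ABAP source for hard-coded user names and passwords.

Added example for this article; not ERPScan's or SAP's code. The ABAP sample
is constructed for the demo, and the regexes and variable names are assumptions.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed ABAP sample: the username backdoor from the article, a second
# branch with two user IDs, a commented-out check that must NOT be reported,
# a hard-coded logon password, and a clean AUTHORITY-CHECK based variant.
SAMPLE_ABAP = """\
REPORT zhardcoded_demo.
DATA: lv_pwd   TYPE string,
      lt_creds TYPE STANDARD TABLE OF usr02.
" backdoor: behaviour keyed on a specific user id
IF sy-uname = 'EVILUSER'.
  SELECT * FROM usr02 INTO TABLE lt_creds UP TO 100 ROWS.
ENDIF.
IF SY-UNAME EQ 'DEVUSER' OR sy-uname = 'QA_TEST'.
  WRITE 'debug branch'.
ENDIF.
" TODO remove: IF sy-uname = 'OLDTEST'.
" hard-coded RFC logon password
lv_pwd = 'Summer2016!'.
CALL FUNCTION 'RFC_PING' DESTINATION 'PRD_CLNT100'.
" proper way: check an authorization object instead of a user name
AUTHORITY-CHECK OBJECT 'S_TABU_DIS'
  ID 'DICBERCLS' FIELD 'SC'
  ID 'ACTVT' FIELD '03'.
IF sy-subrc = 0.
  SELECT * FROM usr02 INTO TABLE lt_creds UP TO 100 ROWS.
ENDIF.
"""

# sy-uname compared against a string literal with any ABAP comparison operator.
USERNAME_RE = re.compile(r"\bsy-uname\b\s*(?:=|EQ|<>|NE)\s*'([^']*)'", re.IGNORECASE)
# A variable or structure component whose name contains pass/pwd assigned a literal.
PASSWORD_RE = re.compile(r"\b([A-Za-z_][\w-]*(?:pass|pwd)[\w-]*)\s*=\s*'([^']+)'", re.IGNORECASE)


@dataclass
class Finding:
    line: int
    kind: str
    detail: str


def strip_comment(line: str) -> str:
    """Drop ABAP comments: '*' in column 1 is a full-line comment and '"'
    starts an inline comment unless it sits inside a single-quoted literal."""
    if line.startswith("*"):
        return ""
    in_literal = False
    for i, ch in enumerate(line):
        if ch == "'":
            in_literal = not in_literal
        elif ch == '"' and not in_literal:
            return line[:i]
    return line


def mask(value: str) -> str:
    """Keep two characters so the finding is recognisable without leaking the secret."""
    return value[:2] + "*" * max(len(value) - 2, 1)


def scan_abap(source: str) -> List[Finding]:
    """Return one Finding per hard-coded user-name comparison or password literal."""
    findings: List[Finding] = []
    for no, raw in enumerate(source.splitlines(), start=1):
        code = strip_comment(raw)
        for m in USERNAME_RE.finditer(code):
            findings.append(Finding(no, "hardcoded-username",
                                    f"sy-uname compared with '{m.group(1)}'"))
        for m in PASSWORD_RE.finditer(code):
            findings.append(Finding(no, "hardcoded-password",
                                    f"literal assigned to {m.group(1)}: '{mask(m.group(2))}'"))
    return findings


if __name__ == "__main__":
    for f in scan_abap(SAMPLE_ABAP):
        print(f"line {f.line:3d}  {f.kind:19s} {f.detail}")
```

Running the block reports the EVILUSER branch, both user IDs on the second IF, and the masked password; the commented-out OLDTEST check and the AUTHORITY-CHECK variant produce nothing, which is the behaviour the article's recommendation (authorization checks instead of usernames) should lead to.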
"Hard-coded information of different types (system names, usernames, passwords, and so on) occurs often in SAP systems. It can be in ABAP code written by SAP developers, an internal company team, or third-party developers. According to our statistics, we identified at least one vulnerability of this type in the ABAP code in 90% of companies during our Vulnerability Assessment projects and other professional services. This vulnerability is quite dangerous because it allows an attacker to control the program and to perform a particular function depending on predefined parameters,"
commented Vahagn Vardanyan, Senior Consultant, Code Security Team, Offensive Services department at ERPScan.
Issues that were patched with the help of ERPScan
Below are the details of the SAP vulnerabilities that were found by ERPScan researchers.
- A Hard-coded credentials vulnerability in SAP Code Page Conversion Tool (BC-I18) (CVSS Base Score: 3.1). An update is available in SAP Security Note 2292487. An attacker can use the hard-coded credentials to gain unauthorized access and perform actions in the system.
- A Default credentials vulnerability in SAP Hybris E-commerce Suite (VirtualJDBC default credential). The vulnerability is fixed without a security note, in Version 6.0.
Other critical issues closed by SAP Security Notes May 2016
Some of our readers and clients asked us to categorize the most critical SAP vulnerabilities to patch them first. Companies providing SAP Security Audit, SAP Vulnerability Assessment, or SAP Penetration Testing services can include these vulnerabilities in their checklists. The most critical vulnerabilities of this update can be patched by the following SAP Security Notes:
- 2296023: SAP ASE XPServer has a Missing authorization check vulnerability (CVSS Base Score: 9.0). An attacker can use a Missing authorization check vulnerability to access the service without authorization and use functionality that should be restricted. This can lead to information disclosure, privilege escalation, and other attacks. Install this SAP Security Note to prevent the risks.
- 2298367: SAP Crystal Reports for Enterprise has a Remote command execution vulnerability (CVSS Base Score: 7.3). An attacker can use a Remote command execution vulnerability to execute commands remotely without authorization. Executed commands run with the same privileges as the service that executed them. The attacker can access arbitrary files and directories located in the SAP server filesystem, including application source code, configuration, and critical system files, and thereby obtain critical technical and business-related information stored in the vulnerable SAP system. Install this SAP Security Note to prevent the risks.
- 2307384: SAP Predictive Analytics has a Remote command execution vulnerability (CVSS Base Score: 7.3). An attacker can use a Remote command execution vulnerability to execute commands remotely without authorization. Executed commands run with the same privileges as the service that executed them. The attacker can access arbitrary files and directories located in the SAP server filesystem, including application source code, configuration, and critical system files, and thereby obtain critical technical and business-related information stored in the vulnerable SAP system. Install this SAP Security Note to prevent the risks.
It is highly recommended that SAP customers patch all those SAP vulnerabilities to prevent business risks affecting SAP systems.
SAP has traditionally thanked the security researchers from ERPScan for the vulnerabilities they found on its acknowledgment page.
Advisories for those SAP vulnerabilities with technical details will be available in 3 months on erpscan.com. Exploits for the most critical vulnerabilities are already available in ERPScan Security Monitoring Suite.