During the last month there were some news related to SAP security that I would like to cover.
First of all, two big security conferences where SAP security was covered took place: BlackHat and DEFCON. ERPScan participated in both of them, with a talk about SAP at BlackHat and a talk about VMware at DEFCON. The reason why we gave a VMware speech at DEFCON is, first of all, that our researchers and penetration testers do a lot of great work not only in the SAP area but also in other fields of security, to stay at the top level. What’s more, this talk shows that securing SAP systems is not only about the SAP applications themselves but also about the infrastructure.
1. Vulnerabilities in VMware from DEFCON
This research was done during a penetration test of an SAP landscape. While the main part of our team was focused on SAP applications, Alexander Minozhenko found that the SAP systems were installed on the VMware ESXi platform. This means that even if the SAP applications are secured, an attacker still has a chance to control all the systems by gaining access to the ESXi management console, vSphere. This way it is possible to gain unauthorized access to all the virtual machines using a number of vulnerabilities, including 0-days.
Details can be found in the slides.
2. BlackHat presentation on the XXE Tunneling in SAP
At BlackHat, we presented a talk about Server Side Request Forgery. The talk covered many interesting examples of SSRF attacks. As far as SAP was concerned, the example of a targeted attack that was presented used multiple vulnerabilities:
- Unauthorized access to the Dilbertmsg service
- XXE Tunneling
- XML RWX flaw
- Buffer overflow in SAP Kernel
There is a lot of information about this attack, from whitepapers to press coverage and a video interview:
We also created an XXE Scanner. It helps to exploit XXE issues but is still at the pre-beta stage. The details will be published soon.
3. DEFCON presentation on reversing SAP DIAG by Martin Gallo
Martin Gallo from Core Security presented his talk about decompressing and fuzzing the DIAG protocol. While much of this information had been presented before, he has now published the details of buffer overflow vulnerabilities in the DIAG protocol. The vulnerabilities could allow an anonymous attacker to perform a Denial of Service attack. One of the presented vulnerabilities could also lead to code execution; however, the trace level would have to be set to 3, which is not so common in production.
4. Remote command injection in SAP
As you already know, in the middle of every month SAP publishes a list of acknowledgements to security researchers who found vulnerabilities in SAP products. The researchers can publish details of the vulnerabilities on their websites 3 months later, so that companies that care about their security have time to patch them.
From this topic you can imagine what can happen to those who didn’t patch in time.
The guys from Context IS published detailed information about a command injection in the SAP HostControl service. As they put it, “The vulnerability allows for 100% reliable full code execution as the SAP administrator from an unauthenticated perspective”.
The attack uses a SOAP request to the SAP HostControl service calling GetDatabaseStatus, which can be done anonymously in the default configuration (although there are configuration parameters that can disable this function and many others). This way a command can be injected that is executed by the command line application dbmsrv.exe, which in turn calls dbmcli.exe. As a result, any OS command can be executed remotely.
The most interesting thing is that (as we said before in our “SAP Security In Figures” whitepaper) this service is exposed on the Internet by about 10% of the companies that use SAP. I think you can imagine what could be done to those companies if cybercriminals use this loophole.
As for defense, this issue is patched by SAP Security Note 1341333. However, to prevent similar attacks and information disclosure issues in SAP HostControl, it is better to also configure the option service/protectedwebmethods = SDEFAULT, which protects the web methods that should not be callable remotely without authentication. Other details can be found here. It is also better to test for remote command execution with an automated tool like ERPScan.
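The following is an added defender-side example (not code from the original post, ERPScan or SAP): it parses a saphostexec host profile and reports whether the service/protectedwebmethods setting leaves the GetDatabaseStatus method described above callable without authentication. The sample profile is constructed; the exact list of methods SAP covers under SDEFAULT is not reproduced here, so SDEFAULT is modeled as covering GetDatabaseStatus, as the post recommends.

```python
# Constructed sample of a saphostexec host_profile; not captured from a real system.
SAMPLE_PROFILE = """\
# constructed host profile
SAPSYSTEMNAME = SAP
service/hostname = 0.0.0.0
service/protectedwebmethods = SDEFAULT -GetDatabaseStatus
"""

def parse_profile(text):
    """Parse 'key = value' lines into a dict; blank lines and '#' comments are skipped."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            params[key.strip()] = value.strip()
    return params

def is_method_protected(setting, method):
    """True if `method` requires authentication under a service/protectedwebmethods value.
    Keywords: NONE or empty -> nothing protected; ALL -> everything protected;
    SDEFAULT -> SAP's default list, with '-Method' tokens removing entries from it.
    Assumption: the SDEFAULT list is modeled as covering `method`.
    Any other value is treated as an explicit, space-separated list of protected methods."""
    tokens = setting.split()
    if not tokens or tokens[0].upper() == "NONE":
        return False
    mode = tokens[0].upper()
    if mode == "ALL":
        return True
    if mode == "SDEFAULT":
        removed = {t[1:] for t in tokens[1:] if t.startswith("-")}
        return method not in removed
    return method in tokens

def audit_hostcontrol(profile_text, methods=("GetDatabaseStatus",)):
    """Return the methods that remain callable without authentication."""
    setting = parse_profile(profile_text).get("service/protectedwebmethods", "")
    return [m for m in methods if not is_method_protected(setting, m)]

if __name__ == "__main__":
    for m in audit_hostcontrol(SAMPLE_PROFILE):
        print(f"FINDING: {m} callable unauthenticated; set service/protectedwebmethods = SDEFAULT")
```

Run it against the real host_profile of a saphostexec installation (an assumed path, typically under /usr/sap/hostctrl/exe/) as part of a configuration review; a finding means the hardening step in the note above has not been applied.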
5. ZDI’s remote code execution in SAP Crystal Reports and SAP BusinessObjects
ZDI published the details of 2 vulnerabilities in SAP Crystal Reports and SAP BusinessObjects. As the original source says, “This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of SAP Crystal Reports. Authentication is not required to exploit this vulnerability”. The vulnerability has been patched by SAP, and exploitation seems a little bit harder because the service listens on a random port, so an attacker needs to fingerprint it first. As for the second vulnerability, in SAP BusinessObjects FI-CO, exploitation requires user interaction. The CVSS v2 score is 7.5, and the patch can be downloaded here.
6. August security updates
New security updates were released with 8 acknowledgements to security researchers. The detailed information about this update will be published in the next post.