During the last month there were some news related to SAP security that I would like to cover.
First of all, there were two big security conferences where SAP security was covered: BlackHat and Defcon. We, ERPScan, participated in both of them, with a talk about SAP at BlackHat and a talk about VMware at Defcon. The reason we delivered a VMware talk at Defcon is, first of all, that our researchers and penetration testers do a lot of great work not only in the SAP area but also in other fields of security, to stay at the top level. What's more, this talk shows that securing SAP systems is not only about the SAP applications themselves but also about the infrastructure.
1. Vulnerabilities in VMware from Defcon
This research was done during the penetration testing of an SAP landscape. While most of our team was focused on SAP applications, Alexander Minozhenko found that the SAP systems were installed on the VMware ESXi platform. This means that even if the SAP applications are secured, an attacker still has a chance to control all systems by gaining access to the ESXi management console, vSphere. So he found a way to gain unauthorized access to all virtual machines using a number of vulnerabilities, including 0-days.
Details can be found in the slides.
2. BlackHat presentation about XXE Tunneling in SAP
At BlackHat, we presented a talk about Server Side Request Forgery. The talk covered many interesting examples of SSRF attacks. As far as SAP is concerned, an example of a targeted attack was presented which uses multiple vulnerabilities:
- Unauthorized access to the Dilbertmsg service
- XXE Tunneling
- XML RWX flaw
- Buffer overflow in SAP Kernel
There is a lot of information about this attack, from whitepapers to press coverage and a video interview.
We also created an XXE Scanner which helps to exploit XXE issues, but it is still at the pre-beta stage and will be published soon.
3. Defcon presentation about reversing SAP DIAG by Martin Gallo
Martin Gallo from CoreSecurity presented his talk about decompressing and fuzzing the DIAG protocol. While much of this information has been presented before, he has now published the details of buffer overflow vulnerabilities in the DIAG protocol. The vulnerabilities could allow an anonymous attacker to perform a denial-of-service attack. One of the presented vulnerabilities could also lead to code execution, but this requires the trace level to be set to 3, which is uncommon in production.
4. Remote command injection in SAP
As you already know, in the middle of every month SAP publishes a list of acknowledgements to security researchers who found vulnerabilities in SAP products. The researchers can publish details of the vulnerabilities on their websites 3 months later, so that companies which care about their security have time to patch them.
After reading this item, you can imagine what can happen to those who did not patch on time.
The guys from Context IS published detailed information about a command injection in the SAP HostControl service. They say that "The vulnerability allows for 100% reliable full code execution as the SAP administrator from an unauthenticated perspective".
The point is that a SOAP request to the SAP HostControl service calling GetDatabaseStatus, which can be sent anonymously in the default configuration (although there are configuration parameters that can disable this function and many others), can inject a command that is then executed by the command-line application dbmsrv.exe, which in turn calls dbmcli.exe. This means that any OS command can be executed remotely.
The most interesting thing is that (as we said before in our "SAP Security In Figures" whitepaper) this service is exposed to the Internet by many companies. Speaking about numbers, 10% of the companies that use SAP worldwide expose the SAP HostControl service to the Internet. I think you can imagine what can be done to those companies if cybercriminals use this hole.
As for defense, this issue is fixed by SAP Security Note 1341333. However, to prevent similar attacks and information disclosure issues in SAP HostControl, it is better to set the parameter service/protectedwebmethods = SDEFAULT. This blocks remote calls to a default set of web methods that should not be reachable from the network. Other details can be found here. After that, it is better to test for remote command execution with an automated tool like ERPScan.
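To check the mitigation above across a landscape, here is an added example (not code from the original post or from ERPScan) that reads SAP instance profiles and reports whether service/protectedwebmethods protects GetDatabaseStatus. The profiles are constructed samples, and the value syntax assumed here (a base set such as NONE, SDEFAULT or ALL, optionally followed by "-Method" tokens that exempt methods) comes from SAP documentation rather than from this post.

```python
# Constructed sample profiles, not taken from any real system.
SAMPLE_PROFILES = {
    "DEV_DVEBMGS00_sapdev": "# constructed profile\nSAPSYSTEMNAME = DEV\n",
    "QAS_DVEBMGS01_sapqas": "SAPSYSTEMNAME = QAS\n"
                            "service/protectedwebmethods = SDEFAULT -GetDatabaseStatus\n",
    "PRD_DVEBMGS02_sapprd": "SAPSYSTEMNAME = PRD\n"
                            "service/protectedwebmethods = SDEFAULT\n",
}

PARAM = "service/protectedwebmethods"


def parse_profile(text):
    """Return the value of service/protectedwebmethods, or None if absent.
    SAP profiles are 'key = value' lines; '#' starts a comment.
    If the key appears more than once, the last occurrence wins."""
    value = None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        key, sep, val = line.partition("=")
        if sep and key.strip() == PARAM:
            value = val.strip()
    return value


def assess(value, method="GetDatabaseStatus"):
    """Classify the setting with respect to one web method.
    Assumed syntax: base set (NONE, DEFAULT, SDEFAULT, ALL) followed by
    optional '-Method' tokens that exempt methods from protection."""
    if value is None:
        # The post describes the default configuration as callable anonymously.
        return "WEAK: parameter missing, %s callable anonymously" % method
    tokens = value.split()
    base, exempt = tokens[0], {t[1:] for t in tokens[1:] if t.startswith("-")}
    if base == "NONE":
        return "WEAK: protection disabled"
    if base not in ("DEFAULT", "SDEFAULT", "ALL"):
        return "UNKNOWN: unrecognised base set %r" % base
    if method in exempt:
        return "WEAK: %s explicitly exempted" % method
    if base == "DEFAULT":
        return "REVIEW: DEFAULT set; the recommended value is SDEFAULT"
    return "OK: %s protected (%s)" % (method, base)


def audit(profiles):
    """Map each profile name to its finding."""
    return {name: assess(parse_profile(text)) for name, text in profiles.items()}
```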
5. ZDI's remote code execution in SAP Crystal Reports and SAP BusinessObjects
ZDI published details about two vulnerabilities in SAP Crystal Reports and SAP BusinessObjects. As the original source says, "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of SAP Crystal Reports. Authentication is not required to exploit this vulnerability". The vulnerability has been closed by SAP, and exploitation seems a little harder because the service listens on a random port, so an attacker would need to fingerprint it first. As for the second vulnerability, in SAP BusinessObjects FI-CO, user interaction is needed for exploitation. The CVSSv2 score is 7.5 and the patch can be downloaded from here.
6. August security updates
New security updates have been released with 8 acknowledgements to security researchers. Detailed info about this update will be published in the next post.