SAP Security Notes April 2017
On 11 April 2017, SAP released its monthly set of SAP Security Notes, consisting of 27 patches.
To help everyone engaged in the SAP patching process, the ERPScan research team conducted a detailed review of the released SAP Security Notes. This analysis should be helpful for companies providing SAP Vulnerability Assessment, SAP Security Audit, or SAP Penetration Testing.
SAP Security Notes April 2017 in review
April's batch of security patches includes 17 SAP Security Patch Day Notes and 10 Support Package Notes. Five Notes are updates to previously released Security Notes.
Five of the released SAP Security Notes have a High priority rating and one was assessed as Hot News. The highest CVSS score among the vulnerabilities is 9.4.
Most of the vulnerabilities belong to the SAP NetWeaver ABAP platform.
The most common vulnerability type is Missing Authorization Check.
Priority vs. Application type distribution
That SAP systems are complex is a commonplace. However, when it comes to SAP patching, one should take this into account. To simplify the process, the ERPScan research team created a table demonstrating the distribution between priority and application area.
| Application area | SAP Security Note |
|---|---|
| SAP Higher Education & Research | 1830630 |
| Financial Accounting (Cili) | 1959110 |
| Business intelligence solutions | 2403010 |
The most critical issues of SAP Security Notes April 2017
The most critical vulnerabilities of this update can be patched by the following SAP Security Notes:
- A Remote command execution vulnerability in SAP TREX / BWA (CVSS Base Score: 9.4). An update is available in SAP Security Note 2419592. A Remote command execution vulnerability allows an attacker to inject code that is executed by the application. Executed commands run with the same privileges as the service that executed them. The vulnerable component is integrated into more than a dozen SAP products, including the flagship SAP HANA. Learn more about this issue by following the link.
- 2421287: SAP SAPLPD has a Denial of service vulnerability (CVSS Base Score: 7.5). An attacker can use a Denial of service vulnerability to terminate a process of the vulnerable component. During that time nobody can use the service, which negatively affects business processes, causes system downtime and, as a result, damages business reputation. Install this SAP Security Note to prevent the risks.
- 2410082: SAP Web Dynpro Flash Island has an XML external entity vulnerability (CVSS Base Score: 7.5). An attacker can use an XML external entity vulnerability to send specially crafted unauthorized XML requests, which will be processed by the XML parser. An attacker can use an XML external entity vulnerability to get unauthorized access to the OS file system. Install this SAP Security Note to prevent the risks.
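To make the XXE mechanism described above concrete from the defender's side, here is an added Python example (not code from the post, from SAP, or from Web Dynpro). External entities can only be declared in a DTD, so the wrapper rejects any untrusted document that carries a DOCTYPE or ENTITY declaration before it reaches the parser. The function names, the sample documents and the `file:///example/placeholder.txt` path are all constructed for the illustration.

```python
import re
import xml.etree.ElementTree as ET

# External entities can only be declared inside a DOCTYPE (DTD) section, so
# refusing any DTD in untrusted input removes the XXE class before parsing.
# Hypothetical helper names; nothing here is SAP or Web Dynpro code.
DTD_MARKER_RE = re.compile(rb"<!DOCTYPE\b|<!ENTITY\b", re.IGNORECASE)


class UnsafeXMLError(ValueError):
    """Raised when untrusted XML carries a DTD or entity declaration."""


def has_dtd(data: bytes) -> bool:
    """True if the raw document contains a DOCTYPE or ENTITY declaration."""
    return DTD_MARKER_RE.search(data) is not None


def parse_untrusted_xml(data: bytes) -> ET.Element:
    """Parse XML from an untrusted source, rejecting anything that declares a DTD."""
    if has_dtd(data):
        raise UnsafeXMLError("DTD or entity declaration rejected in untrusted XML")
    return ET.fromstring(data)


def is_accepted(data: bytes) -> bool:
    """Convenience wrapper: True if the document parses under the hardened policy."""
    try:
        parse_untrusted_xml(data)
        return True
    except (UnsafeXMLError, ET.ParseError):
        return False


# Constructed sample inputs (not taken from the post): a benign request and
# the same request carrying an external entity declaration that points at a
# placeholder file path.
SAFE_DOC = b"<request><user>alice</user></request>"
XXE_STYLE_DOC = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE request [<!ENTITY ext SYSTEM "file:///example/placeholder.txt">]>'
    b"<request><user>&ext;</user></request>"
)

if __name__ == "__main__":
    for label, doc in (("safe", SAFE_DOC), ("xxe-style", XXE_STYLE_DOC)):
        print(label, "accepted" if is_accepted(doc) else "rejected")
```

The byte-level check is a pre-filter and should be applied to the document in the encoding the parser will actually use; for production code prefer a parser that disables entity resolution itself, for example `defusedxml.ElementTree.fromstring(data, forbid_dtd=True)` from the defusedxml package, and log every rejection so that crafted requests against an XML endpoint become visible to monitoring.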
SAP TREX – patching process
The vulnerability in the TREXNet Protocol is the most severe in this patch update, as it allows executing some sensitive operations anonymously over the network. The executed commands can be combined to potentially achieve RCE on the server. Let's look closer at the patching process.
1. First of all, to check your version of the installed SAP TREX, go to Help -> About.
2. Click on the Details button.
In our example, the installed TREX version is 7.10, SP 50.
3. Go to SAP Security Note 2419592 and choose the required version of the patch. You will be redirected to the SAP Launchpad.
4. Choose your OS and download the required patch. As an example, we use Windows, so we downloaded TREX71_74-10004511.SAR.
5. Log into the system as
6. Extract the downloaded file using the SAPCAR tool.
To do so, go to a folder where the patch was downloaded and execute sapcar with the command
7. Go to the extracted folder and update TREX using the following command:
> install.cmd --action=update --sid=TRX --password=ERPScanTREXPasswordAntiHacker2017
Press Enter and wait.
8. After updating you will receive a SUCCESSFUL status.
NB! Check the logs and delete critical information such as passwords stored in plaintext. Check the OPTIONS entry in the log:
OPTIONS: ['--action=update', '--sid=TRX', '--password=ERPScanTREXPasswordAntiHacker2017', '--logdir=C:\\Users\\trxadm\\AppData\\Local\\Temp\\3\\trex_install_2017-04-18_03.14.54']