SAP Security Notes May 2015 – Review

SAP has released its monthly critical patch update for May 2015. The update closes a number of vulnerabilities in SAP products, some of them in the SAP HANA security area. This month, three vulnerabilities found by ERPScan researchers Dmitry Chastukhin and Vahagn Vardanyan were closed.

Issues that were patched with the help of ERPScan

The detailed list of corrected vulnerabilities that were found by ERPScan researchers is below.

  • A Buffer Overflow vulnerability in SAP Afaria Server (CVSS Base Score: 7.8). The fix is available in SAP Security Note 2153690. By overflowing the buffer, an attacker can place specially crafted code in the memory of the vulnerable application and have it executed with the application's privileges. This can lead to complete control over the application, denial of service, command execution, and other attacks. With command execution, the attacker can obtain critical technical and business-related information stored in the vulnerable SAP system or escalate privileges. In the denial-of-service case, the process of the vulnerable component is terminated, so nobody can use the service; this disrupts business processes, causes system downtime, and damages business reputation.
  • A Missing Authorization Check vulnerability in SAP Afaria (CVSS Base Score: 7.1). The fix is available in SAP Security Note 2155690. Because the affected service performs no authorization check, an attacker can call functionality that is meant to be restricted without going through any authorization procedure. This can lead to information disclosure, privilege escalation, and other attacks.
  • An XML eXternal Entity vulnerability in SAP System Landscape Directory (CVSS Base Score: 4.9). The fix is available in SAP Security Note 2090851. An attacker can send specially crafted XML documents containing external entity declarations, which the XML parser resolves, giving the attacker unauthorized read access to files on the OS file system.

The most critical issues closed by SAP Security Notes May 2015

Some of our readers and clients have asked us to rank the most critical SAP vulnerabilities so that they can be patched first. Companies providing SAP Security Assessment, SAP Vulnerability Assessment, or SAP Penetration Testing services can include these vulnerabilities in their checklists. The most critical vulnerabilities of this update are closed by the following SAP Security Notes:

  • 2152278: SAP ASE Database Platform has an SQL Injection vulnerability (CVSS Base Score: 8.5). By submitting specially crafted SQL queries, an attacker can read and modify sensitive information in the database, execute administrative operations on it, and destroy data or make it unavailable. In some cases, the attacker can access system data or execute OS commands. It is recommended to install this SAP Security Note to prevent these risks.
  • 2121661: SAP ABAP & Java Server has a Running Process Remote Termination vulnerability (CVSS Base Score: 8.3). An attacker can use this vulnerability to terminate the process of the vulnerable component. Nobody can then use the service, which disrupts business processes, causes system downtime, and damages business reputation. It is recommended to install this SAP Security Note to prevent these risks.
  • 2127995: SAP Content Server has a Running Process Remote Termination vulnerability (CVSS Base Score: 8.3). An attacker can use this vulnerability to terminate the SAP Content Server process. Nobody can then use the service, which disrupts business processes, causes system downtime, and damages business reputation. It is recommended to install this SAP Security Note to prevent these risks.
  • 2153892: SAP HANA Web-based Development Workbench has an SQL Injection vulnerability (CVSS Base Score: 6.0). By submitting specially crafted SQL queries, an attacker can read and modify sensitive information in the database, execute administrative operations on it, and destroy data or make it unavailable. In some cases, the attacker can access system data or execute OS commands. It is recommended to install this SAP Security Note to prevent these risks.

Remote code execution in SAP applications

Security researchers have found vulnerabilities in the LZC and LZH compression algorithms used by SAP, which an attacker can use to execute code remotely on client and server hosts.

Many SAP server and client applications use the vulnerable LZC/LZH compression routines:

  • SAP NetWeaver Application Server ABAP
  • SAP NetWeaver Application Server Java
  • SAP NetWeaver RFC SDK
  • SAP RFC SDK
  • SAP GUI
  • SAP MaxDB database
  • SAPCAR archive tool

The same routines are also used in the following protocols:

  • Diag
  • RFC
  • MaxDB

Let's look at the vulnerabilities in detail.

1. Stack-based overflow vulnerability CVE-2015-2282 in the LZC compression algorithm

Vulnerable application code:

Note that the variable "code" holds an attacker-controlled value. The decode loop walks the prefix table for every code greater than 256, pushing the corresponding suffix entry onto a fixed-size stack until it reaches a literal code. When "code" is greater than 256 and the prefix-table entry for that code is also greater than 256, the loop keeps pushing; a crafted table whose entries never lead back to a literal drives the stack pointer past the end of the stack buffer. Since the attacker controls the values stored in the prefix and suffix tables, the stack can be filled with arbitrary values.
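The following is an added example written for this review, not SAP's code and not the vulnerable routine itself: it reproduces the shape of the LZC decode loop described above (walking the prefix/suffix chain of a code onto a fixed-size stack) in its unchecked form, and beside it the bounds-checked form a decoder needs. The table layout, the code-space constants, the stack size and the two sample tables (one benign, one with a prefix cycle) are assumptions constructed for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not SAP's code: the LZW/LZC decode step that walks the
 * prefix/suffix chain of a code onto a fixed-size stack. Table layout,
 * sizes and sample contents are assumptions constructed for this demo. */

#define CLEAR_CODE  256   /* 0..255 are literal bytes, 256 is the clear code */
#define FIRST_CODE  257   /* first code that refers to a table entry         */
#define MAX_CODES   4096  /* 12-bit code space                               */
#define STACK_SIZE  64    /* small on purpose: any chain longer than this
                             is refused by the checked decoder               */

typedef struct {
    uint16_t prefix[MAX_CODES]; /* prefix[code]: the earlier code it extends */
    uint8_t  suffix[MAX_CODES]; /* suffix[code]: the last byte of its string */
} lzc_table;

/* Vulnerable pattern: nothing bounds stackp. A table whose prefix entries
 * for codes >= FIRST_CODE never lead back to a literal (a cycle such as
 * prefix[300] = 301, prefix[301] = 300) makes the loop write past the end
 * of 'stack'. It is only ever called on the trusted benign table below. */
static size_t decode_chain_unchecked(const lzc_table *t, unsigned code,
                                     uint8_t *stack)
{
    uint8_t *stackp = stack;
    while (code >= FIRST_CODE) {        /* follow the chain, newest byte first */
        *stackp++ = t->suffix[code];
        code = t->prefix[code];
    }
    *stackp++ = (uint8_t)code;          /* the literal that starts the string */
    return (size_t)(stackp - stack);
}

/* Hardened form: refuse codes that are not yet defined and stop as soon as
 * the chain would exceed the stack. Writes the decoded string in forward
 * order to out and returns its length, or -1 for an invalid chain. */
static int decode_chain_checked(const lzc_table *t, unsigned code,
                                unsigned next_free, uint8_t *out, size_t out_len)
{
    uint8_t stack[STACK_SIZE];
    size_t depth = 0;

    while (code >= FIRST_CODE) {
        if (code >= next_free || code >= MAX_CODES)
            return -1;                  /* refers to an entry never assigned */
        if (depth == STACK_SIZE)
            return -1;                  /* chain too long: corrupt or cyclic */
        stack[depth++] = t->suffix[code];
        code = t->prefix[code];
    }
    if (depth == STACK_SIZE || depth + 1 > out_len)
        return -1;
    stack[depth++] = (uint8_t)code;

    for (size_t i = 0; i < depth; i++) /* chain was collected in reverse */
        out[i] = stack[depth - 1 - i];
    return (int)depth;
}

/* Constructed table: 257 = "ab", 258 = "abc", 259 = "abcd". Returns next_free. */
static unsigned build_benign_table(lzc_table *t)
{
    memset(t, 0, sizeof *t);
    t->prefix[257] = 'a'; t->suffix[257] = 'b';
    t->prefix[258] = 257; t->suffix[258] = 'c';
    t->prefix[259] = 258; t->suffix[259] = 'd';
    return 260;
}

/* Constructed malicious table: codes 300 and 301 point at each other. */
static unsigned build_cyclic_table(lzc_table *t)
{
    memset(t, 0, sizeof *t);
    t->prefix[300] = 301; t->suffix[300] = 'x';
    t->prefix[301] = 300; t->suffix[301] = 'y';
    return 302;
}

int lzc_demo_benign(void)   /* expected: 4, with out == "abcd" */
{
    static lzc_table t;
    uint8_t out[16];
    unsigned next_free = build_benign_table(&t);
    int n = decode_chain_checked(&t, 259, next_free, out, sizeof out);
    return (n == 4 && memcmp(out, "abcd", 4) == 0) ? n : -1;
}

int lzc_demo_cyclic(void)   /* expected: -1, the cycle is rejected */
{
    static lzc_table t;
    uint8_t out[16];
    unsigned next_free = build_cyclic_table(&t);
    return decode_chain_checked(&t, 300, next_free, out, sizeof out);
}

int main(void)
{
    static lzc_table t;
    uint8_t stack[STACK_SIZE];
    build_benign_table(&t);
    printf("unchecked decode of 259 pushed %zu bytes\n",
           decode_chain_unchecked(&t, 259, stack));
    printf("checked benign: %d, checked cyclic: %d\n",
           lzc_demo_benign(), lzc_demo_cyclic());
    return 0;
}
```

The depth check is the fix the description calls for: the stack is only as large as the longest string a valid table can produce, so any chain that exceeds it is corrupt. A decoder can also exploit the fact that in a well-formed LZW table every prefix entry is a lower code than the entry that references it, and reject any entry where that does not hold before walking the chain at all.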

2. Out-of-bounds read vulnerability CVE-2015-2278 in the LZH compression algorithm

Using this vulnerability, an attacker can make the decompressor read memory outside the bounds of its tables by supplying specially crafted packet data.

Vulnerable code:

The arrays 'e' and 'd' are indexed by the value of "*p - s". Since the values of 'p' and 's' derive from attacker-controlled input, the attacker controls the index and therefore which memory is read as the 'e' and 'd' entries; an index beyond the end of the arrays reads outside them.
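As an added example, not SAP's code and not the vulnerable routine itself, the block below reproduces the table-building step described above: a code value `*p` at or above `s` is mapped to its extra-bits entry `e[*p - s]` and base-value entry `d[*p - s]`, first with the index used unchecked and then with the comparison against the table length that prevents the out-of-bounds read. The tables `d_base` and `e_extra`, the value of `s` (257), the entry layout and the input value lists are assumptions constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not SAP's code: the Huffman table-building step that maps a
 * non-simple code value *p to its extra-bits entry e[*p - s] and base-value
 * entry d[*p - s]. The tables, the value of s and the input value lists are
 * constructed for this demo. */

#define N_SIMPLE 257   /* s: values below this are literals (0..255) or end-of-block (256) */

/* Constructed length tables (in inflate these would be the copy-length base
 * values and their extra-bit counts, with more entries than shown here). */
static const uint16_t d_base[]  = { 3, 4, 5, 6, 7, 8, 9, 10, 11, 13, 15, 17 };
static const uint8_t  e_extra[] = { 0, 0, 0, 0, 0, 0, 0, 0,  1,  1,  1,  1 };
#define N_TABLE (sizeof d_base / sizeof d_base[0])

typedef struct {
    uint8_t  e;   /* 16: literal, 15: end-of-block, otherwise extra-bit count */
    uint16_t v;   /* the literal itself, or the base length */
} huft_entry;

/* Vulnerable pattern: val - s is used as an index with no comparison against
 * the table size. A crafted code-length stream that yields val = 300 makes
 * this read e_extra[43] and d_base[43], well past both 12-entry tables. It
 * is only ever called with an in-range value below. */
static void fill_entry_unchecked(unsigned val, unsigned s, huft_entry *r)
{
    if (val < s) {
        r->e = (val < 256) ? 16 : 15;
        r->v = (uint16_t)val;
    } else {
        r->e = e_extra[val - s];
        r->v = d_base[val - s];
    }
}

/* Hardened form: the index is validated against the table length before use.
 * Returns 0 on success, -1 if the value has no table entry. */
static int fill_entry_checked(unsigned val, unsigned s, huft_entry *r)
{
    if (val < s) {
        r->e = (val < 256) ? 16 : 15;
        r->v = (uint16_t)val;
        return 0;
    }
    if (val - s >= N_TABLE)
        return -1;
    r->e = e_extra[val - s];
    r->v = d_base[val - s];
    return 0;
}

/* Walk a list of code values, as the table builder does with p, and fill one
 * entry per value. Returns the number of entries, or -1 on the first bad value. */
int build_entries(const unsigned *vals, size_t n, unsigned s, huft_entry *out)
{
    for (size_t i = 0; i < n; i++)
        if (fill_entry_checked(vals[i], s, &out[i]) < 0)
            return -1;
    return (int)n;
}

int lzh_demo_valid(void)   /* expected: 4 */
{
    const unsigned vals[] = { 65, 256, 257, 265 };   /* 'A', EOB, base 3, base 11 + 1 extra bit */
    huft_entry out[4];
    int n = build_entries(vals, 4, N_SIMPLE, out);
    if (n != 4) return -1;
    if (out[0].e != 16 || out[0].v != 65) return -2;
    if (out[1].e != 15) return -3;
    if (out[2].e != 0 || out[2].v != 3) return -4;
    if (out[3].e != 1 || out[3].v != 11) return -5;
    return n;
}

int lzh_demo_out_of_range(void)   /* expected: -1, 300 - 257 = 43 has no entry */
{
    const unsigned vals[] = { 65, 300 };
    huft_entry out[2];
    return build_entries(vals, 2, N_SIMPLE, out);
}

int main(void)
{
    huft_entry r;
    fill_entry_unchecked(265, N_SIMPLE, &r);   /* in range, safe to call */
    printf("unchecked 265 -> e=%u v=%u\n", r.e, r.v);
    printf("valid list: %d, out-of-range list: %d\n",
           lzh_demo_valid(), lzh_demo_out_of_range());
    return 0;
}
```

The value list a real table builder iterates over is derived from the code lengths in the compressed stream, so its entries are attacker-chosen; the single comparison in `fill_entry_checked` is what keeps that choice from selecting an address outside `e` and `d`.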

Attack scenarios

Because the vulnerable code is shared by a large number of SAP products, there are multiple attack vectors, depending on how a given SAP program uses it.

Examples of vectors:

  • Attack on a server component: the SAP NetWeaver Gateway and Dispatcher services process compressed data received from the network. An attacker can forge requests containing a specially crafted compressed packet and exploit the vulnerability to execute code on the server.
  • Attack on a client component: the attacker can create a specially crafted .CAR or .SAR archive and send it to a user; when the user extracts it, the attacker's code runs on the user's host.
  • MitM attack: since most of the affected services are not encrypted by default, an attacker positioned between client and server can inject malicious packets into the communication and trigger the vulnerabilities on either side.

Remediation

SAP customers can obtain Security Notes 2124806, 2121661, 2127995, and 2125316 from the SAP Support Portal and apply them.

SAP traditionally acknowledges security researchers on its website. Checks for these issues are already available in the ERPScan Security Monitoring Suite.