On the 13th of September 2016, SAP released its monthly critical patch update consisting of 19 SAP Security Notes.
To help everyone who is engaged in the SAP patching process, the ERPScan research team conducted a detailed review of the released SAP Security Notes. This analysis would also be useful for companies providing SAP Vulnerability Assessment, SAP Security Audit, or SAP Penetration Testing.
SAP Security Notes September 2016
SAP's monthly critical patch update for September 2016 closes 19 vulnerabilities in SAP products in total, including 14 SAP Security Patch Day Notes and 5 Support Package Notes. 7 of the Notes were released after the second Tuesday of the previous month and before the second Tuesday of this month. 4 of the Notes are updates to previously released Security Notes.
3 of the released SAP Security Notes have a high priority rating.
The most common vulnerability type is Missing authorization check.
Most of the vulnerabilities belong to the ABAP platform.
Priority vs. Application type distribution
The fact that SAP systems are complex is commonplace knowledge. However, when it comes to SAP patching, one should take it into account. To simplify this process, the ERPScan research team created a table showing the distribution of Notes between priority and application area.
| Application area | SAP Security Note |
|---|---|
| Business Information Warehouse | 2069820 |
| Governance, Risk and Compliance | 2351352 |
| Enterprise Performance Management | 2172049 |
| Business intelligence solutions | 2292351 |
The most critical issues closed by SAP Security Notes September 2016
The most dangerous vulnerabilities of this update can be patched by the following SAP Security Notes:
- 2358986: SAP ASE has an SQL injection vulnerability (CVSS Base Score: 8.8). An attacker can exploit an SQL injection vulnerability with specially crafted SQL queries. They can read and modify sensitive information from a database, execute administration operations on a database, destroy data or make it unavailable. Also, in some cases an attacker can access system data or execute OS commands. Install this SAP Security Note to prevent the risks.
- 2353243: SAP ASE has an SQL injection vulnerability (CVSS Base Score: 7.2). An attacker can exploit an SQL injection vulnerability with specially crafted SQL queries. They can read and modify sensitive information from a database, execute administration operations on a database, destroy data or make it unavailable. Also, in some cases an attacker can access system data or execute OS commands. Install this SAP Security Note to prevent the risks.
- 2290548: SAP BI Launchpad has a DoS vulnerability (CVSS Base Score: 6.5). An attacker can use a Denial of Service vulnerability to terminate a process of a vulnerable component. During this time, nobody would be able to use the service, which negatively affects business processes and results in system downtime and reputational damage. Install this SAP Security Note to prevent the risks.
Advisories for those SAP vulnerabilities with technical details will be available in 3 months on erpscan.com. Exploits for the most critical vulnerabilities are already available in ERPScan Security Monitoring Suite.
Patching SAP BOBJ
Today, we are patching the SAP BI Promotion Management application using information from SAP Security Note 2292351, released this September. For our tests, we have SAP BI 4.1, version 5 SP 1 patch.
1) First of all, one needs to download the required patch. Click on the icon and you will be redirected to SAP Launchpad.
2) Choose the required patch. For our system, it's BIPLATSVR4105P_14-20010870.EXE. You will get an executable file.
3) Copy the downloaded file to the server.
4) It is recommended that you back up the system before patching.
5) Launch the downloaded file.
6) Click the "Next" button and accept the License Agreement.
7) Enter your credentials, then click Next and wait.
8) When the installation finishes, you will see the following window:
9) Now you can check the version (see host:port/BOE/CMC). In the top right corner, click Help and then About.
Patch management flaws
The prompt installation of security support packages is one of the most important parts of ensuring full-scale system security. Prompt vulnerability elimination is necessary, as information on how to exploit vulnerabilities may become freely accessible and be implemented in utilities such as Metasploit. The number of support packages necessary for a system may be huge. That is why it is necessary to develop and establish a patch management process that ensures adequate preventive measures against potential threats.
Below, two major checks are given that must be in place to address the most critical problems.
It is also necessary to verify the security of the SAP components that are installed separately from the application server. These include services such as SAProuter, SAP Web Dispatcher and SAP GUI, as well as systems that are linked to the NetWeaver ABAP application server but run on NetWeaver J2EE or SAP BusinessObjects application servers. In addition, security patches should be checked for the operating systems where the SAP services are installed, as well as for the DBMS that stores the SAP solution data.
Check for component updates (SAP Notes)
Description
Patches are designed to fix system errors by replacing objects of outdated and vulnerable versions. There are two ways to fix a vulnerability: install the Support Package, or implement the correction instructions from the SAP Notes. As a rule, a particular SAP Note (with appropriate correction instructions) is issued first, then comes the Support Package, which includes, in addition to changed or new functionality, the set of correction instructions issued over a certain period of time.
The development of the patch management process should consider the patch installation priority based on the factors as follows:
— threat severity,
— threat probability,
— required system privileges,
— complexity of exploitation,
— public exploit availability.
Attention! Vulnerability management is additionally complicated by vulnerabilities that may be fixed with either a support package or an SAP Note. These two mechanisms are not synchronized with each other, and this creates vulnerability management problems: e.g. a vulnerability fixed by a support package would not be shown as implemented in the SAP Notes list of the SNOTE transaction.
The issue of new security patches is linked to an identified vulnerability that rather quickly becomes publicly known (its description becomes freely accessible). A late implementation of security patches to fix certain vulnerabilities enables an adversary to exploit them, to get an unauthorized access to sensitive business data, to modify data and to perform a DoS attack.
It is necessary to perform regular checks of security patch implementation by following the main patch management process steps (data collection, risk assessment, implementing the security patch software, result monitoring). Technically, for patch installation in version 3.0 and higher, SAP offers a tool known as the SAP Patch Manager (SPAM) (to start it, enter SPAM in the transaction code field) that allows you to download and implement the required support packages from the Online Service System (OSS). Besides, the multi-purpose SAP Software Update Manager (SUM) may be used to implement various system update processes. To implement SAP Notes, use the SNOTE transaction to get the list of security notes required for a particular system. As mentioned above, these two mechanisms are not synchronized, so the two lists have to be reconciled manually or with additional third-party tools.
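As an added example (not ERPScan's tooling or an SAP API), the following script reconciles the SNOTE list with the installed support package levels, reports the notes SNOTE still shows as open although the support package already closed them, and ranks the remaining notes by the priority factors listed above. The note numbers come from the post's table; every component name, support package level, CVSS score and exploit flag is a constructed placeholder.

```python
# Added example, not part of the original post. Note numbers are the post's;
# components, support package levels, CVSS scores and exploit flags are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class SecurityNote:
    number: int
    component: str        # software component the correction instruction belongs to
    fixed_in_sp: int      # support package level that already contains the correction
    cvss: float           # threat severity
    public_exploit: bool  # public exploit availability
    snote_open: bool      # True if SNOTE still lists the note as not implemented


# Constructed sample data; only the note numbers are taken from the post.
NOTES = [
    SecurityNote(2069820, "BW", fixed_in_sp=12, cvss=5.3, public_exploit=False, snote_open=True),
    SecurityNote(2351352, "GRC", fixed_in_sp=8, cvss=6.3, public_exploit=False, snote_open=True),
    SecurityNote(2172049, "EPM", fixed_in_sp=5, cvss=7.5, public_exploit=True, snote_open=True),
    SecurityNote(2292351, "BI", fixed_in_sp=4, cvss=6.5, public_exploit=False, snote_open=False),
]

# Installed support package level per component, as read from System > Status (constructed).
INSTALLED_SP = {"BW": 13, "GRC": 7, "EPM": 4, "BI": 4}


def is_fixed(note: SecurityNote, installed_sp: dict) -> bool:
    """A note counts as fixed if SNOTE shows it implemented OR the installed
    support package already contains the correction; SNOTE alone is not enough."""
    level = installed_sp.get(note.component)
    return (not note.snote_open) or (level is not None and level >= note.fixed_in_sp)


def snote_only_gaps(notes, installed_sp) -> list:
    """Notes SNOTE still shows as open although the support package closed them:
    the unsynchronised case that inflates the SNOTE to-do list."""
    return [n.number for n in notes if n.snote_open and is_fixed(n, installed_sp)]


def missing_notes(notes, installed_sp) -> list:
    """Genuinely unpatched notes, most urgent first: public exploit, then CVSS."""
    missing = [n for n in notes if not is_fixed(n, installed_sp)]
    missing.sort(key=lambda n: (n.public_exploit, n.cvss), reverse=True)
    return [n.number for n in missing]


if __name__ == "__main__":
    print("closed by SP but still open in SNOTE:", snote_only_gaps(NOTES, INSTALLED_SP))
    print("install next, in order:", missing_notes(NOTES, INSTALLED_SP))
```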
Check for kernel updates
Description
The SAP system kernel includes the executables of the SAP Web Dispatcher, SAP Gateway, SAP Message Server, SAProuter and other main SAP services. That is why the kernel has a separate update mechanism. Kernel updates are released as service packs for a specific kernel type. Usually each subsequent support package is cumulative, i.e. it contains all previous updates, but sometimes a release contains updates for a certain support package only.
As with component patches, the release of a new kernel security patch is linked to an identified vulnerability that rather quickly becomes publicly known, and a late implementation of the patch enables an adversary to exploit it, gain unauthorized access to sensitive business data, modify data or perform a DoS attack. Notice that kernel updates mostly fix highly critical vulnerabilities, as every system has a kernel. Thus, the priority of kernel updates should be higher than that of component updates.
It is necessary to perform regular checks of security patch implementation by following the main patch management process steps (data collection, risk assessment, implementing the security patch software, result monitoring). To see the current kernel patch level in the SAP GUI, open the Status window from the System menu and click Other kernel info (Shift+F5 by default). Information on the latest service pack is available at the SAP support portal. The update referenced by an SAP Note is usually downloaded as a directory of system and executable files that replaces the previous files. The Software Update Manager (SUM) utility is also available and greatly simplifies the manual process (refer to the operating manual).