SAP Security Notes – September 2016

On 13 September 2016, SAP released its monthly critical patch update consisting of 19 SAP Security Notes.

To help everyone who is engaged in the SAP patching process, the ERPScan research team conducted a detailed review of the released SAP Security Notes. This analysis would also be useful for companies providing SAP Vulnerability Assessment, SAP Security Audit, or SAP Penetration Testing.

SAP Security Notes September 2016

SAP's monthly critical patch update for September 2016 closes 19 vulnerabilities in SAP products in total, including 14 SAP Security Patch Day Notes and 5 Support Package Notes. 7 of the Notes were released after the second Tuesday of the previous month and before the second Tuesday of this month. 4 of the Notes are updates to previously released Security Notes.

3 of the released SAP Security Notes have a high priority rating.

SAP Security Notes September 2016 by priority

The most common vulnerability type is Missing authorization check.

SAP Security Notes September 2016 by type

Most of the vulnerabilities belong to the ABAP platform.

SAP Security Platforms September 2016

Priority vs. Application type distribution

It is a commonplace that SAP systems are complex; when it comes to SAP patching, this complexity has to be taken into account. To simplify the process, the ERPScan research team created a table showing the distribution of the Notes between priority and application area.

Priority columns of the original table: Hot news, High, Medium, Low

Financial Services: 2353024
Cross-Application Components: 2357856, 2357695
Financial Accounting: 2318530
Business Information Warehouse: 2069820
Materials Management: 2250863
Basis Components: 2358986, 2353243, 2342473, 2142551, 2344524, 2294866, 2350574, 2319727
Governance, Risk and Compliance: 2351352
Enterprise Performance Management: 2172049
HANA: 2347944
Business intelligence solutions: 2292351, 2290548

The most critical issues closed by SAP Security Notes September 2016

The most dangerous vulnerabilities of this update can be patched by the following SAP Security Notes:

  • 2358986: SAP ASE has an SQL injection vulnerability (CVSS Base Score: 8.8). An attacker can exploit an SQL injection vulnerability with specially crafted SQL queries. They can read and modify sensitive information from a database, execute administration operations on a database, destroy data or make it unavailable. Also, in some cases an attacker can access system data or execute OS commands. Install this SAP Security Note to prevent the risks.
  • 2353243: SAP ASE has an SQL injection vulnerability (CVSS Base Score: 7.2). An attacker can exploit an SQL injection vulnerability with specially crafted SQL queries. They can read and modify sensitive information from a database, execute administration operations on a database, destroy data or make it unavailable. Also, in some cases an attacker can access system data or execute OS commands. Install this SAP Security Note to prevent the risks.
  • 2290548: SAP BI Launchpad has a DoS vulnerability (CVSS Base Score: 6.5). An attacker can use a Denial of Service vulnerability to terminate a process of a vulnerable component. While the process is down, nobody can use the service, which negatively affects business processes, causes system downtime and, as a result, damages business reputation. Install this SAP Security Note to prevent the risks.

Advisories for those SAP vulnerabilities with technical details will be available in 3 months on erpscan.com. Exploits for the most critical vulnerabilities are already available in ERPScan Security Monitoring Suite.

Patching SAP BOBJ

Today, we are patching the SAP BI Promotion Management Application using information from SAP Security Note 2292351, released this September. For our tests we used SAP BI 4.1 (SP 5, patch 1).

About Cross-Site Scripting

1) First of all, download the required patch. Click on the icon and you will be redirected to the SAP Launchpad.
2) Choose the required patch. For our system, it is BIPLATSVR4105P_14-20010870.EXE. You will get an executable file.

3) Copy the downloaded file to the server.
4) It is recommended that you make a backup before patching.
5) Launch the downloaded file.

6) Click the "Next" button and accept the License Agreement.
7) Enter your credentials, then click "Next" and wait.

8) When the installation finishes, you will see the following window:

9) Now you can check the version (open host:port/BOE/CMC). In the top right corner, click "Help" and then "About".

Patch management flaws

The prompt installation of security support packages is one of the most important parts of ensuring full-scale system security. Prompt vulnerability elimination is necessary because information on how to exploit a vulnerability may become freely available and be implemented in tools such as Metasploit. The number of support packages a system needs may be huge. That is why it is necessary to develop and establish a patch management process that ensures adequate preventive measures against potential threats are in place.

Below, two major checks are given that must be in place to address the most critical problems.

Further steps

It is also necessary to verify the security of SAP components that are installed separately from the application server. These are services such as SAProuter, SAP Web Dispatcher and SAP GUI, and systems that are linked to the NetWeaver ABAP application server but run on the NetWeaver J2EE or SAP BusinessObjects application servers. In addition, the security patch level should be checked for the operating systems on which the SAP services are installed, as well as for the DBMS that stores the SAP solution data.

Check for component updates (SAP Notes)

Description

Patches are designed to fix system errors by replacing objects of outdated and vulnerable versions. There are two ways to fix a vulnerability: install the Support Package, or implement the correction instructions from the SAP Note. As a rule, a particular SAP Note (with the appropriate correction instructions) is issued first; then comes the Support Package, which includes, in addition to changed or new functionality, the set of correction instructions issued over a certain period of time.

The patch management process should define the patch installation priority based on the following factors:

    — threat severity,
    — threat probability,
    — required system privileges,
    — complexity of exploitation,
    — public exploit availability.

Attention! Vulnerability management is further complicated by the fact that a vulnerability may be fixed either with a support package or with an SAP Note. These two mechanisms are not synchronized with each other, which creates vulnerability management problems: for example, a vulnerability fixed by a support package is not shown as fixed in the SAP Notes list of the SNOTE transaction.
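The following script is an added example, not part of the original post and not a tool from SAP or ERPScan. It shows how the two checks described above can be combined in practice: each required Security Note is checked against both the SNOTE implementation list and the installed Support Package level of its component (so that a fix that arrived with a Support Package is not reported as open), and the notes that are still missing are ranked with the prioritisation factors listed above (threat probability is represented here by public exploit availability). All note numbers, component levels, SNOTE status and the factor weights are constructed for the example and labelled as such in the code.

```python
"""Reconcile required SAP Security Notes against installed Support Package
levels and rank the remaining work by the prioritisation factors above.
Added example with constructed data; not SAP's or ERPScan's tooling."""
from dataclasses import dataclass


@dataclass(frozen=True)
class SecurityNote:
    number: str           # SAP Note number (constructed placeholders below)
    component: str        # software component the correction belongs to
    release: str          # component release
    fixed_in_sp: int      # first Support Package level that contains the fix
    priority: str         # SAP priority rating
    cvss: float           # CVSS base score: threat severity
    public_exploit: bool  # public exploit availability
    privileges: str       # required system privileges: "none", "low" or "high"
    complexity: str       # complexity of exploitation: "low" or "high"


# Constructed sample notes (numbers and metadata are made up for the example).
NOTES = [
    SecurityNote("2900001", "SAP_BASIS", "740", 14, "High", 8.8, True, "low", "low"),
    SecurityNote("2900002", "SAP_BASIS", "740", 10, "Medium", 6.5, False, "low", "low"),
    SecurityNote("2900003", "SAP_BW", "740", 11, "High", 7.2, False, "none", "high"),
    SecurityNote("2900004", "SAP_BW", "740", 12, "Low", 3.1, False, "high", "high"),
    SecurityNote("2900005", "SAP_BASIS", "740", 15, "Hot news", 9.8, True, "none", "low"),
]

# Constructed Support Package levels, as an administrator would read them from SPAM.
INSTALLED_SP = {("SAP_BASIS", "740"): 12, ("SAP_BW", "740"): 10}

# Constructed set of notes whose correction instructions were applied with SNOTE.
SNOTE_IMPLEMENTED = {"2900003"}

# Weights for the prioritisation factors; the values are an assumption.
PRIORITY_WEIGHT = {"Hot news": 3, "High": 2, "Medium": 1, "Low": 0}
PRIVILEGE_WEIGHT = {"none": 2, "low": 1, "high": 0}


def covered_by_support_package(note, installed_sp):
    """True if the installed SP level of the note's component already contains the fix."""
    level = installed_sp.get((note.component, note.release))
    return level is not None and level >= note.fixed_in_sp


def reconcile(notes, installed_sp, snote_done):
    """Classify each note by how (or whether) it is covered on this system.

    SNOTE only knows about notes implemented through SNOTE, so a fix that
    arrived with a Support Package looks 'open' there. That is the
    synchronisation gap, and it is why both sources are consulted here."""
    result = {"snote": [], "support_package": [], "missing": []}
    for note in notes:
        if note.number in snote_done:
            result["snote"].append(note.number)
        elif covered_by_support_package(note, installed_sp):
            result["support_package"].append(note.number)
        else:
            result["missing"].append(note)
    return result


def risk_score(note):
    """Combine severity, exploit availability, privileges, complexity and SAP priority."""
    score = note.cvss
    score += 3 if note.public_exploit else 0
    score += PRIVILEGE_WEIGHT[note.privileges]
    score += 1 if note.complexity == "low" else 0
    score += PRIORITY_WEIGHT[note.priority]
    return score


def patch_order(notes, installed_sp, snote_done):
    """Numbers of the notes still to be implemented, most urgent first."""
    missing = reconcile(notes, installed_sp, snote_done)["missing"]
    return [n.number for n in sorted(missing, key=risk_score, reverse=True)]


if __name__ == "__main__":
    status = reconcile(NOTES, INSTALLED_SP, SNOTE_IMPLEMENTED)
    print("implemented via SNOTE:        ", status["snote"])
    print("covered by Support Package:   ", status["support_package"])
    print("still missing, in patch order:", patch_order(NOTES, INSTALLED_SP, SNOTE_IMPLEMENTED))
```

In the constructed data, note 2900002 is reported as covered although it never appears in the SNOTE list, because the installed SAP_BASIS level 12 already contains its fix; consulting SNOTE alone would have listed it as open. The weights in the score are deliberately simple so that they can be replaced by whatever the organisation's risk assessment step prescribes.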

Threat

The release of a new security patch is linked to an identified vulnerability that rather quickly becomes publicly known (its description becomes freely accessible). Late implementation of security patches for such vulnerabilities enables an adversary to exploit them, gain unauthorized access to sensitive business data, modify data and perform a DoS attack.

Solution

It is necessary to perform regular checks of security patch implementation by following the main patch management process steps (data collection, risk assessment, implementation of the security patches, result monitoring). Technically, for release 3.0 and higher, SAP offers the SAP Patch Manager (SPAM; start it by entering SPAM in the transaction code field), which downloads and implements the required support packages from the Online Service System (OSS). Besides, the multi-purpose SAP Software Update Manager (SUM) may be used for various system update processes. To implement SAP Notes, use the SNOTE transaction, which provides the list of security notes required for the particular system. As mentioned above, these two mechanisms are not synchronized, so the picture has to be completed manually or with additional third-party tools.

Check for kernel updates

Description

The SAP system kernel includes the executables of SAP Web Dispatcher, SAP Gateway, SAP Message Server, SAProuter and other main SAP services. That is why the kernel has a separate update mechanism. Kernel updates are released as service packs for a specific kernel type. Usually each subsequent support package is cumulative, i.e. it contains all previous updates, but sometimes a release contains updates for one support package only.

Threat

The release of a new security patch is linked to an identified vulnerability that rather quickly becomes publicly known (its description becomes freely accessible). Late implementation of security patches for such vulnerabilities enables an adversary to exploit them, gain unauthorized access to sensitive business data, modify data and perform a DoS attack. Note that kernel updates mostly fix highly critical vulnerabilities, and every system has a kernel. Thus, the priority of kernel updates should be higher than that of component updates.

Solution

It is necessary to perform regular checks of security patch implementation by following the main patch management process steps (data collection, risk assessment, implementation of the security patches, result monitoring). To see the current kernel service pack in the SAP GUI, open the Status window from the System menu and click "Other kernel info" (Shift+F5 by default). Information on the latest service pack is available on the SAP Support Portal. The update is usually downloaded as a directory of system and executable files that replaces the previous files. The Software Update Manager (SUM) utility is also available and greatly simplifies the manual process (see its operating manual).