Inprosec through its services, such as the SAP Security Assessment, helps its customers to improve the security levels of their SAP systems.
January 2021 notes
Summary and highlights of the month
The total number of notes/patches has increased from last month. Besides this increase in the number of total notes, the number of Hot News also increases, being 4 the ones we found last month with respect to the 5 existing in January. On the other hand, it is worth noting that the number of high criticality notes remains at 2, both last month and this one. As always we will leave the medium and low notes unchecked in this month, but we will give details of a total of 7 notes (all those with a CVSS of 7 or higher).
We have a total of 19 notes for the whole month, 5 more than last December (17th of the Tuesday patch, 10 new and 7 updates, being 4 more than last month).
We have 2 new critical notes (Hot News), being the total of 5 in this month that stand out for their high CVVS, one of them the recurrent update for the SAP Business Client with Chromium. We will also review in detail 2 of the total 2 high notes (those of CVSS greater or equal to 7), both new notes.
- The most critical note of the month (with CVSS 10) is the recurrent update of “Browser Control Chromium Delivered with SAP Business Client (2622660)” that goes from a CVSS of 9.8 to 10 caused by a critical failure (CVE-2020-15967) in the payment component of Chrome.
- The following 2 critical notes (CVSS 9.9) are two new notes, one affecting SAP Business Warehouse (Database Interface) in multiple vulnerabilities and the other affecting Code Injection in SAP Business Warehouse and SAP BW/4HANA.
- From there, we located 2 more Hot News, both updates, and 2 high priority notes, being the most relevant with a CVSS of 8.9 a new note of “Information Disclosure in Central Order”. The rest (12) are of medium and low level, and we will not see them in detail.
- This month the most predominant types are “Missing Authorization Check “(4/19 and 4/17 in patch day), “Cross-Site Scripting (XSS)” (2/19 and 1*/17 in patch day) and “Code Injection” (2/19 and 2/17 in patch day).
In the graph (post January 2021 of SAP) we can see the classification of the notes of January in addition to the evolution and classification of the last 5 previous months (only the notes of Sec. Tuesday / Patch Day – by SAP):
Full details
The full details of the most relevant notes are as follows:
- Update – Security updates for the browser control Google Chromium delivered with SAP Business Client (2622660): This security note addresses multiple vulnerabilities in the 3rd party web browser control Chromium, which can be used within SAP Business Client. This note will be modified periodically based on web browser updates by the open-source project Chromium. From SAP Business Client 6.5 PL5 and above you can use the browser control Chromium for displaying HTML content within SAP Business Client. As this full browser control is delivered and can be installed with SAP Business Client, security corrections for this browser control are shipped with SAP Business Client patches. If the SAP Business Client release is not updated to the latest patch level, displaying web pages in SAP Business Client via this open-source browser control might lead to different vulnerabilities like memory corruption, Information Disclosure and the like. Some well-known impact of those vulnerabilities are: system information disclosure or system crash in worst cases; vulnerabilities might have direct impact on confidentiality, integrity and availability of a system; information gathered can be used to craft further attacks, possibly with more severe consequences. The related CVSS score is always based on the all-time high of all fixed vulnerabilities. While this value didn’t change for more than a year, it has increased now with the newest patch from 9.8 to 10. The increase seems to be caused by a critical flaw (CVE-2020-15967) in Chrome’s payments component. Following Google’s information, the flaw is a use-after-free vulnerability. Use-after-free is a memory-corruption flaw where an attempt is made to access memory after it has been freed. This can cause various malicious impacts, from causing a program to crash, to potentially leading to execution of arbitrary code. CVSS v3 Base Score: 10 / 10.
- Multiple vulnerabilities in SAP Business Warehouse (Database Interface) (2986980): It patches a SQL Injection vulnerability, tagged with CVSS score of 9.9, and a Missing Authorization Check vulnerability, tagged with CVSS score of 6.5. Both vulnerabilities were found in the Database Interface of SAP BW. An improper sanitization of provided SQL commands allowed an attacker to execute arbitrary SQL commands on the database which could lead to a full compromise of the affected system. The Missing Authorization Check vulnerability that was fixed with note #2986980 could lead to an escalation of privileges allowing an attacker to read out any database table. SAP has solved the issue by just disabling the function module. Attention: This will cause a dump in any application that calls this function module! So, it is highly recommended to check your custom code before applying the patch. If the function module is still in use, it is also strongly recommended to think about an alternative “as it must not be used anymore” and to implement the patch. Based on that statement, there is a high chance that the dangerous function module will be removed anyway with one of the next updates. CVSS v3 Base Score: 9.9 / 10 (CVE-2021-21465)
- Code Injection in SAP Business Warehouse and SAP BW/4HANA (2999854): It patches a typical source for this kind of vulnerability. An insufficient input validation could allow a low privileged user to inject malicious code that is stored persistently as a report. This report could be executed afterward, and thus, could potentially lead to scenarios with a high negative impact on the confidentiality, integrity and availability of the affected system (and maybe also of connected systems). Fortunately, the provided patch can be applied automatically via transaction SNOTE and does not require any manual pre or post activities. CVSS v3 Base Score: 9.9 / 10 (CVE-2021-21466)
- Update – Code Injection vulnerability in SAP Business Warehouse (Master Data Management) and SAP BW4HANA (2983367): SAP BW Master Data Management and SAP BW4HANA allows an attacker with high privileges ability to submit a crafted request to generate and execute code without requiring any user interaction. These malicious requests could result in the execution of operating system commands that may completely compromise the confidentiality, integrity and availability of the server and any data or other applications running on it. Reason and Prerequisites: Misuse of a delivered function with the intention to execute arbitrary reports in the system. CVSS v3 Base Score: 9.1 / 10 (CVE-2020-26838)
- Update – Privilege escalation in SAP NetWeaver Application Server for Java (UDDI Server) (2979062): The UDDI Server of SAP NetWeaver Application Server for Java allows an attacker to execute arbitrary OS commands without having the required permissions, known as escalation of privileges vulnerability. Potential impact is total compromise of confidentiality, integrity and availability of server OS. CVSS v3 Base Score: 9.1 / 10 (CVE-2020-26820).
- Information Disclosure in Central Order (3001373): fixes an issue in the binding process of the Central Order service to a Cloud Foundry application that existed before December 4, 2020. This issue allowed unauthorized SAP employees to access the binding credentials of the service. It can be solved by simply deleting and recreating the service instance. If additional service keys were created for the service instance, they need to be recreated, in order to generate new credentials. CVSS v3 Base Score: 8.9 / 10.
- Denial of service (DOS) in SAP NetWeaver AS ABAP and ABAP Platform (3000306): It patches a scenario in SAP NetWeaver AS and ABAP Platform that could lead to a Denial-of-Service experience for the users. Starting the demo examples that are embedded in ABAP Server’s and ABAP Platform’s ABAP Keyword Documentation via the web version allows an unauthenticated attacker to prevent legitimate users from accessing a service, either by crashing or flooding the service. The provided fix prevents the demo examples from being started in parallel. CVSS v3 Base Score: 7.5 / 10 (CVE-2021-21446).
Reference links
Reference links of the CERT of the INCIBE in relation to the publication of the notes for January:
https://www.incibe-cert.es/alerta-temprana/avisos-seguridad/actualizacion-seguridad-sap-enero-2021
Other references, from SAP and Onapsis (January):
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564760476
https://onapsis.com/blog/sap-security-notes-january-2021
Resources affected
- Automated Note Search Tool (SAP Basis), versiones 7.0, 7.01,7.02, 7.31, 7.4, 7.5, 7.51, 7.52, 7.53 y 7.54;
- SAP 3D Visual Enterprise Viewer, versión 9.0;
- SAP Banking Services (Generic Market Data), versiones 400, 450 y 500;
- SAP Business Client, versión 6.5;
- SAP Business Warehouse, versiones 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755 y 782;
- SAP BusinessObjects Business Intelligence platform (Web Intelligence HTML interface), versiones 410 y 420;
- SAP BW4HANA, versiones 100 y 200;
- SAP Commerce Cloud, versiones 1808, 1811, 1905, 2005 y 2011;
- SAP EPM ADD-IN, versiones 2.8 y 1010;
- SAP GUI FOR WINDOWS, versión 7.60;
- SAP Master Data Governance, versiones 748, 749, 750, 751, 752, 800, 801, 802, 803 y 804;
- SAP NetWeaver AS JAVA, versiones:
- AS Java (HTTP Service), versiones 7.10, 7.11, 7.20, 7.30, 7.31, 7.40 y 7.50;
- AS JAVA (Key Storage Service), versiones 7.10, 7.11, 7.20 ,7.30, 7.31, 7.40 y 7.50;
- AS JAVA, versiones 7.20, 7.30, 7.31, 7.40 y 7.50;
- SAP NetWeaver Master Data Management, versiones 7.10, 7.10.750 y 710;