SAP issued a total of 81 notes (Security Updates) in the fourth quarter of 2017 (51 of them Patch Day notes). We would like to highlight that this year was the one with the fewest Security Notes since 2009 (274 in 2017 vs 314 in 2016).
There were 4 critical notes (Hot News) this quarter. We had reached 6 months without Hot News from SAP; however, in November, after reviewing recent high-criticality notes pending assessment (CVSS), some of them were reclassified as critical.
All the critical notes (Hot News) had the same rating (CVSS 9.1). All of them are updates of previously published notes, although for two of them a deeper investigation led to classifying them as critical. Precisely these two notes, related to LaMa (formerly LVM) – Landscape Management – are the most relevant ones to consider.
2017 Q4 Summary
There were 30 notes issued in October. Two of them were classified as High priority, and one of them, with CVSS 9.1, became Hot News in November; in addition, one August note was updated to High. The most prevalent type was information leakage (“Information Disclosure”) (9/30, and 7/16 on Patch Tuesday), followed by authorization problems (“Missing Authorization Check” and “Switchable Authorization Check”) (4 + 4 of 30).
In November, a total of 32 notes were published (21 on Security Notes Tuesday / SAP Security Patch Day).
Three of them were Hot News (critical) as a result of updates to previous notes. The only High note (CVSS 8.0) was related to full access to the SAP Management Console.
The most predominant type was Cross-Site Scripting (XSS) (6/32, and 5/22 on Patch Tuesday), followed by information leakage (“Information Disclosure”) and lack of authorizations (“Missing Authorization Check”) (5/32).
In December a total of 19 notes were published (15 on Security Notes Tuesday / SAP Security Patch Day). The only critical note was again an update of a previous note. Across the notes (23 of Patch Tuesday) the distribution was even among the 5 main categories (Information Disclosure, XSS, DoS, Code Injection and Missing Authorization Check).
The graph above (from the December 2017 post) shows the evolution and classification of the notes over the 3 months of the fourth quarter of 2017, in addition to the 3 previous months (only the Security Tuesday / Patch Day notes by SAP).
Critical notes detail (“Hot News”)
Disclosure of Information/Elevation of Privileges LVM 2.1 and LaMa 3.0 (2531241): This is a note from October that was raised to Hot News in November (CVSS 9.1). SAP Landscape Management (LaMa) is the new name of the SAP product formerly called Landscape Virtualization Management (LVM). LaMa is a management tool that enables the SAP Basis administrator to automate SAP system operations. LaMa requires the passwords of the managed systems in order to operate, and during operation this data is needed to restart processes for recovery purposes. The confidential data is therefore stored in the NetWeaver Java Secure Store. This data, which should not be readable, can be accessed by an attacker under certain conditions. CVSS v3 Base Score: 9.1 / 10
Potential Denial of Service Vulnerability in SAP Standalone Enqueue Server (2476937): The Standalone Enqueue Server makes an enqueue function available to AS ABAP and AS Java instances. The Enqueue Server provides a locking service, and locking clients (the application servers) communicate directly with this server over TCP. The Enqueue Server holds critical data in the lock table in main memory: all locks currently held by users. This vulnerability allows an attacker to remotely exploit the Enqueue Server, making its resources unavailable. Data on that server could then be lost and cannot be restored even when the Enqueue Server is restarted; all transactions that held locks would therefore have to be reset. CVSS v3 Base Score: 7.5 / 10
Directory Traversal Vulnerability in SAP NetWeaver AS Java Web Container (2486657): This is an update to an existing note (Q3, August). These types of attacks always affect the confidentiality of information, since they allow an attacker to read arbitrary files that should not be accessible. Its high impact on confidentiality again makes its CVSS score the highest of the month. It is not critical, however, since there is no impact on availability or integrity and the attack must be performed with privileges. The AS Java Web Container, without proper validation of path information, could allow an attacker to read the content of arbitrary files on the remote server, exposing sensitive data. CVSS v3 Base Score: 7.7 / 10
Disclosure of Information/Elevation of Privileges LaMa 3.0 (2520772): Related to the first note in this list; it also became Hot News after a deeper review by SAP and its reclassification on the CVSS scale. The risk and the issue are the same: high-privilege access credentials, which should not be readable, can be accessed by an attacker under certain conditions. CVSS v3 Base Score: 9.1 / 10
Code Injection vulnerability in Text Conversion (2371726): This is again an update to a previous note (September 2016), with some additional instructions. Text Conversion, which enables SAP standard text to be replaced by industry-specific text, allows an attacker to inject code that is then executed by the application. An attacker could thereby control the behavior of the application, with well-known impacts such as unauthorized execution of commands, sensitive information disclosure or denial of service. CVSS v3 Base Score: 9.1 / 10
Full access to SAP Management Console (2500044): A private key for instance communication is stored in Java and an attacker might be able to access this key. CVSS v3 Base Score: 8.0 / 10
OS Command Injection vulnerability in Report for Terminology Export (2357141): This note has been re-released (previously November 2016) with updated “Solution and Attachment” information, which describes additional manual steps to fix the functionality.
Other References:
- SAP Blog October
- Onapsis: Security Blog October
- SAP Blog November
- Onapsis: Security Blog November
- SAP Blog December
- Onapsis: Security Blog December