Through services such as its SAP Security Assessment, Inprosec helps its clients raise the security level of their SAP systems.
August 2021 Notes
Summary and highlights of the month
The total number of notes/patches has increased compared with last month. Besides this rise in the total number of notes, the number of Hot News notes also grows, from the 2 we found last month to the 3 in August. The number of high-priority notes also rises, from 2 to 6 this month. As always, we leave the medium- and low-priority notes unreviewed this month, but we give details on a total of 9 notes (all those with a CVSS of 7 or higher).
We have a total of 19 notes for the whole month, 3 more than last July (15 from Patch Tuesday: 14 new and 1 update, the same as last month).
We have 3 new critical notes (Hot News), 3 in total this month, which stand out for their high CVSS. We also review in detail 6 of the 6 high-priority notes (those with a CVSS greater than or equal to 7), all of them new notes.
- The two most critical notes of the month (CVSS 9.9) are an Unrestricted File Upload vulnerability affecting SAP Business One and a Server Side Request Forgery vulnerability affecting SAP NetWeaver Development Infrastructure (Component Build Service).
- Next in criticality (CVSS 9.1) is an SQL Injection vulnerability in SAP NZDT Row Count Reconciliation.
- After those come the 6 high-priority notes, the most relevant being a new Missing Authentication Check note in SAP Web Dispatcher with a CVSS of 8.8. The remaining 10 are medium and low priority and are not covered in detail.
- This month the predominant types are “Cross-Site Scripting (XSS)” (5/19 overall and 4/15 on Patch Day) and “Missing Authorization Check” (3/19 overall and 2/15 on Patch Day).
The chart (SAP's August 2021 post) shows the classification of the August notes together with the evolution and classification of the previous 5 months (only the Security Tuesday / Patch Day notes, by SAP):
Full details
The full details of the most relevant notes are as follows:
- Unrestricted File Upload vulnerability in SAP Business One (3071984): It patches a vulnerability in SAP Business One that allows an attacker to upload files, including script files, to the server. The only reason it does not have a CVSS 10 rating is that it needs a minimum set of authorizations. Fortunately, there is a workaround available for customers who cannot immediately apply the related hotfix: they can simply deactivate the affected functionality. But, as always, SAP emphasizes that this workaround should be considered a temporary fix rather than a permanent solution. CVSS v3 Base Score: 9.9 / 10 (CVE-2021-33698).
- Server Side Request Forgery vulnerability in SAP NetWeaver Development Infrastructure (Component Build Service) (3072955): A servlet of the Component Build Service in SAP NetWeaver Development Infrastructure (SAP NWDI) was exposed externally, allowing attackers to perform proxy attacks by sending crafted requests. According to SAP, the impact of this vulnerability depends on whether NWDI runs on the intranet or on the Internet. If it runs on the Internet, the vulnerability “could completely compromise sensitive data residing on the server, and impact its availability”. CVSS v3 Base Score: 9.9 / 10 (CVE-2021-33690).
- SQL Injection vulnerability in SAP NZDT Row Count Reconciliation (3078312): It patches an SQL Injection vulnerability in the Near Zero Downtime (NZDT) tool of the DMIS Mobile Plug-In or SAP S/4HANA. The tool is used by SAP's corresponding nZDT service for time-optimized system upgrades and system conversions. When the nZDT service is used, maintenance is performed on a clone of the production system; all changes are recorded and transferred to the clone after the maintenance tasks are completed, and during the final downtime only a few activities are executed, including the switch of production to the new system (the clone). In addition to the correction instructions that come with the note, a workaround is available for customers who have activated the Unified Connectivity (UCON) runtime check: do not assign the remote-enabled function module used by the tool to any communication assembly (CA) in UCON. CVSS v3 Base Score: 9.1 / 10 (CVE-2021-33701).
- Missing Authentication check in SAP Web Dispatcher (3057378): SAP Web Dispatcher does not perform authentication checks for functions that require a user identity. It contains a programming error that affects authentication in all SAP application systems accessed through the SAP Web Dispatcher when authentication based on X.509 client certificates is used. In such scenarios, an attacker with network access can execute functions in the SAP application systems under any user identity that has a mapping to an X.509 certificate. The impact of the missing authentication check is that the attacker can read, modify or delete sensitive information and access administrative or other privileged functionality. CVSS v3 Base Score: 8.8 / 10.
- Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal (3073681): It patches a Cross-Site Scripting (XSS) vulnerability in one of the portal's servlets. Insufficient sanitization allows JavaScript to be injected into the corresponding web page; if a victim navigates to the affected servlet, the injected script is executed in their browser. Although the impact on the system's confidentiality, integrity and availability is high, the high attack complexity and the need for user interaction for the exploit to succeed merit a lower CVSS score. CVSS v3 Base Score: 8.3 / 10 (CVE-2021-33702).
- Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal (3072920): It patches a very similar vulnerability in another servlet of the SAP Enterprise Portal, so it is no surprise that it has the same CVSS value and vector as note 3073681. CVSS v3 Base Score: 8.3 / 10 (CVE-2021-33703).
- Server-Side Request Forgery (SSRF) vulnerability in SAP NetWeaver Enterprise Portal (3074844): It patches a Server-Side Request Forgery (SSRF) vulnerability in one of the design-time components of the SAP Enterprise Portal. It allows an unauthenticated attacker to craft a malicious URL which, when clicked by a user, can make any type of request (e.g. POST, GET) to any internal or external server. CVSS v3 Base Score: 8.1 / 10 (CVE-2021-33705).
- Task Hijacking in SAP Fiori Client Native Mobile for Android (3067219): Task hijacking in the SAP Fiori Client affects applications running on Android devices because of a misconfiguration of the task-control attributes in their AndroidManifest.xml. This allows an attacker or malware to take over legitimate apps and steal the user's sensitive information. Solution: SAP will provide a new version of the Kapsel SDK and Fiori Client to fix this issue. CVSS v3 Base Score: 7.6 / 10 (CVE-2021-33699).
- Missing Authentication check in SAP Business One (3073325): SAP Business One allows a local attacker with access to the victim's browser, under certain circumstances, to log in as the victim without knowing their password. The attacker could thus obtain highly sensitive information and use it to take substantial control of the vulnerable application. Solution: disable the affected function; customers need to implement or upgrade to SAP Business One 10.0 PL2105 Hotfix1. CVSS v3 Base Score: 7.0 / 10 (CVE-2021-33700).
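As an added example (not code from SAP, from Inprosec or from note 3071984 itself), the following Python contrasts the upload pattern behind the SAP Business One note, where a client-chosen name and content are stored as received, with a hardened handler that allow-lists extensions, checks the file's magic bytes against the declared extension, caps the size and replaces the client's filename with a random server-chosen one. The allowed types, the size limit, the directory names and the function names are assumptions for illustration.

```python
import os
import re
import secrets

# Assumed allow-list for this hypothetical service: extension -> magic bytes the
# content must start with. Script types (jsp, php, aspx, ...) are simply absent.
ALLOWED_TYPES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "pdf": b"%PDF-",
}
MAX_SIZE = 5 * 1024 * 1024  # assumed 5 MiB cap


class UploadRejected(ValueError):
    """Raised by the hardened handler for anything it refuses to store."""


def vulnerable_target_path(filename: str, upload_dir: str) -> str:
    """The unsafe pattern: the client-supplied name decides where the bytes land.
    'shell.jsp' becomes an executable script under the web root, and
    '../../app/web.xml' walks out of the upload directory entirely."""
    return os.path.join(upload_dir, filename)


def safe_target_path(filename: str, data: bytes, upload_dir: str) -> str:
    """Hardened variant: reject oversized uploads, derive the extension from the
    last suffix only, require it to be allow-listed, require the content to
    carry the matching magic bytes, and store under a random server-chosen
    name so neither the name nor the directory is attacker-controlled."""
    if len(data) > MAX_SIZE:
        raise UploadRejected("file too large")
    # Keep only the last path component (covers both '/' and '\\' separators).
    base = os.path.basename(filename.replace("\\", "/"))
    # Extension = text after the final dot; 'photo.png.jsp' therefore yields 'jsp'.
    m = re.fullmatch(r".+\.([A-Za-z0-9]{1,5})", base)
    if m is None:
        raise UploadRejected("missing or malformed extension")
    ext = m.group(1).lower()
    magic = ALLOWED_TYPES.get(ext)
    if magic is None:
        raise UploadRejected(f"extension {ext!r} not allowed")
    if not data.startswith(magic):
        raise UploadRejected("content does not match declared type")
    # Random name: the original name is never reused, not even as a prefix.
    stored = f"{secrets.token_hex(16)}.{ext}"
    return os.path.join(upload_dir, stored)


def is_rejected(filename: str, data: bytes, upload_dir: str = "/srv/uploads") -> bool:
    """Helper for callers/tests: True when the hardened handler refuses the upload."""
    try:
        safe_target_path(filename, data, upload_dir)
        return False
    except UploadRejected:
        return True


if __name__ == "__main__":
    # Constructed sample inputs: a JSP web shell and a minimal PNG header.
    jsp = b'<% Runtime.getRuntime().exec(request.getParameter("c")); %>'
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
    print(vulnerable_target_path("shell.jsp", "/var/www/uploads"))   # stored as-is
    print(is_rejected("shell.jsp", jsp))                             # True
    print(is_rejected("photo.png", jsp))                             # True: wrong magic
    print(os.path.basename(safe_target_path("photo.png", png, "/srv/uploads")))
```

The magic-byte check is what stops the "rename the web shell to .png" trick; the random name is what stops path traversal and overwriting of existing files. In a real deployment the upload directory would additionally sit outside the web root and be served without script execution, which this snippet cannot show on its own.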
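Both SSRF notes above (3072955 in the NWDI Component Build Service and 3074844 in the Enterprise Portal) share one root cause: a server-side component fetches whatever URL it was handed. The following Python, added here as an example and not taken from SAP or from this post, shows that unsafe pattern next to a target validator that restricts the scheme, refuses embedded credentials, allow-lists the destination host and then checks the address the host resolves to, so that an allowed name cannot be pointed at loopback, RFC 1918 or link-local space (the DNS-rebinding and cloud-metadata tricks). The host allow-list and the name-to-address table standing in for DNS are constructed so the example runs offline.

```python
from __future__ import annotations

import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# Assumed allow-list: the only hosts this hypothetical component may fetch from.
ALLOWED_HOSTS = {"build.corp.example", "artifacts.corp.example"}

# Constructed stand-in for DNS so the example runs offline. The second entry
# models an allowed name that (through a rebinding attack or a stale record)
# now points at an internal address; the third is an attacker's name pointing
# at a cloud metadata endpoint.
FAKE_DNS = {
    "build.corp.example": "93.184.216.34",
    "artifacts.corp.example": "10.20.0.8",
    "evil.example": "169.254.169.254",
}


class SsrfBlocked(ValueError):
    """Raised for any target the hardened validator refuses to contact."""


def vulnerable_target(url: str) -> str:
    """The SSRF pattern: the request goes wherever the client said. With the
    component reachable from the Internet this is an open proxy into the
    intranet (http://127.0.0.1:50000/..., cloud metadata, other SAP systems)."""
    return url


def resolve(host: str) -> ipaddress.IPv4Address | ipaddress.IPv6Address:
    """Map a host name to an address using the constructed table above."""
    try:
        return ipaddress.ip_address(host)  # already a literal address
    except ValueError:
        pass
    try:
        return ipaddress.ip_address(FAKE_DNS[host])
    except KeyError:
        raise SsrfBlocked(f"unknown host {host!r}") from None


def safe_target(url: str) -> tuple[str, str, str, int, str]:
    """Validate and pin an outbound target. Returns (scheme, host, address, port,
    path): the caller connects to `address` but keeps `host` for SNI/Host, so a
    DNS change after validation cannot redirect the request."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise SsrfBlocked(f"scheme {parts.scheme!r} not allowed")
    if parts.username is not None or parts.password is not None:
        # http://build.corp.example@evil.example/ parses to host evil.example
        raise SsrfBlocked("credentials in URL are not allowed")
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_HOSTS:
        raise SsrfBlocked(f"host {host!r} not in allow-list")
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:
        raise SsrfBlocked("malformed port") from None
    addr = resolve(host)
    # Second layer: even an allow-listed name must resolve to a public address.
    if not addr.is_global or addr.is_multicast:
        raise SsrfBlocked(f"{host} resolves to non-public address {addr}")
    return (parts.scheme, host, str(addr), port, parts.path or "/")


def blocked(url: str) -> bool:
    """True when the hardened validator refuses the URL."""
    try:
        safe_target(url)
        return False
    except SsrfBlocked:
        return True


if __name__ == "__main__":
    for u in ("https://build.corp.example/cbs/ping",
              "http://build.corp.example@evil.example/",
              "https://artifacts.corp.example/repo",
              "http://127.0.0.1:50000/sap/bc/ping",
              "file:///etc/passwd"):
        print(f"{u:45} vulnerable -> {vulnerable_target(u)!r:45} blocked={blocked(u)}")
```

The allow-list alone is not enough: `artifacts.corp.example` is permitted by name yet rejected because it resolves into 10.0.0.0/8, which is the case a rebinding attack produces. Returning the pinned address with the validated host is what keeps the fetch on the address that was checked.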
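The nZDT note (3078312) concerns an SQL injection in a remote-enabled function that counts rows for reconciliation, exactly the kind of routine that takes a table name and a filter from its caller. The Python/sqlite3 program below is an added example, not SAP's code: it builds a small constructed database, shows the string-built query being turned into a blind yes/no oracle against a table the tool was never meant to touch, and contrasts it with a version that validates the table and column against an allow-list and the live schema and binds the value as a parameter. The table names (ORDERS, DELIVERIES, USR02), their contents and the allow-list are assumptions for illustration.

```python
from __future__ import annotations

import sqlite3

# Assumed allow-list: the only tables this hypothetical reconciliation job may count.
RECONCILE_TABLES = {"ORDERS", "DELIVERIES"}


def build_sample_db() -> sqlite3.Connection:
    """Constructed data: a business table the tool should count, and a sensitive
    table (named after SAP's user master table) it must never reach."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE ORDERS (ID INTEGER PRIMARY KEY, STATUS TEXT);
        INSERT INTO ORDERS (STATUS) VALUES ('OPEN'), ('OPEN'), ('OPEN'), ('CLOSED'), ('CLOSED');
        CREATE TABLE DELIVERIES (ID INTEGER PRIMARY KEY, STATUS TEXT);
        CREATE TABLE USR02 (BNAME TEXT, PASSCODE TEXT);
        INSERT INTO USR02 VALUES ('SAP*', 'A9F2C0DE'), ('DDIC', 'C3B1E8AA');
    """)
    return conn


def count_rows_vulnerable(conn: sqlite3.Connection, table: str, condition: str) -> int:
    """The injectable pattern: both the table name and the filter are pasted
    into the statement, so the caller controls arbitrary SQL."""
    sql = f"SELECT COUNT(*) FROM {table} WHERE {condition}"
    return conn.execute(sql).fetchone()[0]


def passcode_prefix_oracle(conn: sqlite3.Connection, prefix: str) -> bool:
    """How an attacker uses the count as a blind oracle: the filter is true for
    every ORDERS row exactly when the sub-query about USR02 is true, so the
    returned count (5 versus 0) answers a question about a different table."""
    probe = ("1=0 OR EXISTS (SELECT 1 FROM USR02 "
             f"WHERE BNAME = 'SAP*' AND PASSCODE LIKE '{prefix}%')")
    return count_rows_vulnerable(conn, "ORDERS", probe) > 0


def count_rows_safe(conn: sqlite3.Connection, table: str,
                    column: str | None = None, value=None) -> int:
    """Hardened variant: the table must be allow-listed and exist, the column must
    exist in that table's schema, and the value is bound as a parameter.
    Identifiers are quoted but never taken from free text."""
    existing = {r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'")}
    if table not in RECONCILE_TABLES or table not in existing:
        raise ValueError(f"table {table!r} not permitted")
    sql = f'SELECT COUNT(*) FROM "{table}"'
    params: tuple = ()
    if column is not None:
        columns = {r[1] for r in conn.execute(f'PRAGMA table_info("{table}")')}
        if column not in columns:
            raise ValueError(f"column {column!r} not in {table}")
        sql += f' WHERE "{column}" = ?'
        params = (value,)
    return conn.execute(sql, params).fetchone()[0]


def safe_rejects(conn: sqlite3.Connection, table: str, column=None, value=None) -> bool:
    """True when the hardened function refuses the request."""
    try:
        count_rows_safe(conn, table, column, value)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    db = build_sample_db()
    print(count_rows_vulnerable(db, "ORDERS", "STATUS = 'OPEN'"))   # intended use: 3
    # Blind extraction of the first hex digit of SAP*'s passcode, one probe per guess.
    first = next(c for c in "0123456789ABCDEF" if passcode_prefix_oracle(db, c))
    print("leaked first digit:", first)                              # A
    print(count_rows_safe(db, "ORDERS", "STATUS", "OPEN"))           # 3
    print(count_rows_safe(db, "ORDERS", "STATUS", "x' OR 1=1 --"))   # 0: bound as a literal
    print(safe_rejects(db, "USR02"), safe_rejects(db, "ORDERS", "STATUS = 'OPEN' OR 1=1"))
```

The UCON workaround in the note works at a different layer, by making the remote-enabled function unreachable from outside; the code change above is what the correction instructions have to do inside the function, which is why SAP presents the workaround as complementary rather than as a substitute.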
Reference links
Reference links from INCIBE-CERT regarding the publication of the notes for August:
https://www.incibe-cert.es/alerta-temprana/avisos-seguridad/actualizacion-seguridad-sap-agosto-2021
Other references, in English, from SAP and Onapsis (August):
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=582222806
https://onapsis.com/blog/sap-security-patch-day-august-2021
Affected resources
The full list of affected systems/components is as follows:
- DMIS Mobile Plug-In, versions DMIS 2011_1_620, 2011_1_640, 2011_1_700, 2011_1_710, 2011_1_730, 710, 2011_1_731, 710, 2011_1_752 and 2020.
- SAP Business One, version 10.0;
- SAP BusinessObjects Business Intelligence Platform (Crystal Report, SAPUI5), versions 420 and 430;
- SAP Cloud Connector, version 2.0;
- SAP Fiori Client Native Mobile for Android, version 3.2;
- SAP NetWeaver:
  - Knowledge Management, versions 7.30, 7.31, 7.40 and 7.50;
  - AS ABAP and ABAP Platform (SRM_RFC_SUBMIT_REPORT), versions 700, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754 and 755;
  - Development Infrastructure (Component Build Service), versions 7.11, 7.20, 7.30, 7.31, 7.40 and 7.50;
  - Development Infrastructure (Notification Service), versions 7.31, 7.40 and 7.50;
  - Enterprise Portal (Application Extensions), versions 7.30, 7.31, 7.40 and 7.50;
  - Enterprise Portal, versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40 and 7.50;
- SAP S/4HANA, versions SAPSCORE 125, S4CORE 102, 102, 103, 104 and 105;