Inprosec a través de sus servicios, como el SAP Security Assessment, ayuda a sus clientes a mejorar los niveles de seguridad de sus sistemas SAP.
Notas Junio 2021
Resumen y highlights del Mes
El número total de notas/parches ha aumentado con respecto al último mes. A pesar de esta subida en el número de notas totales, el número de Hot News ha disminuido, siendo 3 las que encontrábamos el mes pasado con respecto a las 2 existentes en Junio. Por otro lado, cabe destacar, que ha aumentado el número de notas de criticidad alta pasando de 3 a 4 en este mes. Como siempre dejaremos las notas medias y bajas sin revisar en este mes, pero daremos detalle de un total de 6 notas (todas las que tengan un CVSS de 7 o mayor).
Tenemos un total de 20 notas para todo el mes, 6 más que el pasado Mayo (19 del patch Tuesday, 2 nuevas y 17 actualizaciones, siendo 8 más que el pasado mes).
Este mes hay 2 notas críticas (Hot News), un update y una nota nueva, que destacan por su alto CVVS. Además revisaremos en detalle 4 del total de 4 notas altas (aquellas de CVSS mayor o igual a 7) donde este mes serían todas ellas notas nuevas.
- La nota más crítica del mes (con CVSS 9,9) es una actualización a una vulnerabilidad de ejecución remota de código , donde solamente se ha añadido un enlace actualizado a un documento de preguntas frecuentes.
- La siguiente en criticidad (CVSS 9), sería una nota relacionada con una vulnerabilidad de autenticación inadecuada, ya que un servidor ABAP no podía identificar correctamente al 100% si la comunicación vía RFC o HTTP es entre los servidores de aplicaciones del mismo sistema SAP o con servidores fuera del sistema.
- A partir de ahí, localizamos las 4 notas de criticidad alta (high priority) siendo la más relevante con un CVSS de 8.7 una nueva nota de Missing XML Validation que afecta a SAP NetWeaver AS for Java. El resto (14), serían notas de nivel medio y bajo, y no las veremos en detalle.
- Este mes los tipos más predominantes son “Cross-Site Scripting (XSS)” (5/20 y 4*/19 en patch day) y “Memory Corruption” (4/20 y 4*/11 en patch day).
En la gráfica (post Junio 2021 de SAP) podemos ver la clasificación de las notas de Junio además de la evolución y clasificación de los últimos 5 meses anteriores (solo las notas del Sec. Tuesday / Patch Day – by SAP):
Detalle completo
El detalle completo de las notas más relevantes es el siguiente (en inglés):
- Update – Remote Code Execution vulnerability in Source Rules of SAP Commerce (3040210): SAP Commerce Backoffice application allows certain authorized users to create source rules which are translated to drools rule when published to certain modules within the application. An attacker with this authorization can inject malicious code in the source rules and perform remote code execution enabling them to compromise the confidentiality, integrity and availability of the application. SAP Commerce Cloud addresses this vulnerability by adding validation and output encoding when processing Promotion Rules and other Source Rules. As mentioned earlier, this update is just a minor update that only contains an updated link on a FAQ document. CVSS v3 Base Score: 9,9 / 10 (CVE-2021-27602)
- Improper Authentication in SAP NetWeaver ABAP Server and ABAP Platform (3020104): The vulnerability affects SAP NetWeaver ABAP Server and ABAP Platform, that do not create information about internal and external RFC user in distinguished and consistent format, which may be exploited by malicious users to obtain illegitimate access to the system. The risk of an attack can be reduced by restricting access from network external sources for RFC and HTTP communication in network protection solution accordingly and with the correction provided in this SAP Note the identification of application servers within one SAP system is improved and allows communication to distinguish from application servers of another SAP system or external client and server programs. For the correction, a new Kernel version for RFC and HTTP is required and an ABAP correction for HTTP communication. CVSS v3 Base Score: 9 / 10 (CVE-2021-27610).
- Missing XML Validation in SAP NetWeaver AS for JAVA (3053066): The note is related with the vulnerability that a malicious user authenticated as an administrator can connect over a network and submit a specially crafted XML file which can be used to attack the Java NetWeaver system under consideration. This attack can fully compromise confidentiality by allowing the attacker to read any file on the filesystem or fully compromise availability by causing the system to crash. The attack cannot be used to change any data so that there is no compromise as to integrity. To fix the issue, the XML parser is now configured securely to validate submitted XML documents so that external entities are not allowed. To protect against attack, it is necessary to apply corresponding patch. CVSS v3 Base Score: 8.7 / 10 (CVE-2021-27635).
- Memory Corruption vulnerability in SAP NetWeaver ABAP Server and ABAP Platform (3020209): An unathenticated attacker without specific knowledge of the system can send a specially crafted packet over a network which will trigger an internal error in the system causing the system to crash and rendering it unavailable. In this attack, no data in the system can be viewed or modified. The crafted packet is a malformed request which is not recognized as such by the SAP Gateway process. As a consequence, the SAP Gateway attempts to handle the malformed request as if it were a proper request. The SAP Gateway might then attempt to copy from or into arbitrary memory locations. Malformed requests might then lead to a crash of the SAP Gateway process, which will in turn break all open RFC connections, and all registrations of programs with the SAP Gateway. With the correction, SAP Gateway is hardened against such memory corruption caused by request forgeries. To do so, implement the patch level of SAP Gateway mentioned in this SAP Note. CVSS v3 Base Score: 7.5 / 10 (Multiple CVEs).
- Memory Corruption vulnerability in SAP NetWeaver ABAP Server and ABAP Platform (3020104): An unauthenticated attacker without specific knowledge of the system can send a specially crafted packet over a network which will trigger an internal error in the system causing the system to crash and rendering it unavailable. Memory corruption can be provoked in SAP Enqueue Server (ENSA1) due to programming error. In this attack, no data in the system can be viewed or modified. The patch will protect against the memory corruption attacks described earlier by correcting a programming error. To apply the fix, implement the patch level mentioned in this SAP Note. CVSS v3 Base Score: 7.5 / 10 (Multiple CVEs).
- Memory Corruption vulnerability in SAP NetWeaver ABAP Server and ABAP Platform (3021197): SAP NetWeaver ABAP Server and ABAP Platform are vulnerable for externally triggered memory corruption. More precisely, the Dispatcher process of an SAP system is vulnerable for request forgery using a crafted packet of SAP´s proprietary DIAG protocol, which is used for SAP GUI communication. The packet causes a crash either of a work process or of the Dispatcher process. The latter immediately causes a hard shutdown of the application server. In this attack, no data in the system can be viewed or modified. By the provided correction, disp+work is hardened against memory corruption caused by such request forgeries.. CVSS v3 Base Score: 7.5 / 10 (Multiple CVEs).
Enlaces de referencia
Enlaces de referencia del CERT del INCIBE en relación a la publicación de las notas para el mes de Junio:
https://www.incibe-cert.es/alerta-temprana/avisos-seguridad/actualizacion-seguridad-sap-junio-2021
Otras referencias, en inglés de SAP y Onapsis (Junio):
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999
Recursos afectados
El listado completo de los sistemas/componentes afectados es el siguiente:
- SAP 3D Visual Enterprise Viewer, versión 9;
- SAP Business One, versión 10.0;
- SAP Commerce, versiones 1808, 1811, 1905, 2005 y 2011;
- SAP Commerce Cloud, versión 100;
- SAP Enable Now (SAP Workforce Performance Builder – Manager), versiones 10.0 y 1.0;
- SAP Fiori Apps 2.0 for Travel Management in SAP ERP, versión 608.
- SAP Manufacturing Execution, versiones 15.1, 1.5.2, 15.3 y 15.4;
- SAP NetWeaver ABAP Server y ABAP Platform (Dispatcher):
-
- KERNEL, versiones 7.22, 8.04, 7.49, 7.53, 7.73, 7.77, 7.81, 7.82 y 7.83;
- KRNL32NUC, versiones 7.22 y 7.22EXT;
- KRNL32UC, versiones 7.22 y 7.22EXT;
- KRNL64NUC, versiones 7.22, 7.22EXT y 7.49;
- KRNL64UC, versiones 8.04, 7.22, 7.22EXT, 7.49, 7.53 y 7.73;
- SAP NetWeaver ABAP Server y ABAP Platform (Enqueue Server):
-
- KERNEL, versiones 7.22, 8.04, 7.49, 7.53 y 7.73;
- KRNL32NUC, versiones 7.22 y 7.22EXT;
- KRNL64NUC, versiones 7.22, 7.22EXT y 7.49;
- KRNL64UC, versiones 8.04, 7.22, 7.22EXT, 7.49, 7.53, y 7.73;
- SAP NetWeaver AS (Internet Graphics Server – Portwatcher), versiones 7.20, 7.20EXT, 7.53, 7.20_EX2 y 7.81;
- SAP NetWeaver AS ABAP:
-
- KERNEL, versiones 7.22, 8.04, 7.49, 7.53, 7.73, 7.77, 7.81, 7.82, 7.83 y 7.84;
- KRNL32NUC, versiones 7.22 y 7.22EXT;
- KRNL32UC, versiones 7.22 y 7.22EXT;
- KRNL64NUC, versiones 7.22, 7.22EXT y 7.49;
- KRNL64UC, versiones 8.04, 7.22, 7.22EXT, 7.49, 7.53 y 7.73;
- SAP NetWeaver AS ABAP (RFC Gateway):
-
- KERNEL, versiones 7.22, 8.04, 7.49, 7.53, 7.73, 7.77, 7.81, 7.82 y 7.83;
- KRNL32NUC, versiones 7.22 y 7.22EXT;
- KRNL64NUC, versiones 7.22, 7.22EXT y 7.49;
- KRNL64UC, versiones 8.04, 7.22, 7.22EXT, 7.49, 7.53 y 7.73;
- SAP NetWeaver AS ABAP (Web Survey), versiones 700, 702, 710, 711, 730, 731, 750, 750, 752, 75A y 75F;
- SAP NetWeaver AS ABAP y ABAP Platform, versiones 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755 y 804;
- SAP NetWeaver AS ABAP y ABAP Platform (SRM_RFC_SUBMIT_REPORT), versiones 700, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754 y 755;
- SAP NetWeaver AS for JAVA, versiones 7.20, 7.30, 7.31, 7.40 y 7.50;
- SAP NetWeaver AS for Java (UserAdmin), versiones 7.11, 7.20, 7.30, 7.31, 7.40 y 7.50;
- SAP NetWeaver Application Server ABAP (Aplicaciones basadas en SAP GUI para HTML):
- KERNEL, versiones 7.49, 7.53, 7.77, 7.81 y 7.84;
- KRNL64NUC, versión 7.49;
- KRNL64UC, versiones 7.49 y 7.53;
- SAP NetWeaver Application Server ABAP (Aplicaciones basadas en Web Dynpro ABAP):
-
- SAP_BASIS, versión 702,31;
- SAP_UI, versiones 750, 752, 753, 754 y 755;