As every quarter, here is our review of the SAP security notes, in this case for the first quarter of 2019.
This quarter there are 4 distinct critical notes (Hot News); one of them, the recurring update for “SAP Business Client”, appears in 2 of the 3 months, which is why 5 Hot News were published in total. Together with 6 High Priority notes, that gives the 10 notes reviewed in detail below.
- The most critical note (CVSS 9.8) is an update of an earlier note for the “SAP Business Client” component; it is a recurring note that received 2 updates this quarter.
- We also highlight the second most critical note (CVSS 9.4), for SAP HANA.
There were 51 notes in total for the quarter, 22 fewer than the previous quarter (39 of them on Patch Tuesday, 5 fewer than the previous quarter):
- In January, 18 notes were published (11 of them on Security Notes Tuesday; 17 new notes and 1 update of a previous note).
- There are 2 Hot News (critical) notes: the more significant one covers several vulnerabilities in “SAP Cloud Connector” with a CVSS of 9.3, and the second is for “SAP Landscape Management” with a CVSS of 9.1.
- There are also 2 High Priority notes, the highest scoring one being the “Adobe PDF Print Library” note with a CVSS of 7.3.
- This month the most common vulnerability type is Cross-Site Scripting (6/18 overall and 4/16 on Patch Day), and the platform with the most fixes is SAP NetWeaver ABAP.
- In February, 16 notes were published (all 16 on Security Notes Tuesday; 13 new and 3 updates of previous notes).
- There are 2 Hot News (critical) notes: an update of the recurring “SAP Business Client” note, with a CVSS of 9.8, which is updated again in March, and a missing authentication check in SAP HANA with a CVSS of 9.4.
- There are also 4 High Priority notes; the highest has a CVSS of 8.7, and one of them is an update of a previous note.
- This month the most common types are Missing Authorization Check and Cross-Site Scripting (3/16 each).
- In March, 17 notes were published (12 of them on Security Notes Tuesday; 14 new and 3 updates of previous notes).
- The only Hot News (critical) note is the “SAP Business Client” note originally published in April, receiving its third update so far this year, with a CVSS of 9.8. It is important to apply it again.
- There are also 2 High Priority notes, one very significant with a CVSS of 8.7 and the other with a CVSS of 7.6.
- This month the most common type is Missing Authorization Check (6/17 overall and 3/12 on Patch Day).
The graph below (from the March 2019 SAP post) shows the evolution and classification of the notes across the 3 months of the first quarter of 2019, plus the 3 months of the previous quarter (only Security Tuesday / Patch Day notes, as counted by SAP):

The following graph (from the March 2019 ERPScan post) shows the same evolution, but including all notes of each month, i.e. also those published outside Security Tuesday / Patch Day:
The full detail of the most relevant notes is as follows:
- SAP Cloud Connector has several vulnerabilities (2696233): an attacker can exploit a missing authentication check to access the service and read, modify or delete information, as well as use administrative or privileged functionality. An OS command execution vulnerability allows unauthorized execution of operating system commands, which run with the privileges of the service that executed them. The attacker can also access arbitrary files and directories on the SAP server filesystem, including application source code, configuration and critical system files, and thereby obtain critical technical and business information stored in the vulnerable SAP system. Install this SAP Security Note to prevent these risks. CVSS Base Score: 9.3 / 10
- SAP Landscape Management has an Information Disclosure vulnerability (2727624): an attacker can use it to reveal additional information (e.g. system data, debugging information) that helps to explore the system and plan further attacks. Install this SAP Security Note to prevent these risks. CVSS Base Score: 9.1 / 10
- Adobe PDF Print Library has multiple vulnerabilities (2724788): depending on the vulnerability, an implementation flaw can result in unpredictable behaviour and issues related to system stability and safety. The patches correct configuration errors, add new functionality and improve system stability. Install this SAP Security Note to prevent these risks. CVSS v3 Base Score: 7.3 / 10
- SAP BusinessObjects BI Suite has an Information Disclosure vulnerability (2654905): an attacker can use it to reveal additional information (system data, debugging information, etc.) that helps to learn about the system and plan further attacks. Install this SAP Security Note to prevent these risks. CVSS v3 Base Score: 9.8 / 10
- SAP HANA Extended Application Services has a Missing Authentication Check vulnerability (2742027): an attacker can use it to access a service without any authentication procedure and use functionality that has restricted access. This can lead to information disclosure, privilege escalation and other attacks. CVSS v3 Base Score: 9.4 / 10
- SLD Registration of ABAP Platform has an XML External Entity (XXE) vulnerability (2729710): an attacker can send specially crafted, unauthorized XML requests that are processed by the XML parser, and use the external entity resolution to gain unauthorized access to the OS filesystem. CVSS Base Score: 8.7 / 10
- SAP Disclosure Management has a Missing Authorization Check vulnerability (2724014): an attacker can use it to access a service without any authorization procedure and use functionality that has restricted access. This can lead to information disclosure, privilege escalation and other attacks. CVSS Base Score: 8.3 / 10
- SLD Registration of ABAP Platform has an XML External Entity (XXE) vulnerability (2764283): as with 2729710, an attacker can send specially crafted, unauthorized XML requests that are processed by an XML parser and use them to gain unauthorized access to the OS filesystem. CVSS Base Score: 8.7 / 10
- SAP Disclosure Management has a Missing Authorization Check vulnerability (2736825): as with 2724014, an attacker can use it to access a service without any authorization procedure and use functionality that has restricted access, which can lead to information disclosure, privilege escalation and other attacks. CVSS Base Score: 8.3 / 10
- SAP NetWeaver Java Application Server has a Cross-Site Scripting (XSS) vulnerability (2689925): an attacker can use it to inject a malicious script that gives access to critical information stored by the browser and used for interaction with the site. CVSS Base Score: 7.6 / 10
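The two SLD Registration notes above (2729710 and 2764283) describe the XXE pattern only in the abstract: a crafted XML request whose DTD declares an external entity, which the parser then resolves against the server's filesystem. The Python script below is an added example written for this review; it is not code from the page, from SAP, or from the SLD Registration component. It builds such a payload against a throwaway temporary file (constructed here), parses it once with external general entity resolution switched on, so the file content is spliced into the document, and once with a hardened parser that rejects any DTD and keeps external entity resolution off. The element names and the secret file content are assumptions for illustration only.

```python
"""Added example: XXE through an external general entity, and the parser
configuration that stops it. All input is constructed; nothing here is SAP code."""
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


class TextCollector(ContentHandler):
    """Collects character data so we can see what the parser actually 'read'."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)

    def text(self):
        return "".join(self.parts)


def xxe_payload(target_path):
    """Constructed attacker document: the DTD declares an external entity that
    points at a local file, and the body references it inside an element
    (the element names are assumptions, not the SLD registration format)."""
    return (
        '<?xml version="1.0"?>\n'
        '<!DOCTYPE registration [\n'
        f'  <!ENTITY xxe SYSTEM "file://{target_path}">\n'
        ']>\n'
        '<registration><host>&xxe;</host></registration>'
    ).encode()


def parse_insecure(xml_bytes):
    """Vulnerable configuration: external general entities are fetched, so the
    file named in the DTD is read and its content replaces &xxe;."""
    handler = TextCollector()
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, True)
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return handler.text()


def parse_hardened(xml_bytes):
    """Hardened configuration: a registration request never needs a DTD, so any
    DOCTYPE or ENTITY declaration is rejected up front (the XML keywords are
    case-sensitive), and external entity resolution stays disabled as a
    second layer in case the pre-check is ever bypassed."""
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        raise ValueError("DTD/entity declarations are not accepted")
    handler = TextCollector()
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, False)
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return handler.text()


def demo():
    """Writes a throwaway 'secret' file, then returns what each parser produced:
    (text leaked by the insecure parser, whether the hardened parser refused the
    payload, text the hardened parser extracts from a benign request)."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write("db_password=hunter2")  # constructed secret, not real data
        secret_path = f.name
    try:
        payload = xxe_payload(secret_path)
        leaked = parse_insecure(payload)
        try:
            parse_hardened(payload)
            blocked = False
        except ValueError:
            blocked = True
        benign = parse_hardened(b"<registration><host>app01</host></registration>")
        return leaked, blocked, benign
    finally:
        os.unlink(secret_path)


if __name__ == "__main__":
    leaked, blocked, benign = demo()
    print("insecure parser read from disk:", leaked)
    print("hardened parser rejected the payload:", blocked)
    print("hardened parser on a benign request:", benign)
```

Run it directly to see the file content appear in the insecure parse. The check a practitioner wants on an SLD-style endpoint is the hardened path: reject a DOCTYPE outright rather than trying to sanitise it, and set feature_external_ges to False explicitly even though recent Python versions default it off, so the behaviour survives interpreter and library upgrades.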
Reference links from INCIBE-CERT for the publication of the notes in each of the 3 months of this quarter:
https://www.incibe-cert.es/alerta-temprana/avisos-seguridad/actualizacion-seguridad-sap-enero-2019
https://www.incibe-cert.es/alerta-temprana/avisos-seguridad/actualizacion-seguridad-sap-febrero-2019
https://www.incibe-cert.es/alerta-temprana/avisos-seguridad/actualizacion-seguridad-sap-marzo-2019
Other references, in English, from SAP, Onapsis and ERPScan (in order: January -> March):
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=509151985
https://www.onapsis.com/blog/sap-patch-notes-january-2019
https://erpscan.io/press-center/blog/sap-cyber-threat-intelligence-report-january-2019/
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=510922943
https://www.onapsis.com/blog/sap-patch-notes-February-2019
https://erpscan.io/press-center/blog/sap-cyber-threat-intelligence-report-february-2019/
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=515408080
https://www.onapsis.com/blog/sap-patch-notes-march-2019
https://erpscan.io/press-center/blog/sap-cyber-threat-intelligence-report-march-2019/
The complete list of affected systems/components is as follows:
Affected resources:
- ABAP Platform, versions Krnl64nuc 7.74, krnl64UC 7.73, 7.74, Kernel 7.73, 7.74, 7.75
- ABAP Platform (SAP Basis), versions 7.0 to 7.02, 7.10 to 7.11, 7.30, 7.31, 7.40, 7.50 to 7.53, 7.74 to 7.75
- ABAP Platform (SLD Registration), versions KRNL32NUC 7.21, 7.21EXT, 7.22, 7.22EXT; KRNL32UC 7.21, 7.21EXT, 7.22, 7.22EXT; KRNL64NUC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49; KRNL64UC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49, 7.73; KERNEL 7.21 to 7.22, 7.45, 7.49, 7.53, 7.73, 7.75
- ABAP Server (used in NetWeaver and Suite/ERP): ABAP Server 7.00 to 7.31 using Kernel 7.21 or 7.22, ABAP Server 7.40 to 7.52 using Kernel 7.45, 7.49 or 7.53, or ABAP Platform
- ABAP Server of SAP NetWeaver and ABAP Platform, versions KRNL32NUC 7.21, KRNL32NUC 7.21EXT, KRNL32NUC 7.22, KRNL32NUC 7.22EXT, KRNL32UC 7.21, KRNL32UC 7.21EXT, KRNL32UC 7.22, KRNL32UC 7.22EXT, KRNL64NUC 7.21, KRNL64NUC 7.21EXT, KRNL64NUC 7.22, KRNL64NUC 7.22EXT, KRNL64NUC 7.49, KRNL64NUC 7.74, KRNL64UC 7.21, KRNL64UC 7.21EXT, KRNL64UC 7.22, KRNL64UC 7.22EXT, KRNL64UC 7.49, KRNL64UC 7.73, KRNL64UC 7.74, KRNL64UC 8.04, KERNEL 7.21, KERNEL 7.45, KERNEL 7.49, KERNEL 7.53, KERNEL 7.73, KERNEL 7.74, KERNEL 7.75 and KERNEL 8.04
- Banking services from SAP, version 9.0
- FSAPPL, version 5
- S4FPSL, version 1
- SAP_BASIS, versions 7.00 to 7.02, 7.10, 7.11, 7.30, 7.31, 7.40, 7.50, 7.51
- SAP Business Client, version 6.5
- SAP Business Objects Business Intelligence Platform Servers (Enterprise), versions 4.2, 4.3
- SAP Business Objects Business Intelligence Platform, versions 4.2, 4.3
- SAP Business Objects Business Intelligence Platform (BI Workspace), versions 4.10 and 4.20
- SAP Business Objects Business Intelligence Platform (CMC Module), versions 4.10, 4.20 and 4.30
- SAP Business Objects Mobile for Android, versions prior to 6.3.5
- SAP Business One Mobile Android App, version 1.2.12
- SAP BW/4HANA, version 1.0 (SP08)
- SAP Cloud Connector, versions prior to 2.11.3
- SAP Commerce (formerly SAP Hybris Commerce), versions prior to 6.7
- SAP CRM WebClient UI, versions SAPSCORE 1.12; S4FND 1.02; WEBCUIF 7.31, 7.46, 7.47, 7.48, 8.0, 8.01
- SAP Disclosure Management, version 10.01 and version 10.01 Stack 1301
- SAP Enterprise Architecture Designer for SAP HANA, version 1.0
- SAP Enterprise Financial Services, versions SAPSCORE 1.13, 1.14, 1.15; S4CORE 1.01, 1.02, 1.03; EA-FINSERV 1.10, 2.0, 5.0, 6.0, 6.03, 6.04, 6.05, 6.06, 6.16, 6.17, 6.18, 8.0; Bank/CFM 4.63_20
- SAP Financial Consolidation Cube Designer, versions BOBJ_EADES 8.0, 10.1
- SAP Gateway of ABAP Application Server, versions SAP_GWFND 7.5, 7.51, 7.52, 7.53; SAP_BASIS 7.5
- SAP HANA Extended Application Services, version 1, and advanced model (XS advanced), version 1.0
- SAP Landscape Management, versions VCM 3.0
- SAP Manufacturing Integration and Intelligence, versions 15.0, 15.1 and 15.2
- SAP Mobile Platform SDK, versions prior to SDK 3.1 SP03 PL02 and SDK 3.1 SP04
- SAP NetWeaver Java Application Server (J2EE-APPS), versions 7.10 to 7.11, 7.20, 7.30, 7.31, 7.40 and 7.50
- SAP Plant Connectivity, versions 15.1, 15.2
- SAP WebIntelligence BILaunchPad (Enterprise), versions 4.10, 4.20
- SAP Work Manager, versions Agentry_SDK 7.0, 7.1
- Solution Tools Plug-In (ST-PI), versions 2008_1_700, 2008_1_710, 740