Onapsis Research Lab, a global leader in application-focused cybersecurity, develops solutions to protect SAP and Oracle E-Business Suite (EBS) systems. Founded in 2009 in Argentina, Onapsis is now headquartered in Boston, Massachusetts, with operations around the globe, serving more than 300 of the world’s leading brands and organizations, including many of the Global 2000.
Onapsis Research Labs’ research report on a Server-Side Request Forgery (SSRF) vulnerability in SAP NetWeaver Application Server Java, which can lead to business disruption by shutting down the system, made it onto the list of August’s SAP Security Notes. The patch updates released on 13 August included several fixes in three SAP Security Notes tagged as HotNews (the most critical priority level) and affect several products, such as SAP NetWeaver Application Server for Java, SAP NetWeaver UDDI Server (also based on SAP AS Java) and SAP Commerce Cloud (formerly SAP Hybris Commerce).
This month’s release is highly important and demands urgent action, considering that the last time SAP published three HotNews on the same day was in 2014. A total of 23 SAP Security Notes were released during August’s Patch Day.
Alongside the Onapsis findings on the critical bugs, which include a vulnerability rated with a CVSS score of 9.9, a fourth HotNews was also reported: a re-released note published late last month, out of schedule. The two vulnerabilities affecting SAP Java platforms allow unauthenticated attackers to execute commands remotely and potentially disrupt system operations by shutting the system down or exhausting its resources. A disruption of SAP Java systems, which usually host web applications that users consume regularly, can have a severe economic impact on the organization.
Onapsis’ HotNews: SAP Security Note # 2813811
The HotNews on the critical vulnerability found and reported by Onapsis is tagged as SAP Security Note #2813811. Aptly titled “Server-Side Request Forgery (SSRF) in SAP NetWeaver Application Server for Java”, it has a CVSS of 9.0, since a potential attacker may access the Management Console for SAP Java systems (by stealing user credentials). Total disruption of the Java web portals, including data access (espionage, leaks) or data modification, is highly probable when unauthenticated users gain access as administrators of the Management Console. In other words, unauthenticated users may become SAP Management Console users.
The SAP Management Console provides a way for centralized system management. According to SAP documentation, an administrator (among others) using this tool can:
· Monitor and control (start, stop, or restart) the SAP system and its instances
· Display SAP log and trace files, start profiles, instance parameters, the system environment, SAP environment, Internet Communication Manager (ICM) queue statistics, and more
· Display and control Java processes
According to Onapsis, the good news is that although the identified vulnerability can be exploited, there are still a few measures, other than installing the patch, that may ensure protection.
The two other potential protection scenarios (even if the component is vulnerable) are as follows:
· The bug cannot be exploited if the system runs with its default configuration. This means that an attacker won’t be able to exploit it even if the code is not yet patched. Unfortunately, the non-default configuration that allows successful exploitation of this attack is recommended as a fix by SAP in several publications, such as SAP Knowledge Base Articles #2577844, #2542492, #2510099, #2506964 and #2820566, among others.
· You are not at risk if you have restricted access to the HTTP port. Setting up ACL files that deny all connections except those from localhost achieves this. This serves as a workaround (again, you should still patch the component for the future, but the urgency is not the same).
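The second workaround above, as an added example that is not part of the Onapsis report: a small defender's check that parses an ACL file and verifies that only localhost is permitted. It assumes the permit/deny-with-netmask line format (`P`/`D` followed by address and mask) used by SAP ACL files and first-match evaluation; both are assumptions, so verify them against your own SAP documentation, and the sample ACL contents and probe addresses are constructed.

```python
import ipaddress

# Constructed sample ACLs. Format assumed: "<P|D> <address> <netmask>",
# evaluated top to bottom, first match wins, no match means deny.
HARDENED_ACL = """
# permit the local host only, deny everybody else
P 127.0.0.1 255.255.255.255
D 0.0.0.0 0.0.0.0
"""

WEAK_ACL = """
# permits every source: equivalent to no access restriction at all
P 0.0.0.0 0.0.0.0
"""


def parse_acl(text):
    """Return a list of (permit, network) rules in file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3 or fields[0].upper() not in ("P", "D"):
            raise ValueError(f"unrecognised ACL line: {raw!r}")
        action, addr, mask = fields[:3]
        net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        rules.append((action.upper() == "P", net))
    return rules


def is_permitted(rules, source):
    """Evaluate one source address against the rules (first match wins)."""
    ip = ipaddress.ip_address(source)
    for permit, net in rules:
        if ip in net:
            return permit
    return False                               # implicit deny


def only_localhost(rules, probes=("10.0.0.5", "192.168.1.20", "203.0.113.9")):
    """True when localhost is allowed and every constructed remote probe is denied."""
    if not is_permitted(rules, "127.0.0.1"):
        return False
    return not any(is_permitted(rules, p) for p in probes)


if __name__ == "__main__":
    print("hardened ACL restricts to localhost:", only_localhost(parse_acl(HARDENED_ACL)))
    print("weak ACL restricts to localhost:", only_localhost(parse_acl(WEAK_ACL)))
```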
Nahuel Sanchez was the Lead Security Researcher of Onapsis credited by SAP for the collaboration this month.
Other August HotNews
SAP Security Note #28000779
SAP has published a Security Note with a CVSS of 9.9 for the first time this year. This SAP Security Note titled “Remote Code Execution (RCE) in SAP Netweaver UDDI Server (Services Registry)” warns that attackers can take advantage of a buffer overflow vulnerability to inject code into the working memory.
SAP Security Note #2786035
Code injection is also the subject of this note, rated with a CVSS of 9.0 and titled “Code injection vulnerabilities in SAP Commerce Cloud”. The described vulnerabilities affect two extensions used with the SAP Commerce Cloud solution.
SAP Security Note #2622660
On July 23rd, SAP again published the tenth update of SAP Security Note #2622660, “Security updates for the browser control Google Chromium”, delivered with SAP Business Client during SAP’s July Patch Day. New patches for SAP Business Client have been released that include release 75.0.3770 of the Chromium browser control, fixing 47 security issues in total. In this context, we would like to point out that support for release 6.5 of SAP Business Client was changed from full to restricted support at the beginning of April 2019.
High Priority Notes in SAP HANA and Kernel
For the first time in 2019, SAP also released two High Priority Security Notes on August 13, which together with the four HotNews make up the six critical fixes.
SAP HANA database-related SAP Security Note #2798243
Rated with a CVSS of 7.5, this Note covers the first High Priority vulnerability, which allows an attacker to send malformed connection requests to the SAP HANA instance and crash the related index server. Long response times, service interruptions and low availability of services, all leading to a poor user experience, are typical symptoms of such a DoS attack.
SAP Kernel-related SAP Security Note #2798743
Rated with a CVSS of 7.2 (CVE-2019-0349), this Note fixes a Missing Authorization vulnerability in an SAP kernel package, thus preventing attackers from unauthorized information disclosure and data manipulation.
In summary, the types of vulnerabilities identified in this month’s Patch Day are Remote Code Execution, Missing Authorization Check, Cross-Site Scripting and Clickjacking. Onapsis concludes that the August Patch Day reinforces the importance of keeping your systems up to date, taking into account the wide range of attack vectors exploitable in various SAP platforms, as demonstrated by the four HotNews and two High Priority Security Notes.
From this perspective, the Onapsis Platform can facilitate a vulnerability and compliance check with the Missing Notes Module, giving a clear picture of the relevant notes that are currently missing in your SAP landscape.