SAP Security Notes, Q2 2020

Inprosec through its services, such as the SAP Security Assessment, helps its customers to improve the security levels of their SAP systems.

Today we bring you the update of the Q2 2020 SAP security notes.

Q2 2020 notes

Summary and highlights of the quarter

The trend that we had of a lower number of notes/patches, in this quarter and since April has been reversed, not only because it is the quarter with the highest number of notes than in recent years, but also the one with the highest number of critical notes that we can remember, with a total of 11. High scores are also a very significant number, with a total of 17 in the quarter. In effect, in this review we will leave the average notes without review as always, but we will even exclude some of the lower CVSS registrations, and in spite of it we will give detail of a total of 22 notes (all those that have a CVSS of 7. 5 or greater), appearing a review of SAP BO by duplicate when published in April and updated in May.

We have 13 unique critical notes (Hot News), with a total of 12 this quarter, one of which is the recurring update for the SAP Business Client with Chromium with 1 appearance and a review of SAP BO that appears in April and is updated in May. We will also review in detail 9 of the total 17 high scores (those of CVSS greater than or equal to 7. 5) for the review in detail of 22 different scores.

• The 2nd most critical note of the year (CVSS 9. 9) related to code injection affecting any ABAP application server (ABAP AS).
• The next in criticality (CVSS 9. 8) are four, one is the usual “Browser Control Chromium Delivered with SAP Business Client (2622660)” which appears in May and for the 3rd time in the year; and then we have one from SAP BO Business Intelligence Platform in May and two in April; one from Apache Tomcat, which affects SAP Liquidity Management for Banking, vulnerability known as “Ghostcat”; and another for SAP Commerce due to the use of default credentials (in administrator account).
• From there, we have a 9. 0 CVSS review and another one with 9. 3 and the rest (5) are placed in a 9. 1 CVSS.
• Of the high level ones, perhaps we should point out that there are 2 for SAP Solution Manager with CVSS of 8. 6 and 8. 1 respectively.

We have a total of 81 notes for the entire quarter, 42 more than last quarter – more than double, (66 of the Tuesday patches, 36 more than last quarter):

• A total of 29 notes were released in April (26 in the Security Notes Tuesday – 23 new and 3 updates to previous notes), the highest number in a month so far this year.
  • We also have a total of 5 “hot news” (critical), which we have not seen in the same month since December 2014, focused on the following platforms: SAP Portal, SAP Commerce, SolMan and SAP Host Agent. 4 of the notes have a CVSS of 9. 1, but the most critical one reaches a CVSS of 9. 3
  • There are also 5 high priority notes, being the most relevant one with a CVSS of 8. 6 the one that affects SAP Solution Manager (SolMan).
  • The rest are medium level and we will not see them in detail, although it is worth noting that SAP BusinessObjects is the most affected platform this month, with a total of 8 notes (1 critical, 2 high and 5 medium).
  • This month the most predominant types are “Cross-Site Scripting (XSS)” (7/29 and 7*/26 in patch day) and “Missing Authorization Check” (6/29 and 3/26 in patch day).
• A total of 29 notes have been published in May, just like last month’s record of the year (22 in the Security Notes Tuesday – 18 new and 4 updates of previous notes).
  • We have a total of 6 “hot news” (critical), 4 new ones highlighting the highest level of the entire quarter with CVSS 9. 9, although there is also one for SAP BO with CVSS 9. 8. Of the two updates, one is the great classic “Browser Control Chromium Delivered with SAP Business Client (2622660)”, with its CVSS of 9. 8, with its 3rd appearance so far this year and the other is an update of the critical note of SAP BO of April. An even greater number of critical notes than last month, although we would only have 4 new ones.
  • There are also 7 notes of high criticality (high priority) the most relevant with a CVSS of 8. 8 that through SQL Injection allows the violation of the SAP ASE (Adaptive Server) system. The remaining scores (16) are all averages and the platform highlighted this month is SAP Adaptive Server Enterprise (SAP ASE) with a total of 7 scores (2 critical, 3 high and 2 average).
  • This month the most predominant types are “Information Disclosure” (6/29 and 3/22 in patch day) and “Missing Authorization Check” (4/29 and 3/22 in patch day).
• A total of 23 notes were published in June (18 in the Security Notes Tuesday – 17 new and 1 update of a previous note).
  • We have a total of 2 “hot news” (critical), being one from Apache Tomcat, which affects SAP Liquidity Management for Banking, vulnerability known as “Ghostcat”; and another one for SAP Commerce due to the use of default credentials (in administrator account). Both with a CVSS of 9. 8.
  • There are also 5 high priority notes, the most relevant being also for SAP Commerce with a CVSS of 8. 6. The rest (16) are medium level notes. The most affected application this month was SAP Commerce.
  • This month the most predominant types are “Missing Authorization Check” (6/23 and 2/18 in patch day) and “Information Disclosure” (4/23 and 3/18 in patch day).

In the graph (post June 2020 of SAP) we can see the evolution and classification of the notes of the 3 months of the second quarter of the year (2020), in addition to the 3 months of the last quarter (only the notes of the Sec. Tuesday / Patch Day – by SAP):

Full details

The full details of the most relevant notes are as follows:

1. Missing XML Validation Vulnerability in SAP Commerce (2904480): SAP Hybris is an eCommerce Java-based platform that provides solutions for B2B and B2C commerce, among others. This vulnerability is present in SAP Hybris with a default configuration and exploitable by a remote unauthenticated attacker. It could potentially allow a malicious agent to read sensitive files and data from the system and even affect availability (in some limited scenarios). SAP has provided patches for both SAP Hybris on-prem implementations as well as SAP Commerce Cloud. CVSS v3 Base Score: 9.3 / 10 (CVE-2020-6238).
2. Directory Traversal Vulnerability in SAP NetWeaver (Knowledge Management) (2896682): this vulnerability is a Path Traversal present in SAP NetWeaver Knowledge Management, which is a centralized access point for distributed repositories of files along the systems. It lets users navigate through folders, create, delete files, etc. In all these functionalities, a user can upload files. If unpatched, the system does not sufficiently validate input and therefore may allow a potential attacker to overwrite, delete or corrupt arbitrary files on the remote server. CVSS v3 Base Score: 9.1 / 10 (CVE-2020-6225).
3. Update 2 to Security Note 2808158: OS Command Injection vulnerability in SAP Diagnostics Agent (2839864): In this latest update, SAP updated the ‘Attachments’ section adding a correction in one of the files attached to the note. If you want to better understand the scope and severity of this vulnerability, you can read previous post regarding the original note (Q3 2019). We can confirm that this latest update is a minor one, that improves attachments for customization of the protection after the patch. Customers who have applied the March fix are protected against critical exploitation of this vulnerability.. CVSS v3 Base Score: 9.1 / 10 (CVE-2019-0330).
4. Deserialization of Untrusted Data in SAP Business Objects Business Intelligence Platform (CrystalReports WebForm Viewer) (2863731): This notes appears in April and then it is updated in May. It describes the possibility of a remote command execution caused by a deserialization attack in SAP BusinessObjects Business Intelligence Platform. Parameters of a specific component can be manipulated in order to inject deserialized content. The provided fix enables data encryption for the traffic between client and server so that it can no longer be read. CVSS v3 Base Score: 9.1 / 10 (CVE-2020-6219).
5. Code Injection vulnerability in SAP OrientDB 3.0 (2900118): It fixes a Code Injection vulnerability in SAP OrientDB 3.0. SAP OrientDB is a multi-model, graph-based, no-SQL database that SAP acquired from Callidus Software Inc. in 2018. Because an attacker requires authentication and script execution privileges the level vulnerability is not the highest. CVSS v3 Base Score: 9.1 / 10 (CVE-2020-6230).
6. Missing authentication check in SAP Solution Manager (Diagnostics Agent) (2906994): It fixes a missing authentication check in SAP SolMan, which may allow an attacker to read sensitive information or even access administrative or other privileged functionalities abusing the lack of an authentication check-in a component. This vulnerability, despite being a little bit less critical (CVSS vector-only affects confidentiality), has some similarities with the one patched in SAP Security Note #2890213, HotNews that was previously released in March 2019. Both vulnerabilities allow an unauthenticated attacker to get privileged access to SolMan and, combined with other vulnerabilities, post-exploitation alternatives include critical scenarios for affected customers if attacked. CVSS v3 Base Score: 8.6 / 10 (CVE-2020-6235).
7. Update to Security Note: Remote Code Execution in SAP Business Objects Business Intelligence Platform (Crystal Reports) (2861301): While this vulnerability also allows the remote execution of code with an even higher impact on the application’s confidentiality and integrity, unlike #2863731, this vulnerability requires user interaction and therefore the CVSS is lower in this case. CVSS v3 Base Score: 8.1 / 10 (CVE-2020-6208).
8. Information Disclosure in SAP Business Objects Business Intelligence Platform (dswsbobje Web Application) (2898077): It fixes an Information Disclosure vulnerability. A non-authenticated user could exploit this vulnerability with CVSS of 7.5 in a certain web application of SAP BusinessObjects in order to gain information that can be then used for further exploits and/or attacks. CVSS v3 Base Score: 7.5 / 10 (CVE-2020-6237).
9. Code Injection vulnerability in Service Data Download (2835979): Due to an insufficient input validation in a remote-enabled function module that dynamically generates code, an attacker can take complete control of any SAP NW ABAP system that is connected to a Solution Manager (SolMan) system. Only the fact that an attacker needs a minimum level of authorizations to exploit this vulnerability has prevented it from receiving a CVSS of 10.0. Fortunately, there are no manual steps involved in the provided fix. Strong recommendation in applying the corresponding patch as soon as possible is given. CVSS v3 Base Score: 9.9 / 10 (CVE-2020-6262).
10. Update – Security Updates for the Browser Control Chromium Delivered with SAP Business Client (2622660): This note addresses multiple vulnerabilities in the third-party web browser control Chromium, which is used in SAP Business Client and is periodically updated based on web browser updates. Since exploits for third-party tools are more common than exploits that are SAP-specific, which tend to be more targeted and selective, it is important to keep this note installed with every update to stay secure. These patches provide support for Chromium version 81.0.4044.92. CVSS v3 Base Score: 9.8 / 10
11. Missing Authentication check in SAP Business Objects Business Intelligence Platform (Live Data Connect) (2885244): It describes a scenario that leads to a missing authentication vulnerability. Thanks to the unchanged scope in case of an exploit, the CVSS is “only” 9.8. CVSS v3 Base Score: 9.8 / 10 (CVE-2020-6242).
12. Code injection in SAP Adaptive Server Enterprise (Backup Server) (2917275): SAP Adaptive Server Enterprise (ASE) Backup Server does not perform the necessary validation checks for an authenticated user while executing DUMP or LOAD command allowing arbitrary code execution or Code Injection. SAP ASE is one of the SQL database servers supported by SAP business applications. It uses a relational data management model and provides on-premises as well as cloud deployment options. CVSS v3 Base Score: 9.1 / 10 (CVE-2020-6248).
13. Information Disclosure in SAP Adaptive Server Enterprise (Cockpit) (2917090): Under certain conditions SAP Adaptive Server Enterprise (ASE) Cockpit allows an attacker to access sensitive and confidential information through local network which would otherwise be restricted. It could be used to get user account credentials, tamper with system data and impact system availability. Some well-known impacts of Information Disclosure are: 1) loss of information and system configuration confidentiality; 2) information gathering for further exploits and attacks. SAP ASE is one of the SQL database servers supported by SAP business applications. It uses a relational data management model and provides on-premises as well as cloud deployment options. CVSS v3 Base Score: 9.0 / 10 (CVE-2020-6252).
14. SQL Injection vulnerability in SAP Adaptive Server Enterprise (2916927): The note provides fixing SQL Injection vulnerabilities that can lead to an escalation of privileges and thus allowing authenticated users to execute commands that they are otherwise not allowed to execute. CVSS v3 Base Score: 8.8 / 10 (CVE-2020-6241).
15. Information Disclosure in SAP Landscape Management (2903743): A disclosure vulnerability exists in the enterprise edition or standard edition of SAP Landscape Management that would allow an authenticated user with high privilege to obtain privileged access to other systems making those other systems vulnerable to information disclosure and modification. The information disclosed are the credentials. The disclosed information can only be accessed by authenticated users with high privileges (J2EE administrator), but they can escalate their privileges to other systems. CVSS v3 Base Score: 8.7 / 10 (CVE-2020-6243).
16. Code Injection in SAP Adaptive Server Enterprise (XP Server on Windows Platform) (2915585): SAP Adaptive Server Enterprise (XP Server on Windows Platform) does not perform the necessary checks for an authenticated user while executing the extended stored procedure. Under certain conditions, the impact of this code injection is that the potential attacker can read, modify and delete restricted data on connected servers. CVSS v3 Base Score: 8.0 / 10 (CVE-2020-6243).
17. SQL Injection vulnerability in SAP Master Data Governance(MDG) (2908560): The use of an admin backend report from within MDG allows an attacker to execute crafted database queries, exposing the backend database. Some well-known impacts of SQL Injection vulnerability are: 1) Read sensitive data; 2) Execute admin level operations on database. CVSS v3 Base Score: 7.7 / 10 (CVE-2020-6249).
18. ‘Ghostcat’ Apache Tomcat AJP Vulnerability in SAP Liquidity Management for Banking (2928570): Due to a known vulnerability in Apache Tomcat, called “Ghostcat,” SAP strongly recommends disabling all ports using the Apache JServ Protocol (AJP Protocol). While the note points out the risk of a remote code execution, the description of the corresponding vulnerability mentions that “AJP connections…can be exploited in ways that may be surprising.” The latter statement, together with the CVSS score of 9.8, should be reason enough to disable all AJP ports. If customers absolutely need the AJP protocol in their scenario, the note recommends to set the required secret attribute in the configuration of the AJP connector. CVSS v3 Base Score: 9.8 / 10 (CVE-2020-1938).
19. Use of Hard-coded Credentials in SAP Commerce and SAP Commerce Datahub (2918924): It addresses hard-coded user credentials in SAP Commerce and SAP Commerce Data Hub. This problem can be found in many software products because the products use some built-in accounts with publicly known passwords and do not force the administrators to change these passwords during or after installing the application. For example, every SAP Basis person knows the owners of “6071992” or “admin” passwords. SAP has now solved the problem for SAP Commerce and SAP Commerce Data Hub. After applying the patch, a new installation of SAP Commerce will only activate the built-in “admin” account. The installer is forced to maintain an initial password for that account. Other built-in users are still created during installation, but they are inactive until an individual password is set for these accounts. The later rule also applies to all built-in users of SAP Commerce Data Hub. An important fact is that the patches only affect new installations of SAP Commerce (Data Hub). They do not remove default passwords from built-in accounts of existing installations. As one option to achieve this, the note proposes to re-initialize the SAP Commerce installation after applying the patch, an option that likely does not apply to most customers. Therefore, the note also provides a Disabling All Default Passwords for Users Guide to remove the default passwords from all built-in accounts. CVSS v3 Base Score: 9.8 / 10 (CVE-2020-6265).
20. Information Disclosure in SAP Commerce (2906366): It fixes an Information Disclosure vulnerability in SAP Commerce. Under a specific configuration of some property values, a malicious user could exploit insecure features of the login-form to gain information that could be used for further exploits and attacks. Some of the required property values are even set by default. CVSS v3 Base Score: 8.6 / 10 (CVE-2020-6264).
21. Missing XML Validation in SAP Solution Manager (Problem Context Manager) (2931391): It describes a Missing XML Validation vulnerability in Problem Context Manager. While an exploit has only a minor impact on the system’s confidentiality, it can have a serious impact on the system’s availability. CVSS v3 Base Score: 8.2 / 10 (CVE-2020-6271).
22. Server Side Request Forgery vulnerability in SAP NetWeaver AS ABAP (2912939): It fixes a vulnerability in the architecture of the batch input process allowing a malicious user to grab user credentials. Although the impact on the system’s integrity, confidentiality and availability is high, the CVSS score is “only” 7.6 as the attack complexity is high and it also needs admin privileges on MS SQL Server as well as batch input authorizations in SAP in order to successfully exploit the vulnerability. CVSS v3 Base Score: 7.6 / 10 (CVE-2020-6275).

Reference links

Reference links of the CERT of the INCIBE in relation to the publication of the notes for the 3 months of this quarter:

https://www.incibe-cert.es/alerta-temprana/avisos-seguridad/actualizacion-seguridad-sap-abril-2020

https://www.incibe-cert.es/alerta-temprana/avisos-seguridad/actualizacion-seguridad-sap-mayo-2020

https://www.incibe-cert.es/alerta-temprana/avisos-seguridad/actualizacion-seguridad-sap-junio-2020

Other references, from SAP and Onapsis (in order: July->September):

https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=544214202

https://onapsis.com/blog/sap-security-notes-april-2020

https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=545396222

https://onapsis.com/blog/sap-security-notes-may-2020

https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=547426775

https://onapsis.com/blog/sap-security-notes-june-2020

Resources affected

• Adobe LiveCycle Designer, versión 11.0;
• SAP Adaptive Extensions, versión 1.0;
• SAP Adaptive Server Enterprise, versiones 15.7 y 16.0;
• SAP Adaptive Server Enterprise (Backup Server), versión 16.0;
• SAP Adaptive Server Enterprise (Cockpit), versión 16.0;
• SAP Adaptive Server Enterprise (XP Server on Windows Platform), versiones 15.7 y 16.0;
• SAP Adaptive Server Enterprise (Web Services), versiones 15.7 y 16.0;
• SAP Application Server ABAP, versiones 2008_1_46C, 2008_1_620, 2008_1_640, 2008_1_700, 2008_1_710 y 740;
• SAP Business Client, versiones 6.5 y 7.0;
• SAP Business Objects Business Intelligence Platform, versiones anteriores a la 4.1, 4.2 y 4.3;
• SAP Business Objects Business Intelligence Platform, versiones 4.1, 4.2 y 4.3;
• SAP Business Objects Business Intelligence Platform (CMC y BI launchpad), versión 4.2;
• SAP Business Objects Business Intelligence Platform (CrystalReports WebForm Viewer), versiones 4.1 y 4.2;
• SAP Business Objects Business Intelligence Platform (Live Data Connect), versiones 1.0, 2.0 y 2.x;
• SAP Business One (Backup service), versiones 9.3 y 10.0;
• SAP Commerce, versiones 6.6, 6.7, 1808, 1811 y 1905;
• SAP Commerce (Data Hub), versiones 6.7, 1808, 1811 y 1905;
• SAP Diagnostic Agent (LM-Service), versión 7.20;
• SAP Enterprise Threat Detection, versiones 1.0 y 2.0;
• SAP ERP, versiones 618, 730 y EAPPLGLO 607;
• SAP ERP (Statutory Reporting for Insurance Companies), versiones EA-FINSERV 600, 603, 604, 605, 606, 616, 617, 618 y 800, y S4CORE 101, 102, 103 y 104;
• SAP Fiori for SAP S/4HANA, versiones 200, 300, 400 y 500;
• SAP Fiori Launchpad, versiones 753 y 754.
• SAP Gateway, versiones 7.40, 2.00, 7.5, 7.51, 7.52 y 7.53;
• SAP Host Agent, versión 7.21;
• SAP Identity Management, versión 8.0.
• SAP Landscape Management, versión 3.0;
• SAP Liquidity Management for Banking, versión 6.2;
• SAP Master Data Governance, versiones S4CORE 101; S4FND 102, 103 y 104; SAP_BS_FND 748; y versiones 748, 749, 750, 751, 752, 800, 801, 802, 803 y 804;
• SAP NetWeaver:

• • Knowledge Management, versiones 7.00, 7.01, 7.02, 7.30, 7.31, 7.40 y 7.50;
  • AS (Application Server) Java (HTTP Service), versiones 7.10, 7.11, 7.20, 7.30, 7.31, 7.40 y 7.50;
  • AS ABAP, versiones 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 75A, 75B, 75C, 75D y 75E;
  • AS ABAP (Business Server Pages Test Application SBSPEXT_TABLE), versiones 700, 701, 702, 730, 731, 740, 750, 751, 752, 753 y 754;
  • AS ABAP (Banking Services), versiones 710, 711, 740, 750, 751, 752, 75A, 75B, 75C, 75D y 75E;
  • AS ABAP (Web Dynpro ABAP), versiones SAP_UI 750, 752, 753 y 754; SAP_BASIS 700, 710, 730, 731 y 804;
• SAP NetWeaver AS JAVA (P4 Protocol), versiones:
  • CORE-TOOLS 7.00, 7.01, 7.02, 7.05, 7.10, 7.11, 7.20, 7.30, 7.31, 7.40 y 7.50;
  • SAP-JEECOR 7.00 y 7.01;
  • SERVERCOR 7.10, 7.11, 7.20, 7.30, 7.31, 7.40 y 7.50;
• SAP OrientDB, versión 3.0;
• SAP Plant Connectivity, versiones 15.1, 15.2, 15.3 y 15.4;
• SAP S/4 HANA, versiones 100, 101, 102, 103, 104, FSAPPL 400, 450, 500 y S4FPSL 100;
• SAP Solution Manager (Diagnostics Agent), versión 7.2;
• SAP Solution Manager (Problem Context Manager), versión 7.2;
• SAP Solution Manager (Trace Analysis), versión 7.20;
• SAP SuccessFactors Recruiting, versión 2005