SAP Security Notes, September 2021

Inprosec through its services, such as the SAP Security Assessment, helps its customers to improve the security levels of their SAP systems.

September 2021 notes

Summary and highlights of the month

The total number of notes/patches has increased compared to last month. In addition to this increase in the total number of notes, the number of Hot News has increased, with 3 notes last month compared to 7 in September. On the other hand, it should be noted that the number of high criticality notes decreased from 6 to 2 this month. As usual, we will leave the medium and low scores unchecked this month, but we will give details of a total of 9 scores (all those with a CVSS of 7 or higher).

We have a total of 21 notes for the whole month, 2 more than last August (19 from Patch Tuesday, 17 new and 2 updates, being 4 more than last month).

We have 5 new Hot News, being the total of 7 in this month that stand out for their high CVVS, one of them the recurring update for the SAP Business Client with Chromium. We will also review in detail 2 of the total of 2 high notes (those with CVSS greater than or equal to 7), both new.

• The two most critical notes of the month (with CVSS 10) are, on the one hand, the update of “Browser Control Chromium Delivered with SAP Business Client (2622660)” and on the other hand the new note of “Missing Authorization check in SAP NetWeaver Application Server for Java (JMS Connector Service)”.
• The next in criticality (with CVSS 9.9) are 4 notes that solve different vulnerabilities.
• From there, we find the 2 notes of high criticality (high priority) being the most relevant with a CVSS of 8.9 a new note of “HTTP Request Smuggling in SAP Web Dispatcher”. The rest (12) are of medium and low level, and we will not see them in detail, although it should be noted that there is more than one that affects SAP Business One.
• This month the most predominant types are “Missing Authorization Check” (3/21 and 2/19 in patch day) and “Information Disclosure” (3/21 and 3/19 in patch day).

In the graph (post September 2021 from SAP) we can see the classification of the September notes in addition to the evolution and classification of the last 5 previous months (only the notes of Sec. Tuesday / Patch Day – by SAP):

Full details

The full details of the most relevant notes are as follows:

1. Update – Security updates for the browser control Google Chromium delivered with SAP Business Client (2622660): It provides a SAP Business Client Patch with the latest tested Chromium fixes. SAP Business Client customers already know that updates of this note always contain important fixes that must be addressed. The note references 57 Chromium fixes with a maximum CVSS score of 9.6—24 of them rated with High Priority. The last number only reflects vulnerabilities that were reported externally, as Google doesn’t provide such information about internally detected issues. CVSS v3 Base Score: 10 / 10 .
2. Missing Authorization check in SAP NetWeaver Application Server for Java (JMS Connector Service) (3078609): It patches a Missing Authorization Check vulnerability in the Java Message Service (JMS) Connector Service of an SAP NetWeaver AS JAVA system. The JMS Connector Service is an enterprise messaging system that provides a way for business applications to exchange data without needing to be directly connected to each other. The communication is obtained using messages. It allows different message models like Point-to-Point Messaging or Publish-Subscribe scenarios. Facing the integral role of the JMS Connector Service and the CVSS top score of the vulnerability, there should be no doubt that providing the corresponding patch is absolutely recommended. Otherwise, restricted data is at risk of being read, updated, or deleted. CVSS v3 Base Score: 10 / 10 (CVE-2021-37535).
3. Update – Unrestricted File Upload vulnerability in SAP Business On (3071984): It contains an updated description of a possible workaround. The note fixes an Unrestricted File Upload vulnerability in SAP Business One and was initially released on SAP’s August Patch Day. CVSS v3 Base Score: 9.9 / 10 (CVE-2021-33698).
4. SQL Injection vulnerability in SAP NZDT Mapping Table Framework (3089831): It patches SQL Injection vulnerabilities in no less than 25(!) RFC-enabled function modules of the Near Zero Downtime (NZDT) Mapping Table framework used during system upgrades and migrations. An improper input sanitization allows an authenticated user with certain specific privileges to remotely call these function modules and execute manipulated queries to gain access to the backend database. This note provides a patch for this vulnerability which leads to a complete or partial deactivation of the affected function modules. As a workaround, customers with activated Unified Connectivity (UCON) runtime checks can also deactivate the affected function modules manually. Important: Independent of which method is used to patch the vulnerabilities, they both result in making the product SAP Test Data Migration Server unusable. CVSS v3 Base Score: 9.9 / 10 (CVE-2021-38176).
5. Unrestricted File Upload vulnerability in SAP NetWeaver (Visual Composer 7.0 RT) (3084487): It affects SAP Visual Composer, a tool that allows business process designers to model applications and prototypes without writing a single line of code. Due to an Unrestricted File Upload vulnerability, a non-administrative user can upload a malicious file over a network and trigger its processing which can run operating system commands with the privilege of the Java Server process. According to this note attackers could read and modify any information on the server or shut down the server, making it unavailable. CVSS v3 Base Score: 9.9 / 10 (CVE-2021-38163).
6. Code Injection vulnerability in SAP NetWeaver Knowledge Management (XMLForms) (3081888): An XSLT vulnerability allows a non-administrative authenticated attacker to craft a malicious XSL stylesheet file containing a script with OS-level commands, copy it into a location to be accessed by the system and then create a file which will trigger the XSLT engine to execute the script contained within the malicious XSL file. The vulnerability is fixed with this note, tagged with a CVSS score of 9.9, and only the fact that it requires a minimum authorization to exploit the vulnerability prevents it from being another 10.0 on SAP’s September Patch Day. CVSS v3 Base Score: 9.9 / 10 (CVE-2021-37531).
7. Multiple vulnerabilities in SAP Contact Center (3073891): It patches OS Command Injection and Reflected Cross-Site Scripting vulnerabilities in the chat application of SAP Contact Center. Due to missing encoding in SAP Contact Center’s Communication Desktop component, an attacker could inject a malicious script into a chat message. When the message is accepted by the chat recipients, the script gets executed in their scope. Due to the involvement of ActiveX controls in the application, the attacker can further execute operating system level commands in the chat recipients’ scope. According to SAP, this could lead to complete compromise of their confidentiality and integrity, and could also temporarily impact their availability. CVSS v3 Base Score: 9.6 / 10 (CVE-2021-33672).
8. HTTP Request Smuggling in SAP Web Dispatcher (3080567): It patches an HTTP request smuggling vulnerability in SAP Web Dispatcher. HTTP request smuggling is a technique for interfering with the way a website processes sequences of HTTP requests that are received from one or more users. SAP users send requests to a SAP Web Dispatcher (SAP WDP) and SAP WPD forwards these requests to one or more ABAP, JAVA, or HANA back-end servers. In this situation, it is crucial that the SAP WDP and the back-end systems agree about the boundaries between requests. Otherwise, an attacker might be able to send an ambiguous request that gets interpreted differently by the SAP WDP and the back-end systems. The HTTP specification provides two different methods for specifying the length of HTTP messages. It is possible for a single message to use both methods at once. Under certain circumstances, the SAP WDP and the back-end systems do not use the same method to interpret the length of an HTTP message. Thus, an attacker could send messages that use both methods and provide different information that conflicts with each other. As a result, the back-end system is not able to clearly identify and separate each individual message. This could be leveraged by an attacker to gain control of requests issued by other users, and even obtain sensitive information by retrieving the victim’s requests and responses. CVSS v3 Base Score: 8.9 / 10 (CVE-2021-38162).
9. Null Pointer Dereference vulnerability in SAP CommonCryptoLib (3051787): It patches a Null Pointer Dereference vulnerability in SAP CommonCryptoLib. An unauthenticated attacker could send specially-crafted malicious HTTP requests over the network, leading to a memory corruption that ends up in a Null Pointer Dereference. This causes the SAP application to crash and has a high impact on the availability of the SAP system. CVSS v3 Base Score: 7.5 / 10 (CVE-2021-38177)

Reference links

Reference links of the CERT of the INCIBE in relation to the publication of the notes for September:

https://www.incibe-cert.es/alerta-temprana/avisos-seguridad/actualizacion-seguridad-sap-septiembre-2021

Other references, from SAP and Onapsis (September):

https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=585106405

https://onapsis.com/blog/sap-security-patch-day-september-2021

Resources affected

• SAP 3D Visual Enterprise Viewer, versión 9.0.
• SAP Analysis for Microsoft Office, versión 2.8;
• SAP Business Client, versión 6.5, 7.0 y 7.70;
• SAP Business One, versión 10.0;
• SAP BusinessObjects Business Intelligence Platform (BI Workspace), versión 420;
• SAP Contact Center, versión 700;
• SAP ERP Financial Accounting (RFOPENPOSTING_FR):
  • SAP_APPL, versión 600, 602, 603, 604, 605, 606 y 616;
  • SAP_FIN, versión 617, 618, 700, 720 y 730;
  • SAPSCORE, versión 125, S4CORE, 100, 101, 102, 103, 104 y 105;

• SAP Landscape Transformation, versión 2.0;
• SAP LT Replication Server, versión 2.0 y 3.0;
• SAP LTRS for S/4HANA, versión 1.0;
• SAP NetWeaver:
  • (Visual Composer 7.0 RT), versión 7.30, 7.31, 7.40 y 7.50;
  • Application Server Java (JMS Connector Service), versión 7.11, 7.20, 7.30, 7.31, 7.40 y 7.50;
  • Enterprise Portal, versión 7.10, 7.11, 7.20, 7.30, 7.31, 7.40 y 7.50;
  • Knowledge Management XML Forms, versión 7.10, 7.11, 7.30, 7.31, 7.40 y 7.50;

• SAP S/4HANA, versión 1511, 1610, 1709, 1809, 1909, 2020 y 2021;
• SAP Test Data Migration Server, versión 4.0;
• SAP Web Dispatcher:
  • WEBDISP, versión 7.49, 7.53, 7.77 y 7.81;
  • KRNL64NUC, versión 7.22, 7.22EXT y 7.49;
  • KRNL64UC, versión 7.22, 7.22EXT, 7.49 y 7.53;
  • KERNEL, versión 7.22, 7.49, 7.53, 7.77, 7.81 y 7.8;