As we do every quarter, we analyze the security notes published by SAP; this time we review those of the first quarter of 2018.
There are no critical notes (Hot News) this quarter, so we focus the review on the 11 high priority notes.
- It is worth highlighting that the two highest-rated notes of the quarter (CVSS of 8.8 and 8.3 respectively) are related to the same component: SAP Internet Graphics Server (IGS).
- The third note, which equals the second in rating (also CVSS 8.3), is related to a “Missing Authorization Check” in the component “SAP NetWeaver System Landscape Directory”.
SAP Security Notes Q1 2018
We have a total of 63 notes for the entire quarter (31 of them from the Security Notes Tuesday / Patch Day releases):
- In January a total of 10 notes were published (7 in the Security Notes Tuesday – 3 new and 4 updates of previous notes).
- This month there are no “hot news” (critical) notes and none of high priority; in fact, on Patch Day we only have medium priority notes (7), to which we add 2 medium and 2 low priority notes across the full month.
- We focus on the 4 medium priority notes with a CVSS value greater than 6, which in practice reduce to 2 issues, since 3 of them (“1906212”, “2278931” and “2525392”) address the same Code Injection problem (“Code injection vulnerability in Knowledge Provider”) and share the same CVSS of 6.5.
- Finally, we highlight a Solution Manager note concerning a design error in a role (authorizations), with a CVSS of 6.3. This month the most predominant type is “Missing Authorization Check” (4/10 overall and 1/7 on Patch Day), followed by “Code Injection” (3/10 and 3/7 on Patch Day).
- In February a total of 26 notes were published (14 on the Security Notes Tuesday – 11 new and 3 updates of previous notes).
- This month there are no “hot news” (critical) notes, but there are a total of 5 high priority notes.
- Again, the most predominant type is “Missing Authorization Check” (7/26 and 2/14 on Patch Day), followed by “Cross-Site Scripting – XSS” (5/26 and 3/14 on Patch Day).
- In March a total of 27 notes were published (10 in the Security Notes Tuesday – 8 new and 2 updates of previous notes).
- This month there are no “hot news”, but there are a total of 6 high priority notes, 3 of them from Patch Day, one of which is the most relevant note of the quarter with a CVSS of 8.8.
- The most important note, as in February, is related to the SAP Internet Graphics Server (IGS) component, in this case with 3 different related vulnerabilities (3 CVEs).
- The most predominant type is “Missing Authorization Check” (6/27 and 1/10 on Patch Day), followed very closely by “Information Disclosure” (5/27 and 4/10 on Patch Day).
In the following graph (from SAP's March 2018 post) we can see the evolution and classification of the notes over the 3 months of the first quarter of 2018, together with the 3 months of the previous quarter (only the Security Tuesday / Patch Day notes, as published by SAP).
Relevant Notes Summary
- SAP Knowledge Provider has an ABAP code injection vulnerability (2525392): Depending on the code, attackers can inject and run their own code, obtain additional information that should not be displayed, change and delete data, modify the output of the system, create new users with higher privileges, control the behavior of the system, escalate privileges by executing malicious code, or even perform a DoS attack. Install this SAP Security Note to prevent these risks. This note is related to the 2 other notes already mentioned (“1906212”, “2278931”). CVSS v3 Base Score: 6.5 / 10
- SAP Solution Manager 7.2 has an Improper Role Authorizations vulnerability (2507934): Attackers can use a redundant right granted by the improper role authorizations to edit all tables on the server, which can lead to compromised data. Install this SAP Security Note to prevent these risks. CVSS v3 Base Score: 6.3 / 10
- SAP Internet Graphics Server (IGS) has multiple security vulnerabilities (2525222): Depending on the vulnerability (13 CVEs are referenced), attackers can use a Denial of Service vulnerability to terminate a process of the vulnerable component; while the service is down nobody can use it, which negatively affects business processes (system downtime) and, as a result, business reputation. Alternatively, attackers can use an XML External Entity vulnerability to send specially crafted, unauthorized XML requests that will be processed by the XML parser, gaining unauthorized access to the OS filesystem, among other vectors. Install this SAP Security Note to prevent these risks. CVSS v3 Base Score: 8.3 / 10
- Missing Authentication Check vulnerability in SAP NetWeaver System Landscape Directory (2565622): An attacker can use the missing authorization check to access a service without going through any authorization procedure and use functionality of the service that should have restricted access. This can lead to information disclosure, privilege escalation and other attacks. CVSS v3 Base Score: 8.3 / 10
- SAP HANA Extended Application Services has multiple security vulnerabilities (2525222): An attacker can use an Information Disclosure vulnerability to reveal additional information (system data, debugging information, etc.) that helps to learn about the system and plan further attacks. Up to 7 different vulnerabilities (CVEs) are referenced; however, a total of 8 vulnerabilities are related according to the report from the company that found the issues. Install this SAP Security Note to prevent these risks. CVSS v3 Base Score: 7.1 / 10
- SQL injection vulnerability in the component BC-UPG (1584573 and 1977547): These notes are a re-release of an old note originally published in 2011. It concerns an SQL injection vulnerability in the component BC-UPG. The second note is auxiliary to the first, in that it supplements its correction instructions; it was also released before, in 2014. The supplement is only relevant for newly installed systems, or systems that have never been changed using Software Update Manager 1.0 or 2.0 in the years since the first note was created. SAP found that the correction instructions did not fit all situations, which led to the creation of the auxiliary note. We advise you to take this opportunity to review whether the note is necessary for your specific situation. CVSS v3 Base Score: Check SAP Portal (High and therefore >= 7 / 10)
- Open Source Software Security Vulnerabilities in SAP Internet Graphics Server (IGS) (2538829): Depending on the vulnerability (again 3 different CVEs are referenced), attackers can exploit a Denial of Service vulnerability to terminate a process of the vulnerable component, so that nobody can use the service, with a negative impact on business processes and, as a result, business reputation. In this note, SAP addresses vulnerabilities in libtiff, giflib and libpng, all of which are third-party open source libraries that handle images (TIFF, GIF and PNG, respectively). The vulnerabilities in these libraries have been around for over a decade. Install this SAP Security Note to prevent these risks. CVSS v3 Base Score: 8.8 / 10
- Potential Information Disclosure in SAP HANA Capture & Replay Trace File (2587369): An attacker can use an Information Disclosure vulnerability to learn about a system and to plan other attacks. This note addresses credentials that are stored in clear text in the indexserver trace files of a system using the optional capture & replay functionality of SAP HANA. An attacker would need the TRACE_ADMIN or CATALOG READ authorization to display the indexserver trace files. Besides updating the software to later versions, two manual workarounds are provided to eliminate the threat immediately. CVSS v3 Base Score: 7.6 / 10
- Information Disclosure vulnerability in SAP BPA BY REDWOOD (2596535): An attacker can use it to reveal additional information (system data, debugging information, etc.) that aids in learning about a system and planning more severe attacks. CVSS v3 Base Score: 7.5 / 10
- Denial of Service (DoS) in GWJPO (2604541): Here we see another example of a vulnerable third-party open source library causing a security flaw in SAP. In this case, the vulnerable software is Apache CXF, an open source services framework that helps developers build services using frontend programming APIs like JAX-WS and JAX-RS. GWJPO uses a particular vulnerable CXF servlet, which allows an attacker to prevent legitimate users from accessing a service, either by crashing or by flooding it. CVSS v3 Base Score: Check SAP Portal (High and therefore >= 7 / 10)
- SQL Injection Vulnerability in FI-LOC-FI-RU (2331141): User input was not sufficiently screened and sanitized by this component; therefore it was possible for users to submit improper data and inject dangerous SQL statements, exposing the backend database and its sensitive content. CVSS v3 Base Score: Check SAP Portal (High and therefore >= 7 / 10)
- Cross-Site Scripting (XSS) Vulnerability in SAP CRM WebClient UI (2595262): It’s not uncommon for an XSS vulnerability to be found in the SAP CRM WebClient UI. This note seems to acknowledge that fact by referencing previously released SAP notes concerning XSS in the CRM WebClient UI. The difference is that this one is of a more critical nature than those reported before. The referenced notes must be applied as a prerequisite. CVSS v3 Base Score: Check SAP Portal (High and therefore >= 7 / 10)