Notas de Seguridad SAP, Q4 2018

Hoy, retomamos una de nuestras publicaciones trimestrales; la revisión de las notas de seguridad de SAP. Empezamos con último trimestre del 2018, y en próximas publicaciones continuaremos con las notas SAP del 2019.

Tuvimos 5 notas críticas (Hot News) en el último trimestre del año 2018, con lo cual fue muy importante, debido a la criticidad de las notas. Por esta razón damos el detalle de un total de 16 notas, a pesar de que 3 de ellas reciben actualización dentro del mismo trimestre (es decir estaríamos hablando de un total de 19 notas entre críticas y altas). Destacamos:

  • La vulnerabilidad más crítica del trimestre: en SAP HANA Streaming Analytics que permitiría a un atacante la ejecución remota de código con los mismos permisos (muy elevados) que el servicio que los ejecuta. CVSS de 9.9
  • La primera nota crítica para “SAP BusinessObjects BI Suite” desde hace más de 6 años. CVSS de 9.8
  • Y  la clásica de “SAP Business Client”, con 6 actualizaciones a lo largo del 2018 (CVSS 9.8).

 

Tenemos un total de 53 notas para todo el cuarto trimestre del 2018, 30 menos que el pasado trimestre, (41 de los patch Tuesday, 3 menos que el pasado trimestre):

  • En Octubre de 2018 se han publicado un total de 20 notas (15 en el Security Notes Tuesday – 11 nuevas y 4 actualizaciones de notas anteriores). El 40% de las notas (8 notas) afectan a la plataforma “SAP NetWeaver ABAP”.
    • Existieron 2 “hot news” (críticas):
      • Una afecta a SAP BusinessObjects, la primera nota crítica para el mismo desde 2012. Permite la divulgación de información de gran impacto que podría derivar en otros muchos ataques. Razón de que tenga un CVSS de 9.8
      • La otra, es la actualización recurrente relacionada con el “SAP Business Client” (a través de navegador web) y también con un CVSS de 9.8, que se volvió a actualizar en Diciembre.
    • Por otro lado tuvimos 5 notas de criticidad alta (High Priority) siendo 3 nuevas y 2 actualizaciones de notas anteriores siendo la criticidad máxima con un CVSS de 8.5 relacionada con Gardener (Kubernetes).
    • Este mes el tipo más predominante fue “Information Disclosure” (4/20 y 3/15 en patch day).

 

  • En Noviembre se han publicado un total de 16 notas (14 en el Security Notes Tuesday – 11 nuevas y 3 actualizaciones de notas anteriores).
    • La única “hot new” (crítica) es una vulnerabilidad en SAP HANA Streaming Analytics que permitiría a un atacante la ejecución remota de código con los mismos permisos (muy elevados) que el servicio que los ejecuta. CVSS de 9.9
    • Existieron también un total de 5 de criticidad alta (high priority), de las cuales destacamos 4 nuevas y con CVSS entre 7.6 y 8.6., ya que la restante es una actualización de la de Gardener (Kubernetes) del mes anterior.
      • De las destacadas las dos de mayor nivel están relacionadas con: el cliente de SAP Fiori con múltiples vulnerabilidades, la primera; y con una de librería que se extiende a lo largo del sistema, para Zip Slip en “SAP Disclosure Management”, la otra.
    • Este mes los tipos más predominantes fueron “Denial of Service” (3/16 y 2/14 en patch day) y “Cross-Site Scripting” (2/16 y 2/14 en patch day).

 

  • En Diciembre se han publicado un total de 17 notas (12 en el Security Notes Tuesday – 9 nuevas y 3 actualizaciones de notas anteriores).
    • Existieron 2 “hot news” (críticas), pero de nuevo una es la relacionada con SAP Business Client versión 6.5 a través de web y la otra solo relevante si se usa Hybris Commerce:
      • Una vulnerabilidad de cross-site scripting (XSS) en SAP Hybris Commerce, afecta al archivo JavaScript webApplicationInjector.js o a una copia de él cuando lo utilizan las tiendas
    • Existieron también un total de 3 de criticidad alta (high priority), destacando solo una de ellas con impacto significativo con un CVSS de 8.3, por falta de chequeo de autorización en “SAP Customizing Tools”.
    • Este mes el tipo más predominante fue “Missing Authorization Check” (6/17 y 3/12 en patch day), precisamente el tipo de la nota alta destacada en la línea anterior.

 

En la gráfica (post Diciembre 2018 de SAP) podemos ver la evolución y clasificación de las notas de los 3 meses del cuarto trimestre del año (2018), además de los 3 meses del pasado trimestre (solo las notas del Sec. Tuesday / Patch Day – by SAP):

Y en la siguiente gráfica (post Diciembre 2018 de ERPScan) podemos ver la misma evolución, pero incluyendo todas las notas del mes, incluso aquellas publicadas además de las del Sec. Tuesday / Patch Day:

 

All the details of the most revelant notes below:

  1. data, debugging information, etc.) that will help to learn about a system and plan other attacks. Install this SAP Security Note to prevent the risks. CVSS v3 Base Score: 9.8 / 10
  2. SAP Business Client has a security vulnerability (2622660): This note bundles multiple vulnerabilities. The bugs concern vulnerabilities in web browser controls that are used to display pages in SAP Business Client 6.5 PL5. Web browser controls are programmable building blocks that software developers use to embed web pages in their applications. Depending on the vulnerability, attackers can exploit a Memory corruption vulnerability for injecting specially crafted code into a working memory which will be executed by the vulnerable application. This can lead to taking complete control of an application, denial of service, command execution and other attacks. This fact has a negative influence on business processes and business reputation as a result. Install this SAP Security Note to prevent the risks. Updated in October and December 2018 (“If this note has been already implemented, then there is no action required.” Manual steps only have usability impact and no security implications). CVSS v3 Base Score: 9.8 / 10
  3. Gardener has a Missing network isolation vulnerability (2699726): Following the Gardener architecture, the Kubernetes apiserver of a Gardener managed shoot cluster resides in the corresponding seed cluster. Due to missing network isolation a shoot’s apiserver can access services/endpoints in the private network of its corresponding seed cluster. Combined with other minor Kubernetes security issues, the missing network isolation theoretically can lead to compromise other shoot or seed clusters in the Gardener context. The issue is rated high due to the high impact of a potential exploitation in the Gardener context. In the Gardener context, missing network isolation can enable an attacker who is admin in a shoot cluster to compromise the corresponding seed cluster or other shoot clusters which are controlled by this seed cluster. Install this SAP Security Note to prevent the risks. Updated in October and November 2018. CVSS Base Score: 8.5 / 10
  4. SAP Plant Connectivity (PCo) has a Denial of service (DOS) vulnerability (2674215): An attacker can use Denial of service vulnerability for terminating a process of vulnerable component. For this time nobody can use this service, this fact negatively influences on a business processes, system downtime and business reputation as result. Install this SAP Security Note to prevent the risks. CVSS Base Score: 8.2 / 10
  5. Leveraging Privileges by Customer Transaction Code (2392860 – Re-release): UPDATE – No action is required if this note was already installed after its initial release in February 2017. It fixes the possible use of a reserved transaction code included in a standard SAP role. Exploitation requires a malicious user to use that code in a development system and let that change be transported to the production system. CVSS Base Score: 8.0 / 10
  6. Missing XML Validation vulnerability in SAP HANA, Extended Application Services classic model (2681207 – Re-release): UPDATE – The reason for the re-release is not the patch itself, which has no changes, but involves a technical description of the note. In the solution section, SAP re-named the previously called ‘workarounds’ to ‘measures to reduce the attack surface’ which mostly consists of a further explanation of possible protection measures that could be present on OData software packages running in HANA’s Extended Application Services classic model. CVSS Base Score: 7.5 / 10
  7. Denial of Service(DoS) vulnerability in SAPFoundation / database (2696962): This note affects users or developers of the SAP Cloud Platform SDK for iOS due to a vulnerability in the widely used SQLite database which is prone to local Denial of Service. It can be solved both by installing the appropriate patch and following some simple rules for coding the mobile software detailed in the security note. CVSS Base Score: – (not available yet) / 10
  8. SAP HANA Streaming Analytics has a Security vulnerability in Spring Framework (2681280): An attacker can use a Remote command execution vulnerability for unauthorized execution of commands remotely. Executed commands will run with a same privileges of a service that executed a command. An attacker can access to arbitrary files and directories located in a SAP server file system including application source code, configuration and critical system files. It allows obtaining critical technical and business-related information stored in a vulnerable SAP system. Install this SAP Security Note to prevent the risks. CVSS v3 Base Score: 9.9 / 10
  9. SAP Fiori Client has multiple vulnerabilities (DoS, HTML Injection, Missing Authorization Check) (2691126): An attacker can use multiple vulnerabilities and exploit one of the listed or mix them together. An attacker can use a Denial of service vulnerability to terminate a process of vulnerable component, and nobody would use this service. Missing authorization check vulnerability can be used for accessing a service without authorization procedures and for employing service functionality with restricted access that can lead to information disclosure or attacks like privilege escalation. Cross-site scripting vulnerability allows injecting a malicious script into a page. Reflected XSS feature refers to tricking a user who would follow a malicious link. In case of stored XSS, malicious script is injected and permanently stored in a page body, so that user would be attacked without performing any actions. The malicious script can access critical information that are stored by browser (including all cookies, session tokens, etc.) and used for interacting with a site. An attacker can gain access to user’s session and see all business-critical information or even get control over it. XSS can be used for unauthorized modifying of displayed site content. Install this SAP Security Note to prevent the risks. CVSS v3 Base Score: 8.6 / 10
  10. Zip Slip in SAP Disclosure Management (2701410): This vulnerability consists of a fail in the location where the files are written when decompressed. It is a widespread vulnerability because it is originated in many commonly used libraries. This vulnerability can be exploited when a malicious archive is processed by a vulnerable decompressing extraction code. With it, an attacker may delete or overwrite data, target remote files he can execute or read the content of arbitrary files. The patch prevents further uploads of specially crafted compressed files. Install this SAP Security Note to prevent the risks. CVSS v3 Base Score: 8.0 / 10
  11. Web Intelligence Richclient 3 Tiers Mode has a Denial of service (DOS) vulnerability (2657670): An attacker can use a Denial of service vulnerability for terminating a process of a vulnerable component, and nobody would use this service. This fact negatively influences business processes, system downtime and business reputation as a result. Install this SAP Security Note to prevent the risks. CVSS Base Score: 7.7 / 10
  12. Leveraging privileges by customer transaction code (2693083): In some SAP standard roles, a transaction code reserved for customer is used. By implementing such transaction code a malicious user may execute unauthorized transaction functionality. That transaction code can be abused by someone with development privileges and having the possibility to get it transported to a production system. Install this SAP Security Note to prevent the risks. CVSS Base Score: 7.6 / 10
  13. SAP Hybris Commerce storefronts has a Cross-Site Scripting vulnerability (2711425): An attacker can use Cross-site scripting vulnerability for injecting a malicious script into a page. Reflected XSS feature is necessity of tricking a user from an attackers’ side – he must make user to use specially crafted link. Speaking about stored XSS, malicious script is injected and permanently stored in a page body, this way user is attacked without performing any actions. The malicious script can access to all cookies, session tokens and other critical information stored by browser and used for interaction with a site. An attacker can gain access to user’s session and learn business-critical information, in some cases it is possible to get control over this information. Also XSS can be used for unauthorized modifying of displayed site content. Install this SAP Security Note to prevent the risks. CVSS v3 Base Score: 9.3 / 10
  14. Missing Authorization check in SAP Customizing Tools (2698996): An attacker can use the lack of authorization checks to perform an escalation of privileges. SAP Customizing Tools do not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. Some well-known impacts of Missing Authorization check in this case are the abuse of functionality restricted to a particular user group; or the reading, modification or deletion of restricted data. Install this SAP Security Note to prevent the risks. CVSS v3 Base Score: 8.3 / 10
  15. SAP Java keystore service has Implementation flaw vulnerability (2658279): Depending on the problem, an implementation flaw can cause unpredictable behaviour of a system, troubles with stability and safety. Patches solve configuration errors, add new functionality and increase system stability. Install this SAP Security Note to prevent the risks. CVSS Base Score: 7.4 / 10
  16. SAP NetWeaver AS Java has XML external entity (XXE) vulnerability (2642680): SAP NetWeaver AS Java has XML external entity (XXE) vulnerability (CVSS Base Score: 7.1 CVE- 2018-2485) An attacker can use XML external entity vulnerability to send specially crafted unauthorized XML requests which will be processed by XML parser. An attacker can use a XML external entity vulnerability for getting unauthorised access to OS filesystem. Install this SAP Security Note to prevent the risks. CVSS Base Score: 7.1 / 10

 

Enlaces de referencia del CERT del INCIBE en relación a la publicación de las notas para los 3 meses de este trimestre:

https://www.incibe-cert.es/alerta-temprana/avisos-seguridad/actualizacion-seguridad-sap-octubre-2018

https://www.incibe-cert.es/alerta-temprana/avisos-seguridad/actualizacion-seguridad-sap-noviembre-2018

https://www.incibe-cert.es/alerta-temprana/avisos-seguridad/actualizacion-seguridad-sap-diciembre-2018

 

Otras referencias, en inglés de SAP, Onapsis y ERPScan (en orden: Octubre->Diciembre):

https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=500633095

https://www.onapsis.com/blog/sap-patch-notes-october-2018

https://erpscan.io/press-center/blog/sap-cyber-threat-intelligence-report-october-2018/

https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=503809832

https://www.onapsis.com/blog/sap-security-notes-november-18-mobile-client-side-menace

https://erpscan.io/press-center/blog/sap-cyber-threat-intelligence-report-november-2018/

https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=508559699

https://www.onapsis.com/blog/sap-security-notes-december-18-high-priority-missing-authorization-check-affecting-sap-s4hana

https://erpscan.io/press-center/blog/sap-cyber-threat-intelligence-report-december-2018/

 

El listado completo de los sistemas/componentes afectados es el siguiente:

Recursos afectados:

  • Knowledge Management (XMLForms) in SAP NetWeaver, versiones desde la 7.30, 7.31, 7.40 hasta la 7.50
  • Proyecto Gardener, versión 0.12.2.
  • Project “Gardener”, versión 0.12.4
  • SAP_ABA, versiones desde la 7.00 hasta la 7.02, desde la 7.10 hasta la 7.11, desde la 7.30, 7.31, 7.40, 7.50 y 75C hasta la 75D
  • SAP ABAP Change and Transport System (CTS), versiones SAP KERNEL 32 NUC, SAP KERNEL 32 Unicode, SAP KERNEL 64 NUC, SAP KERNEL 64 Unicode 7.21, 7.21EXT, 7.22 y 7.22EXT; SAP KERNEL 7.21, 7.22, 7.45, 7.49, 7.53, 7.73, 7.74
  • SAP Adaptive Server Enterprise (ASE), versiones 15.7 y 16.0.
  • SAP BASIS, versiones 6.40, 7.00, 7.01, 7.02, 7.10, 7.11, 7.20, 7.30, 7.31, 7.40
  • SAP Basis (“AS ABAP of SAP NetWeaver” 700 a 750, para 750 posteriormente entregadas como “ABAP Platform”) versiones 7.00 a 7.02, 7.10 a 7.30, 7.31, 7.40, 7.50 a 7.53
  • SAP Basis (TREX / BWA installation), versiones desde la 7.0 hasta la 7.02, desde la 710 hasta la 7.11, desde la 7.30, 7.31, 7.40 y 7.50 hasta la 7.53
  • SAP Business Client, versión 6.5.
  • SAP BusinessObjects BI Platform Server, versiones 4.1 y 4.2
  • SAP BusinessObjects Business Intelligence Platform (BIWorkspace) versiones 4.1 y 4.2
  • SAP BusinessObjects BI Platform Servers (Software Development Kit), versiones 4.1 y 4.2.
  • SAP Business One Service Layer, versión B1_ON_HANA (9.2, 9.3)
  • AP Commerce (SAP Hybris Commerce), versiones 6.2, 6.3, 6.4, 6.5, 6.6, 6.7
  • SAP Data Services, versión 4.2.
  • SAP Disclosure Management, versiones 10.x
  • SAP Fiori 1.0 para SAP ERP HCM (Approve Leave Request, versión 2), versión 1.0.
  • SAP Fiori Client
  • SAP HANA, versiones 1.0 y 2.0.
  • SAP HANA Streaming Analytics, versión 2.0
  • SAP Marketing, versiones UICUAN (1.20, 1.30, 1.40), SAPSCORE (1.13, 1.14)
  • SAP Mobile Secure Android Application, version 6.60.19942.0
  • SAP Mobile Secure for Android, versión 6.60.19942.0 SP28 1711
  • SAP NetWeaver, versiones – ServerCore (7.11, 7.20, 7.30, 7.31, 7.40, 7.50)
  • SAP NetWeaver (Application Server Java Library), versiones 7.20, 7.30, 7.31 y 7.50
  • SAP NetWeaver (forums), versiones 7.30, 7.31 y 7.40
  • SAP Netweaver Application Server para ABAP, versiones desde 7.0 hasta 7.02, 7.30, 7.31, 7.40 y desde 7.50 hasta 7.53.
  • SAP NetWeaver AS ABAP Business Server Pages
  • SAP NetWeaver AS Java, versiones ServerCore (7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50)
  • SAP Plant Connectivity, versiones 15.0, 15.1 y 15.2.

SAP Records Management, versiones 7.0 a 7.02, 7.10, 7.11, 7.30, 7.31, 7.40, 7.50 y 7.51.

¿Te ha gustado?

¡Compártelo en redes sociales!

Deja una respuesta

Tu dirección de correo electrónico no será publicada.

Rellena este campo
Rellena este campo
Por favor, introduce una dirección de correo electrónico válida.
Tienes que aprobar los términos para continuar

Categorías

Calendario de entradas

Nuestros servicios

Menú