SAP Security Updates: Q2 2018

As every quarter, we review the security notes published by SAP; this time we look at those of the second quarter of 2018.

This quarter we have 1 critical note (Hot News), published in April and updated in June, one update to a critical note worth highlighting, and 6 high-priority notes; to these we add one medium-priority note, the most critical of May, for a detailed review of 9 notes.

  • Note that the most critical note (CVSS 9.8) concerns the "SAP Business Client" component.
  • We also have two updates to critical notes (one to the note above and another with CVSS 9.1) and only one high-priority note above 8 (CVSS 8.4). The remaining notes score below that.

There are 45 notes in total for the whole quarter, 18 fewer than last quarter (32 of them from the Patch Tuesdays, 1 more than last quarter):

  • In April a total of 16 notes were published (12 on the Security Notes Tuesday: 9 new and 3 updates to earlier notes).
    • This month there is one "Hot News" (critical) note with a very high CVSS of 9.8, the highest of the year, concerning "SAP Business Client". The same note receives an update two months later (June).
    • There are also 4 high-priority notes, one of which is a clarification of an update to another, so 3 high-priority notes in total to highlight, with CVSS between 7.3 and 7.5.
    • This month the predominant type is "Missing Authorization Check" (4/16, and 1/12 on patch day).
  • In May a total of 15 notes were published (10 on the Security Notes Tuesday: 9 new and 1 update to an earlier note).
    • This month there are neither "Hot News" (critical) nor high-priority notes. In fact, apart from one low-priority note, all the rest are medium priority.
    • We only detail the highest-risk note, with a CVSS of 6.5, concerning the "SAP Internet Graphics Server (IGS)" component, which would allow an attacker to upload any malicious file. This component alone accounts for 4 of the month's 15 notes.
    • This month the predominant types are "Missing Authorization Check" (3/15, and 1/10 on patch day) and "Denial of Service" (3/15, and 3/10 on patch day).
  • In June a total of 14 notes were published (10 on the Security Notes Tuesday: 5 new and 5 updates to earlier notes).
    • This month there are no new "Hot News" (critical) notes, but 2 critical notes are updated (one from April 2018, already mentioned and included in this report). The other updated "Hot News" note is from November 2016 (2357141), with a CVSS of 9.1.
    • There are also 4 high-priority notes, all from the Patch Day; one is an update to a previous note, and of the remaining three the one for SAP Business One with a CVSS of 8.4 stands out.
    • This month the predominant types are "Cross-Site Scripting" (3/14, and 1/10 on patch day) and "Remote Command Execution" (3/14, and 1/10 on patch day).

The full detail of the most relevant notes follows:

  1. SAP Business Client has a security vulnerability (2622660): This note bundles multiple vulnerabilities. The bugs concern the web browser controls used to display pages in SAP Business Client 6.5 PL5. Web browser controls are programmable building blocks that software developers use to embed web pages in their applications. Depending on the vulnerability, attackers can exploit a memory corruption flaw to inject specially crafted code into working memory, which is then executed by the vulnerable application. This can lead to complete control of the application, denial of service, command execution and other attacks, with a negative impact on business processes and business reputation. Install this SAP Security Note to prevent these risks. Updated in June 2018 ("If this note has been already implemented, then there is no action required." The manual steps only have a usability impact and no security implications). CVSS v3 Base Score: 9.8 / 10
  2. SAP Business One has a Denial of Service (DoS) vulnerability (2587985): An attacker can use a denial of service vulnerability to terminate a process of the vulnerable component. While it is down nobody can use the service, which disrupts business processes, causes system downtime and damages business reputation. The bug actually lies in Apache and is introduced by the use of Apache as the HTTP server in the Business One service layer. It allows an attacker to cause a segmentation fault by sending a specific sequence of request headers to the server. A segfault happens when a program tries to read or write a memory location it is not supposed to, and it crashes the program. In this case the segfault can be triggered by insufficient input validation in the Apache function ap_get_token(), which is allowed to search past the end of its input string, causing a buffer over-read. Install this SAP Security Note to prevent these risks. CVSS v3 Base Score: 7.5 / 10
  3. SAP Visual Composer has a Code Injection vulnerability (2552318): Update to a previous Security Note (2376081). Depending on the code, attackers can perform different actions: inject and run their own code, obtain additional information that should remain hidden, change or delete data, modify the output of the system, create new users with higher privileges, control the behaviour of the system, or potentially escalate privileges by executing malicious code, or even perform a DoS attack. Install this SAP Security Note to prevent these risks. CVSS v3 Base Score: 7.4 / 10
  4. Improper Session Management in SAP Business Objects (CMC/BI Launchpad/Fiorified BI Launchpad) (2537150): Business Objects (BO or BOBJ) is SAP's suite of front-end applications that allows customers to process and visualise business intelligence data effectively. The BOBJ vulnerability in this note causes existing user sessions to remain active even after the user's password has been changed. After applying the Support Package patches mentioned in the note, a password change is preceded by an alert warning the administrator that the active sessions of the user whose password is being changed will be terminated. On a successful password change, those active sessions are then terminated. Updated in June 2018 ("This note will be modified periodically based on web browser updates by respective vendors." Whenever SAP updates this Security Note, you need to apply it again.). CVSS v3 Base Score: 7.3 / 10
  5. SAP Internet Graphics Server (IGS) has a security vulnerability (2615635): An attacker can upload any file and use a cross-site scripting vulnerability to inject a malicious script into a page. Reflected XSS requires tricking the user: he or she would have to follow a specially crafted link. With stored XSS, the malicious script is injected and permanently stored in the page body, so the user is attacked without performing any action. The malicious script can access all cookies, session tokens and other critical information stored by the browser and used for interaction with the site. The attacker can gain access to the user's session and learn business-critical information; in some cases it is possible to take control of this information. In addition, XSS can be used to modify the displayed site content without authorisation. Install this SAP Security Note to prevent these risks. CVSS v3 Base Score: 6.5 / 10
  6. SAP Business One has an Information Disclosure vulnerability (2588475): An attacker can use an information disclosure vulnerability to reveal additional information (system data, debugging information, etc.) that helps to learn about the system and plan further attacks. Install this SAP Security Note to prevent these risks. CVSS v3 Base Score: 8.4 / 10
  7. SAP Internet Sales has a Remote Command Execution (RCE) vulnerability (2626762): An attacker can use a remote command execution vulnerability to execute commands remotely without authorisation. Executed commands run with the same privileges as the service that executed them. An attacker can access arbitrary files and directories in the SAP server filesystem, including application source code, configuration and critical system files, and so obtain critical technical and business-related information stored in the vulnerable SAP system. Install this SAP Security Note to prevent these risks. CVSS v3 Base Score: 7.5 / 10
  8. SAP Internet Sales has a Denial of Service (DoS) vulnerability (2629535): An attacker can use a denial of service vulnerability to terminate a process of the vulnerable component. While it is down nobody can use the service, which disrupts business processes, causes system downtime and damages business reputation. Install this SAP Security Note to prevent these risks. CVSS v3 Base Score: 7.3 / 10
  9. Update to the Security Note released on the November 2016 Patch Day: OS Command Injection vulnerability in Report for Terminology Export (2357141): Update to a note affecting SAP BASIS, versions 7.31, 7.40, 7.50, 7.51, 7.65 and 7.66. CVSS v3 Base Score: 9.1 / 10
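As an added example of the session-management flaw and fix described in item 4 (this is illustrative code, not SAP's or the original post's): a minimal in-memory user/session store with constructed users and passwords, which terminates a user's live sessions when the password changes and fails closed on any session issued under an old password. The unpatched behaviour is kept behind a flag so the two can be compared side by side.

```python
import hashlib
import secrets

class SessionStore:
    """In-memory user/session store, constructed for illustration. Sessions record the
    password version they were issued under; invalidate=True (the patched behaviour)
    ends a user's sessions on password change, invalidate=False is the unpatched one."""
    def __init__(self, invalidate=True):
        self.invalidate = invalidate
        self._pw = {}        # user -> (salt, sha256 hex, password version)
        self._sessions = {}  # token -> (user, password version at login)

    def _hash(self, salt, password):
        return hashlib.sha256(salt + password.encode()).hexdigest()

    def set_password(self, user, password):
        """Set or change a password; returns the number of sessions terminated."""
        version = self._pw[user][2] + 1 if user in self._pw else 1
        salt = secrets.token_bytes(16)
        self._pw[user] = (salt, self._hash(salt, password), version)
        if not self.invalidate:
            return 0  # unpatched behaviour: existing sessions stay alive
        stale = [t for t, s in self._sessions.items() if s[0] == user]
        for t in stale:
            del self._sessions[t]  # the count is what the administrator is warned about
        return len(stale)

    def login(self, user, password):
        rec = self._pw.get(user)
        if rec is None or not secrets.compare_digest(self._hash(rec[0], password), rec[1]):
            return None
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (user, rec[2])
        return token

    def validate(self, token):
        """Return the session's user, or None when the session is missing or stale."""
        user, version = self._sessions.get(token, (None, None))
        if user is None or (self.invalidate and self._pw[user][2] != version):
            self._sessions.pop(token, None)  # fail closed on a stale session
            return None
        return user

def session_survives_password_change(invalidate):
    """Log in, change the password, then report whether the old session still works."""
    store = SessionStore(invalidate)
    store.set_password("alice", "old-secret")
    token = store.login("alice", "old-secret")
    store.set_password("alice", "new-secret")
    return store.validate(token) is not None
```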


Reference links from INCIBE's CERT on the publication of the notes for the 3 months of this quarter:

Other references, in English, from SAP, Onapsis and ERPScan (in order: April to June):
