As you know, the second Tuesday of every month is known in the cybersecurity community as Patch Tuesday. Microsoft initially introduced this tradition in 2013 as a way of planning the installation of patches on a regular basis. SAP's Security Patch Day coincides with Patch Tuesday so that all required fixes can be installed on the scheduled day. On SAP Security Patch Day, the vendor releases a set of internal advisories containing instructions, patches, or both.
The idea behind this article is to give you insight into the latest set of SAP Security Notes. While the patching process is difficult and laborious, the main takeaways are as easy as one-two-three.
1. SAP releases a record number of closed issues per month.
The patch update for October consists of 48 SAP Security Notes.
According to the latest SAP Cyber Security in Figures report, the approximate number of monthly SAP Security Notes in 2011 was 61. In 2012 it decreased to 53 notes, and in 2013 it amounted to 30 notes a month. The average remained almost the same in 2014 (32) and fell slightly in 2015 (25) and 2016 (22). This means that this patch update is twice the average and among the biggest sets of fixes since 2012.
Nonetheless, not all the closed issues are critical: 3 of them were rated high priority and the remaining ones were rated medium priority, while none received the Hot News rating, which marks the vulnerabilities that should be patched as soon as possible.
2. The majority of the patches (SAP Security Notes) fix implementation flaws.
The majority of the issues closed this month are implementation flaws. They are titled "Switchable authorization checks" or introduce new switchable authorization check options, and they are meant to improve "RFC security for CRM Solutions."
By default, these checks are inactive to ensure compatibility with existing processes. If such a check is activated, some employees will no longer be able to perform their daily job, because access to documentation or functionality is restricted. This can bring business processes to a halt.
Implementing these patches is likely to require a lot of manual work from SAP admins. SAP customers should assign the authorization rights to the corresponding users in accordance with corporate policies.
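The rollout problem described above can be modelled to show why the checks ship inactive and what the manual work consists of. The following is an added example written for this article, not SAP code and not the article's own: it assumes a switchable check can be run in an inactive, a log-only, and an active state (the log-only state is an assumption about the workflow, not a description of a specific SAP transaction), and uses constructed users, authorizations and a constructed RFC call log. A log-only dry run reveals which users would be blocked, so the admin can assign the missing authorizations before enforcing the check.

```python
"""Simulated rollout of a switchable authorization check.

Added example, not SAP code. Models three states of a switchable check
(assumption: inactive / log-only / active) and shows how a log-only dry
run identifies the users who need authorizations before enforcement.
"""
from dataclasses import dataclass, field
from enum import Enum


class CheckState(Enum):
    INACTIVE = "inactive"   # default after the note is applied: every call passes
    LOG_ONLY = "log_only"   # evaluate, record failures, but still allow the call
    ACTIVE = "active"       # enforce: a missing authorization denies the call


@dataclass
class SwitchableCheck:
    scenario: str                      # constructed scenario name
    required_auth: str                 # authorization object the RFC call needs
    state: CheckState = CheckState.INACTIVE
    failures: list = field(default_factory=list)

    def evaluate(self, user: str, user_auths: set) -> bool:
        """Return True if the call is allowed under the current state."""
        if self.state is CheckState.INACTIVE:
            return True
        if self.required_auth in user_auths:
            return True
        self.failures.append(user)
        # log-only mode records the gap without breaking the business process
        return self.state is CheckState.LOG_ONLY


# Constructed sample: users and the authorizations they currently hold.
# Z_CRM_RFC_EXAMPLE is a placeholder authorization object, not a real one.
USER_AUTHS = {
    "alice": {"S_RFC", "Z_CRM_RFC_EXAMPLE"},
    "bob": {"S_RFC"},
    "carol": {"S_RFC"},
}

# Constructed sample of RFC calls into the scenario during one working day
CALL_LOG = ["alice", "bob", "carol", "bob", "alice"]


def dry_run(check: SwitchableCheck, calls: list, user_auths: dict) -> list:
    """Run the check in log-only mode; return the users who would be blocked."""
    check.state = CheckState.LOG_ONLY
    check.failures.clear()
    for user in calls:
        check.evaluate(user, user_auths.get(user, set()))
    return sorted(set(check.failures))


def enforce(check: SwitchableCheck, calls: list, user_auths: dict) -> dict:
    """Activate the check; return the allow/deny decision per user."""
    check.state = CheckState.ACTIVE
    check.failures.clear()
    return {user: check.evaluate(user, user_auths.get(user, set())) for user in calls}


def grant(user_auths: dict, users: list, auth: str) -> dict:
    """Return a copy of user_auths with auth added for the given users."""
    updated = {u: set(a) for u, a in user_auths.items()}
    for user in users:
        updated.setdefault(user, set()).add(auth)
    return updated


if __name__ == "__main__":
    check = SwitchableCheck("CRM_RFC_SCENARIO_X", "Z_CRM_RFC_EXAMPLE")
    missing = dry_run(check, CALL_LOG, USER_AUTHS)
    print("users needing authorization before activation:", missing)
    fixed_auths = grant(USER_AUTHS, missing, check.required_auth)
    print("decisions after activation:", enforce(check, CALL_LOG, fixed_auths))
```

Activating the check straight away would deny bob and carol; running the dry run first turns the outage into a to-do list of role assignments.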
3. One of the vulnerabilities (Authentication bypass in SAP P4) potentially threatened SAP customers since 2013.
A Missing Authentication Check vulnerability in the SAP NetWeaver AS Java P4 Server core component (CVSS Base Score: 7.3) allows an attacker to read sensitive information to which access should be restricted.
The vulnerable component, SAP P4, provides remote control of SAP's Java platform, for example all SAP Portal systems. Although this service should not be exposed to the Internet, in practice this is not always the case, as our Internet survey shows.
To correct this issue, apply SAP Security Note 2331908.
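Besides applying the note, a practitioner will want to confirm that the P4 service is not Internet-facing. The script below is an added example for this article, not code from the original post or from SAP: it assumes the SAP default port scheme in which the P4 port of instance NN is 5NN04 (5NN06 for P4 over SSL), and it is meant to be run from an external vantage point against your own hosts and instance numbers to verify that the port is unreachable from outside.

```python
"""Exposure check for the SAP NetWeaver AS Java P4 port.

Added example, not SAP's or the original post's code. Assumption: P4
listens on 5NN04 and P4-SSL on 5NN06 for instance number NN (SAP
default); adjust the port function if your landscape uses custom ports.
Run from outside your network against your own systems only.
"""
import socket


def p4_port(instance_number: int, ssl: bool = False) -> int:
    """Return the default P4 (or P4-SSL) port for an instance number 00-99."""
    if not 0 <= instance_number <= 99:
        raise ValueError("instance number must be between 0 and 99")
    return 50000 + instance_number * 100 + (6 if ssl else 4)


def is_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP connection to host:port succeeds within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # refused, filtered, timed out or unresolvable all count as not reachable
        return False


def exposure_report(hosts: list, instance_number: int, timeout: float = 3.0) -> dict:
    """Map each host to the P4 ports that answered from this vantage point.

    An empty list per host is the desired result: P4 is not exposed.
    """
    ports = [p4_port(instance_number), p4_port(instance_number, ssl=True)]
    return {
        host: [p for p in ports if is_reachable(host, p, timeout)]
        for host in hosts
    }


if __name__ == "__main__":
    # Constructed placeholders: replace with your own Internet-facing hostnames
    my_hosts = ["portal.example.invalid"]
    report = exposure_report(my_hosts, instance_number=0)
    for host, open_ports in report.items():
        status = "EXPOSED" if open_ports else "ok"
        print(f"{host}: {status} {open_ports}")
```

Any host that lists an open P4 port in the report should be firewalled off from the Internet in addition to receiving the patch, since the note fixes one bug but does not change the fact that P4 is an administrative interface.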
The story of discovering this vulnerability is rather curious. First, this issue was discovered by another security company, and SAP released the fix in 2012. Based on the SAP Security Note, we wrote a special script to exploit this vulnerability during penetration testing. It usually worked, which led us to conclude that SAP customers simply hadn't implemented the appropriate patch. But one day a client claimed that the patch was installed.
The investigation revealed that the bug still affects the latest versions of P4. For example, Service Pack 09 for version 7.2, which is vulnerable, was released in 2013. It means that potentially the mission-critical service stayed unpatched for at least 3 years, i.e. 256 systems (possibly this number was higher over the last 3 years) could be compromised. In March, we reported this issue to the vendor, and now it's finally fixed.
SAP customers, as well as companies providing SAP Security Audit or SAP Penetration Testing services, should be well informed about the latest SAP Security news; don't miss next month's SAP Security Notes analysis.
More details can be found here.