
Reviewing the first SAP Security update in 2017

On the 9th of January, SAP released its first set of security fixes (SAP Security Notes) for the year 2017.

On the second Tuesday of January, SAP released 23 Security Notes. The batch of patches includes 19 Patch Day Security Notes (the term is used for fixes released on the second Tuesday of a month) and 4 Notes published after the second Tuesday of the previous month and before the second Tuesday of the current month.

One of the Notes was assessed as Hot News, or very critical, as it was rated 9.8 of 10 by CVSS base score v. 3.0.

The released fixes resolve such security issues as Missing Authorization Checks, XSS, Directory traversals, SQL Injections, Implementation flaws, Denial of service, Information disclosure, XXE, and Buffer overflow.


Of note, the 5 most common vulnerability types of this patch update correspond with the most widespread SAP vulnerabilities in general, namely Cross-site scripting, Missing authorization checks, Directory traversals, Configuration flaws, and SQL injections (according to SAP Cyber Security in Figures. Global Threat Report).

| Vulnerability type | Prevalence in SAP in mid-2016 | Prevalence in SAP in mid-2014 | Prevalence in SAP till mid-2013 |
|---|---|---|---|
| 1 - XSS | 1 | 1 | 1 |
| 2 - Missing authorization check | 2 | 2 | 2 |
| 3 - Directory traversals | 3 | 3 | 3 |
| 4 - Configuration issues | 4 | 4 | - |
| 5 - SQL Injections | 5 | 5 | 4 |

In this review, I would like to focus on two SAP Security Notes: 2389042 (DoS in SAP SSO) and 2407862 (Multiple buffer overflows in SAP Sybase Asset Management).

About Denial of service vulnerability in SAP Single Sign-On

SSO (Single Sign-On) allows using one set of login credentials instead of numerous sets of passwords to access multiple applications. As multiple passwords are likely to be weak, reused, or written down somewhere, SSO hardens system security and protects sensitive company and personal data.

SAP states that its SSO technology provides SAP customers with secure access to SAP and non-SAP business applications across the whole landscape. It also “supports both cloud and on-premises scenarios, providing simple and secure single sign-on access through the web, via mobile devices, and using native SAP clients” (source).

Unfortunately, security measures implemented by a vendor can sometimes pose another security risk. For example, a vulnerability in PeopleSoft SSO and several critical security issues in SAP Afaria (an MDM solution from SAP) were discovered and then closed by the vendors.

This month, SAP closed a DoS vulnerability in the SAP SSO solution identified by ERPScan’s researcher. The issue allows an attacker to crash or flood the service, which would prevent legitimate users from accessing all linked applications.

About Multiple buffer overflow vulnerabilities in Flexera FlexNet Publisher

Sybase Software Asset Management (SySAM) includes Flexera FlexNet Publisher software, which is vulnerable to multiple buffer overflow issues (CVE-2015-8277). The vulnerabilities were rated 9.8 by CVSS Base Score.

The FlexNet License Manager, which is built into many different software products to manage licenses, is vulnerable to a stack-based buffer overflow. The exploit doesn’t require any authentication and may lead to Remote Code Execution, depending on the application. For example, code execution was gained against a product with ASLR, DEP, and stack cookies running on a Windows 7 system in a lab environment.

As for SAP Sybase, the related SAP Note doesn’t detail the effect; however, the Impact to Availability, Integrity, and Confidentiality metrics were all assessed as High.