SAP Security Notes, November 2021

Inprosec through its services, such as the SAP Security Assessment, helps its customers to improve the security levels of their SAP systems.

November 2021 notes

Summary and highlights of the month

The total number of notes/patches has decreased compared to last month. In addition to this decrease in the number of total notes, the number of Hot News also decreased, with 3 notes last month compared to 1 in November. On the other hand, it should be noted that the number of high criticality notes increased from 1 to 3 this month. As usual, we will leave the medium and low scores unchecked this month, but we will give details of a total of 4 scores (all those with a CVSS of 7 or higher).

We have a total of 11 notes for the whole month, 6 less than last October (7 from Patch Tuesday, 5 new and 2 updates, being 7 less than last month).

We have only 1 new critical note (Hot News) in this month that stand out for their high CVVS. In addition we will review in detail 3 of the total of 3 high notes (those of CVSS greater than or equal to 7) where this month we located 2 new and 1 update.

• The most critical note of the month (with CVSS 9.6) is a Missing Authorization check affecting ABAP Platform Kernel.
• From there, we found 3 notes of high priority, being the most relevant with a CVSS of 8.3 another new note of Missing Authorization check that in this case affects SAP Commerce. The rest (8) are of medium and low level, and we will not see them in detail.
• This month the most predominant type is the “Missing Authorization Check” (4/11 and 4/7 in patch day).

In the graph (post November 2021 from SAP) we can see the classification of the November notes in addition to the evolution and classification of the last 5 previous months (only the notes of Sec. Tuesday / Patch Day – by SAP):

Full details

The full details of the most relevant notes are as follows:

1. Missing Authorization check in ABAP Platform Kernel (3099776): It patches a Missing Authorization Check vulnerability in ABAP Platform Kernel that can result in an escalation of privileges for an authenticated business user. The vulnerability affects trusted connections to other systems via RFC and HTTP communication, allowing the user to execute application-specific logic in other systems. CVSS v3 Base Score: 9.6 / 10 (CVE-2021-40501).
2. Missing Authorization check in SAP Commerce (3110328): This note patches a Missing Authorization Check vulnerability, resulting in an escalation of privileges for an authenticated user. Any SAP Commerce installation using Commerce Organization is impacted by this vulnerability that can highly compromise the system’s integrity and availability. CVSS v3 Base Score: 8.3 / 10 (CVE-2021-40502).
3. Several security vulnerabilities in FRP 5.4.0 and FR Engine 5.4.0 (2827086): It affects SAP Forecasting and Replenishment for Retail (FRP or F&R). This software component can be connected to SAP Retail but the vulnerable engine can also be used with purchasing systems of other software vendors. SAP F&R is used by retail companies to cut surplus stock and reduce stockouts in distribution centers and stores. It is also used to increase transparency in the supply chain. The note patches known vulnerabilities in Open Source libraries used by the software. SAP mentions a Memory Corruption vulnerability and a Denial of Service vulnerability, which can lead to a complete system crash in the worst case. CVSS v3 Base Score: 7.9 / 10.
4. Update – Hard-coded Credentials in CA Introscope Enterprise Manager (Affected products: SAP Solution Manager and SAP Focused (2971638): Hard-coded default passwords for the Admin and the Guest user allowed a remote attacker to bypass authentication, compromising the confidentiality of the service. CVSS v3 Base Score: 7.5 / 10 (CVE-2020-6369).

Reference links

Reference links of the CERT of the INCIBE in relation to the publication of the notes for November:

https://www.incibe-cert.es/alerta-temprana/avisos-seguridad/actualizacion-seguridad-sap-noviembre-2021

Other references, from SAP and Onapsis (November):

https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=589496864

https://onapsis.com/blog/sap-security-patch-day-november-2021-critical-patch-abap-platform-kernel

Resources affected

• CA Introscope Enterprise Manager (SAP Solution Manager y SAP Focused Run), versiones 9.7, 10.1, 10.5, 10.7;
• SAP ABAP Platform Kernel, versiones 7.77, 7.81, 7.85, 7.86;
• SAP Commerce, versiones 2105.3, 2011.13, 2005.18, 1905.34;
• SAP ERP Financial Accounting (RFOPENPOSTING_FR) , versiones SAP_APPL 600, 602, 603, 604, 605, 606, 616, SAP_FIN 617, 618, 700, 720, 730, SAPSCORE 125, S4CORE, 100, 101, 102, 103, 104, 105;
• SAP ERP HCM Portugal, versiones 600, 604, 608;
• SAP GUI para Windows, versiones anteriores a 7.60 PL13, 7.70 PL4;
• SAP NetWeaver AS para ABAP y ABAP Platparam, versiones 700, 701, 702,710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756;