Notas de Seguridad SAP, Q1 2020

Inprosec a través de sus servicios, como el SAP Security Assessment, ayuda a sus clientes a mejorar los niveles de seguridad de sus sistemas SAP.

Hoy os traemos la actualización de las notas de seguridad de SAP, del Q1 de 2020.

Notas Q1 2020

Resumen y highlights del Trimestre

Aunque el trimestre empieza con un mes de Enero muy “calmado” como había sido el último del año pasado (Diciembre), después con el mes de Febrero y especialmente con el de Marzo en el que llegamos a 4 notas críticas (hot news) y además un gran número de notas altas de relevancia.

Tenemos que prestar especial atención a SAP Solución Manager donde tenemos 2 notas críticas y una de ellas con el CVSS máximo de 10 ya que un problema en este sistema y especialmente en el agente en los sistemas remotos comprometería nuestros sistemas críticos de producción.

Además se sigue confirmando que el tipo de vulnerabilidad más predominante es el relacionado con falta de chequeos de autorizaciones (“Missing Authorization Checks”) de ahí la importancia del área (o dominio, como es el caso en la ISO 27000) de Control de Accesos para SAP. En concreto en Enero son más de la mitad de los casos (58%). También refleja como es habitual los típicos errores de desarrollo – fase durante la cual es muy importante la seguridad desde el diseño (“security by design”) – y que debe de ser tenida muy en cuenta también para la revisión del código de desarrollo propio (“custom code”).

Tenemos 4 notas críticas (Hot News) únicas, siendo el total de 5 en este trimestre, una de ellas la actualización recurrente para el SAP Business Client con Chromium con 2 apariciones. Además 9 destacadas de nivel alto para la revisión en detalle de un total de 14 notas.

• Las  dos notas más crítica (una con CVSS 10 – máxima) relacionadas con Solution Manager son especialmente importantes y hay que instalar el componente de “LM-Service Software” mencionado en las notas, aunque hay una corrección parcial manual en caso de que el proceso de actualización y parcheo tarde en realizarse, pero es muy recomendable la corrección completa con la instalación del componente.
• La siguiente en criticidad (CVSS 9.8), es una habitual “Browser Control Chromium Delivered with SAP Business Client (2622660)” que aparecen en dos meses (Febrero y Marzo), aunque hay un tema importante relacionado con la gestión de “Cookies” por lo que es importante revisar también la nota 2887651.
• Por último, la última crítica con CVSS de 9.1 es de SAP Netweaver en relación al componente “UDDI Server”.

Tenemos un total de 53 notas para todo el trimestre, 14 más que el pasado trimestre, (40 de los patch Tuesday, 10 más que el pasado trimestre), que se reparten de la siguiente manera en los 3 meses:

• En Enero se han publicado un total de 12 notas (7 en el Security Notes Tuesday – 6 nuevas y 1 actualización de una nota anterior).
  • No existen “hot news” (críticas) y solo una nota alta (0 en el patch Tuesday). Esta nota alta está relacionada con un add-on para SAP 4/HANA de SAP Enterprise Asset Management y la veremos en el detalle.
  • El resto de las notas salvo una que es bajas son medias (10), siendo la nota más relevante con un CVSS de 6.1 para SAP PI (Process Integration), aunque no la comentaremos en detalle.
  • Este mes el tipo más predominantes con diferencia – más de las mitad de los casos – son “Missing Authorization Check” (7/12 y 3/7 en patch day).

• En Febrero se han publicado un total de 19 notas (15 en el Security Notes Tuesday – 11 nuevas y 2 actualizaciones de notas anteriores).
  • Tenemos una sola “hot new” (crítica), que no es otra que el gran clásico “Browser Control Chromium Delivered with SAP Business Client (2622660)”, con su CVSS de 9.8, con su 1ª aparición en el año.
  • Tenemos sin embargo, 4 notas de criticidad alta (high priority) la más relevante con un CVSS de 7.5 que permitiría Denegación de Servicio en el “SAP Host Agent”. En el detalle podemos ver estas 4 de nivel alto además del “hot new”.
  • Este mes los tipos más predominantes son “Missing Authorization Check” (5/19 y 1/15 en patch day) y “Denial of Service” (3/19 y 3/15 en patch day).

• En Marzo se han publicado un total de 22 notas (18 en el Security Notes Tuesday – 16 nuevas y 2 actualizaciones de notas anteriores).
  • Tenemos un total de 4 “hot news” (críticas), aunque 1 de ellas en la actualización del gran clásico “Browser Control Chromium Delivered with SAP Business Client (2622660)”. Sin embargo, tenemos las 2 notas más importantes del trimestre que afectan a Solution Manager y una con CVSS de 9.8 y otra del máximo (CVSS de 10) respectivamente. Por último, la cuarta “hot new” afecta al componente “SAP NetWeaver UDDI Server(Services Registry)”.
  • Tenemos además 5 notas de criticidad alta (high priority), todas ellas las revisaremos en detalle y la que destaca con mayor CVSS de 8.2 es de ejecución de código remota en “SAP Business Object Server”
  • Este mes los tipos más predominantes son “Missing Authorization Check” (5/22 y 3/18 en patch day) y “Cross-Site Scripting” (4/22 y 4/16 en patch day).

En la gráfica (post Marzo 2020 de SAP) podemos ver la evolución y clasificación de las notas de los 3 meses del primer trimestre del año (2020), además de los 3 meses del pasado trimestre (solo las notas del Sec. Tuesday / Patch Day – by SAP):

Detalle completo

El detalle completo de las notas más relevantes es el siguiente (en inglés):

1. Multiple Security Issues in SAP Enterprise Asset Management, Add-On for MRO 4.0 by HCL for SAP S/4HANA 1809 (2871877): Provides multiple corrections in different areas of the SAP EAM (Enterprise Asset Management) add-on. Different kinds of vulnerabilities are covered in various components of the add-on, e.g. Missing Authorization Check vulnerabilities in several Workbenches of MRO (CVSS rated with 8.3), and Directory Traversal vulnerabilities allowing attackers to read, overwrite, delete, or corrupt arbitrary files on the remote server (CVSS rated 7.2). Pay attention: the corrections are provided as an SAP Transport File! CVSS v3 Base Score: 8.3 / 10
2. Update – Security Updates for the Browser Control Chromium Delivered with SAP Business Client (2622660): This note addresses multiple vulnerabilities in the third-party web browser control Chromium, which is used in SAP Business Client and is periodically updated based on web browser updates. Since exploits for third-party tools are more common than exploits that are SAP-specific, which tend to be more targeted and selective, it is important to keep this note installed with every update to stay secure. In this case we have to highlight an important issue: as of version 80 of Google Chrome, the default handling of cookies will be changed significantly. In order to provide better protection against Cross-Site Request Forgery (CSRF) attacks, Chrome will set the default value of the SameSite cookie attribute to “Lax” if no explicit value is specified by the server. This will have a negative impact on applications, which integrate multiple web sites within a single browser window as they often rely on cross-domain cookies. We strongly recommend that you read SAP HotNews Note #2887651, which describes the affected SAP components, possible solutions, and further details. In this quarter we have updates in both February and March monthly updates. CVSS v3 Base Score: 9.8 / 10
3. Denial of Service (DOS) Vulnerability in SAP Host Agent (2841053): . The vulnerability exists in scenarios based on user/password authentications and is caused by the fact that SAP Host Agent’s authentication uses facilities provided by the underlying operating system. These facilities often delay failed authentication requests in order to handle the negative impact of brute force authentication attacks. SAP Host Agent limits the number of parallel authentication requests so that regular authentication requests might be slowed down due to delayed responses. Possible solution options are: 1) Restricting access ports to the datacenter network; 2) Restricting access ports to trusted networks and addresses only through maintenance of SAP Host Agent’s Access Control List; OR 3) Only allowing certificate-based authentication (only for SAP Host Agent version 7.21 PL45 and higher). CVSS v3 Base Score: 7.5 / 10 (CVE-2020-6186).
4. Missing Authorization Check in SAP Mobile Platform Native SDK, Android (2695776): Fixes an issue in which data stored in the Federation Library was not protected by default. So if the application developer did not explicitly define their own permission to access the library data, it was unprotected. SAP has now published a new Federation Library that contains a default signing permission. In order to not force all developers to include the updated Federation Library in each application and rebuild it, an explicitly assigned permission will still overwrite the newly introduced default permission. CVSS v3 Base Score: 7.4 / 10.
5. Missing Input Validation in SAP Landscape Management (2878030): Due to missing sanitization, the vulnerability can allow an attacker to inject the operational commands with malicious content. Depending on the specific operation, this content is executed in the context of user Root or <SID>adm. The impact of the vulnerability on the confidentiality, integrity, and availability of the system is therefore rated with High. Note #2878030 handles operations that will first need to place an infected binary on the target host in order to exploit the vulnerability. CVSS v3 Base Score: 7.2 / 10 (CVE-2020-6191).
6. Missing Input Validation in SAP Landscape Management (2877968): Due to missing sanitization, the vulnerability can allow an attacker to inject the operational commands with malicious content. Depending on the specific operation, this content is executed in the context of user Root or <SID>adm. The impact of the vulnerability on the confidentiality, integrity, and availability of the system is therefore rated with High. Note #2877968 covers all operations that can directly be infected with vulnerable commands. CVSS v3 Base Score: 7.2 / 10 (CVE-2020-6192]).
7. Missing Authentication Check in SAP Solution Manager (User-Experience Monitoring) (2890213): An unauthenticated remote attacker could be able to execute operating system commands as the SMDAgent OS user on each satellite’s system and achieve full privileges on the associated SAP systems. This vulnerability has been scored with CVSS 10.0, the highest value for this standard, since its vector includes low attack complexity (AC), no privileges required (PR), changed scope (S) and high impact in Confidentiality (C), Integrity (I) and Availability (A), among others. In order to patch this issue, customers should install the LM-SERVICE Software Component mentioned in the SAP Security Note. For companies whose patching process may take too long for a critical vulnerability, SAP offers a partial fix that can be implemented manually on the system. It is always recommended to deploy the complete fix through the component installation. CVSS v3 Base Score: 10 / 10 (CVE-2020-6207).
8. Missing Authentication check in SAP Solution Manager (Diagnostics Agent) (2845377): SMDAgent is a technical component which does not directly handle sensitive data of the business. However, this vulnerability allows an attacker to perform sensitive actions, such as stopping the system (availability), changing the behaviors of the application (integrity) or accessing sensitive information. An attacker can bypass authentication. That means the attack can be executed by any person with access to the network, without need of a valid user in the SolMan system. Based on this, and the fact that SMDAgent is present in any SAP installation, the impact and criticality of this vulnerability is high, since privileges required in CVSS vector is «None». As with the other critical note explained above, an updated version of the LM-SERVICE Software Component should be installed for patching this one too. See the SAP Security Note for details. CVSS v3 Base Score: 9.8 / 10 (CVE-2020-6198).
9. Path Manipulation in SAP NetWeaver UDDI Server(Services Registry) (2806198): describes a serious Directory Traversal vulnerability in SAP NW UDDI Server. The vulnerability is caused by an incorrect validation of the path that is provided by a user when importing UDDI content via the Services Registry. CVSS v3 Base Score: 9.1 / 10 (CVE-2020-6203).
10. Remote Code Execution in SAP Business Objects Business Intelligence Platform (Crystal Reports) (2861301): Fixes a vulnerability that allows an attacker to execute code remotely on the SAP Business Object Server. Possible exploits range from unauthorized execution of arbitrary commands to completely crashing the application. Only the fact that the attacker needs to upload a malicious file to the platform before and that he or she must get another user to open the file prevents the issue from being rated with an even higher CVSS score. CVSS v3 Base Score: 8.2 / 10 (CVE-2020-6208).
11. Denial of service (DOS) in SAP BusinessObjects Mobile (MobileBIService) (2826782): Fixes a vulnerability in SAP Business Objects Mobile that was detected by the Onapsis Research Labs. A non-authenticated attacker could use a specially-crafted payload to send requests to some endpoints. These requests can cause a Denial-of-Service situation for the impacted components and thus prevent legitimate users from accessing the application.. CVSS v3 Base Score: 7.5 / 10 (CVE-2020-6196).
12. Missing Authorization check in SAP Disclosure Management (2858044): Fixes a mission authorization check with high impact on confidentiality, integrity and availability. SAP rates the attack complexity here as High, thus preventing the vulnerability from becoming a HotNews Note. CVSS v3 Base Score: 7.5 / 10 (CVE-2020-6209).
13. Directory Traversal in SAP Environment Health and Safety (1966029): EHS contains a vulnerability through which an attacker can potentially read and write arbitrary files on the remote server, possibly disclosing, corrupting or altering confidential information. Implement the note to fix the issue. CVSS v3 Base Score: 7.2 / 10.
14. SQL Injection Vulnerability in SAP MaxDB/liveCache – update note August 2018 Patch Day (2660005): Note that was updated already at the end of February. This Note solves an SQL Injection vulnerability that is exposed to attackers with DBM operator privileges. CVSS v3 Base Score: 7.2 / 10 (CVE-2018-2450).

Enlaces de referencia

Enlaces de referencia del CERT del INCIBE en relación a la publicación de las notas para los 3 meses de este trimestre:

https://www.incibe-cert.es/alerta-temprana/avisos-seguridad/actualizacion-seguridad-sap-enero-2020

https://www.incibe-cert.es/alerta-temprana/avisos-seguridad/actualizacion-seguridad-sap-febrero-2020

https://www.incibe-cert.es/alerta-temprana/avisos-seguridad/actualizacion-seguridad-sap-marzo-2020

Otras referencias, en inglés de SAP y Onapsis (en orden: Julio->Septiembre):

https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=533671771

https://www.onapsis.com/blog/sap-security-notes-january-2020-icm-services-risk-denial-service

https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=537788812

https://www.onapsis.com/blog/sap-security-notes-feb-2020

https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=540935305

https://www.onapsis.com/blog/sap-security-notes-mar-2020

Recursos afectados

• ABAP Server (utilizado en NetWeaver y Suite/ERP), versiones;
  • utilizando Kernel 7.21 o 7.22, que usa ABAP Server desde 7.00 hasta 7.31;
  • utilizando Kernel 7.45, 7.49 o 7.53, que usa ABAP Server desde 7.40 hasta 7.52;
• ABAP Platform.
• Automated Note Search Tool (SAP Basis), versiones – 7.0, 7.01,7.02, 7.31, 7.4, 7.5, 7.51, 7.52, 7.53 y 7.54;
• RTCISM, versión – 100;
• SAP Business Client, versión 6.5;
• SAP Business Objects Business Intelligence Platform (CMC), versión 4.2;
• SAP Business Objects Business Intelligence Platform (Crystal Reports), versiones 4.1 y 4.2;
• SAP Business Objects Mobile (MobileBIService), versión 4.2;
• SAP Commerce Cloud:
  • Testweb Extension, versiones 6.6, 6.7, 1808, 1811 y 1905;
  • SmartEdit Extension, versiones 6.6, 6.7, 1808 y 1811.
• SAP Cloud Platform Integration para Data Services, versión 1.0;
• SAP Disclosure Management, versión – 10.1;
• SAP ERP, versiones SAP_APPL 600, 602, 603, 604, 605, 606, 616, SAP_FIN 617, 618, 700, 720 y 730;
• SAP ERP (EAPPGLO), versión 607;
• SAP Enable Now, versiones anteriores a 1911;
• SAP Fiori Launchpad, versiones 753 y 754;
• SAP Mobile Platform, versión 3.0.
• SAP Host Agent, version 7.21;
• SAP Landscape Management, versión 3.0;
• SAP Leasing, versiones: (SAP_Appl) 6.18; (EA_Appl) 6.0, 6.02, 6.03, 6.04, 6.05, 6.06, 6.16 y 6.17;
• SAP MaxDB (liveCache), versiones 7.8 y 7.9;
• SAP NetWeaver, versiones: 7.30, 7.31, 7.40 y 7.50 (Knowledge Management ICE Service); SAP_BASIS 702, 730, 731 y 740; 7.30, 7.31, 7.40 y 7.50 (Heap Dump Application); 7.10, 7.11, 7.20, 7.30, 7.31, 7.40 y 7.50 (Guided Procedures).
• SAP NetWeaver AS ABAP Business Server Pages (Smart Forms) SAP_BASIS, versiones 7.00, 7.01, 7.02, 7.10, 7.11, 7.30, 7.31, 7.40, 7.50, 7.51, 7.52, 7.53 y 7.54;
• SAP NetWeaver Application Server Java User Management Engine), versiones 7.10, 7.11, 7.20, 7.30, 7.31, 7.40 y 7.50.
• SAP NetWeaver UDDI Server (Services Registry), versiones 7.10, 7.11, 7.20, 7.30, 7.31, 7.40 y 7.50;
• SAP NetWeaver Internet Communication Manager, versiones: KRNL32NUC y KRNL32UC 7.21, 7.21EXT, 7.22, 7.22EXT; KRNL64NUC y KRNL64UC, 7.49; y 7.53;
• SAP Process Integration – Rest Adapter (SAP_XIAF), versiones – 7.31, 7.40, 7.50;
• SAP S/4 HANA, versiones: S4CORE 100, 101, 102, 103, 104; SAP_BASIS 7.50, 7.51, 7.52, 7.53, 7.54.
• SAP Solution Manager (User Experience Monitoring y Diagnostics Agent), versión 7.2;
• SAP Treasury y Risk Management (Transaction Management), versiones EA-FINSERV 600, 603, 604, 605, 606, 616, 617, 618, 800, S4CORE 101, 102, 103 y 104.
• SAP UI, versiones – 7.5, 7.51, 7.52, 7.53 y 7.54;
• SAP UI 700, versión 2.0

Inprosec a través de sus servicios, como el SAP Security Assessment, ayuda a sus clientes a mejorar los niveles de seguridad de sus sistemas SAP.