SAP Security Notes November 2016

On 8th of November 2016, SAP released its monthly critical patch update consisting of 16 patches.

To help everyone who is engaged in SAP patching process, ERPScan research team conducted a detailed review of the released SAP Security notes. This analysis would also be useful for companies providing SAP Vulnerability Assessment, SAP Security Audit, or SAP Penetration Testing .

SAP Security Notes November 2016

The critical patch update for November 2016 includes 10 SAP Security Patch Day Notes and 6 Support Package Notes. 5 of all Notes were released after the second Tuesday of the previous month and before the second Tuesday of this month. One Note is an update to a previously released Security Note.

2 of the released SAP Security Notes were assessed as a Hot News. The highest CVSS score of the vulnerabilities is 9.1.

SAP Security Notes Distribution by priority

Most of the vulnerabilities belong to the SAP NetWeaver ABAP platform.

SAP Security Notes Distribution by stack

The most common vulnerability type is Missing authorization check.

SAP Security Notes Distribution by vulnerability type

About OS Command execution vulnerability

This month, two the most severe vulnerabilities (CVSS Base Score: 9.1) belong to the Operating System (OS) Command Injection vulnerability type.These are as follows:

  • 2357141 SAP Report for Terminology Export component has an OS command execution vulnerability
  • 2371726 SAP Text Conversion component has an OS command execution vulnerability

OS command injection occurs when an application accepts untrusted input (forms, cookies, HTTP headers, special characters etc.) to build operating system commands or there is an insufficient sanitizing . Executed commands will run with the privileges of a vulnerable service.

An attacker can use OS command execution vulnerability to execute operating system commands without authentication. As for SAP, an attacker can access arbitrary files and directories located in an SAP server file system including application source code, configuration, and critical system files. The vulnerability allows obtaining critical technical and business-related information stored in a vulnerable system.

OS command execution vulnerability threatens not only applications developed by the vendor, but third-party customizations as well.

Let’s look at the example of vulnerable ABAP code and the ways of vulnerability prevention

Example

In the example below, an attacker can specify the value of command variable, which is used in 'SYSTEM' kernel call. Thus, there is an opportunity to execute OS arbitrary command.

How to prevent

1. Avoid user input data in CALL 'SYSTEM' expression.

2. Forbid command calls via SYSTEM by setting the rdisp/call_system parameter value to ‘0’. It can be done by the RZ11 transaction.

Note: The command call barring is applied to the whole system, which can lead to unpredictable consequences, while SAP uses CALL 'SYSTEM' for execution of the OS commands.

3. Implement an authorization check via AUTHORITY_CHECK_C_FUNCTION just before SYSTEM call. It is also possible to use object of authorization 'S_C_FUNCT'. It is necessary to remember that this check defines only the presence of rights to call SYSTEM, not to execute concrete OS command.

4. Ideally, a developer should use existing ABAP best practices.

1. Use of AUTHORITY_CHECK_C_FUNCTION

2. Use of 'S_C_FUNCT'

Priority vs. Application type distribution

The fact that SAP Systems are complex is a common place. However, then it comes to SAP patching, one should take it into account. To simplify this process, ERPScan research team created a table showing a distribution between priority and application area.

Hot News High Medium Low
Basis Components 2357141
2371726
2366512
2358972
2342940
2366726
2376223
Financial Accounting 2371610
2367193
Financial Services 2368873
Enterprise Performance Management 2368106
Cross-Application Components 2383912
Customer Relationship Management 2263882

The most critical issues closed by SAP Security Notes November 2016

The most dangerous vulnerabilities of this update can be patched by the following SAP Security Notes:

  • 2357141: SAP Report for Terminology ExportI component has an OS command execution vulnerability (CVSS Base Score: 9.1). An attacker can use OS command execution vulnerability for unauthorized execution of operating system commands. Executed commands will run with the same privileges as the service that executed the command. An attacker can access arbitrary files and directories located in a SAP server file system including application source code, configuration, and critical system files. It allows obtaining critical technical and business-related information stored in a vulnerable SAP system. Install this SAP Security Note to prevent the risks.
  • 2371726: SAP Text Conversion component has an OS command execution vulnerability (CVSS Base Score: 9.1). An attacker can use OS command execution vulnerability for unauthorized execution of operating system commands. Executed commands will run with the same privileges as the service that executed the command. An attacker can access arbitrary files and directories located in a SAP server file system including application source code, configuration, and critical system files. It allows obtaining critical technical and business-related information stored in a vulnerable SAP system. Install this SAP Security Note to prevent the risks.
  • 2366512: SAP Software Update Manager component has an Information Disclosure vulnerability (CVSS Base Score: 7.5). An attacker can use an Information disclosure vulnerability to reveal additional information, which will help them to learn about a system and to plan further attacks. During upgrade of SAP NetWeaver based products the MSSQL database shadowuser credentials are stored in logfiles in plain text. Install this SAP Security Note to prevent the risks.
  • A Denial of Service vulnerability in SAP Message Server (CVSS Base Score: 7.5). Update is available in SAP Security Note 2358972. An attacker can exploit a denial of service vulnerability to terminate a process of a vulnerable component. Thus, nobody will be able to use the service, which, in its turn, affects business processes, system downtime, and business reputation of a victim company.
  • Advisories for those SAP vulnerabilities with technical details will be available in 3 months on erpscan.com. Exploits for the most critical vulnerabilities are already available in ERPScan Security Monitoring Suite.

    Do you want more?

    Subscribe me to your mailing list