SAP Cyber Threat Intelligence Report – May 2017

Friday, May 12, 2017

Alexander Polyakov


The SAP threat landscape keeps growing, putting organizations of all sizes and industries at risk of cyberattacks. The idea behind the SAP Cyber Threat Intelligence report is to provide insight into the latest security threats and vulnerabilities.

Key takeaways

  • This set of SAP Security Notes is smaller than usual: the average number of SAP Security Notes closed per month this year is 25, while May's set contains 17 fixes.
  • 4 of the closed security loopholes affect SAP Defense Forces & Public Security. Missing authorization check vulnerabilities in this module could allow an attacker (including hacktivists and cyberterrorists) to read, modify or delete sensitive data.
  • In the wake of the proof-of-concept ransom attack via SAP GUI, the vendor released a fix addressing client-side security issues. SAP GUI for Java allowed an ABAP program to open new connections, which can be used in multi-stage cyberattacks.

SAP Security Notes – May 2017

SAP has released the monthly critical patch update for May 2017. This update includes 17 SAP Notes (11 SAP Security Patch Day Notes and 6 Support Package Notes). 4 of the Notes were released after the second Tuesday of the previous month and before the second Tuesday of this month. 4 of the Notes are updates to previously released Security Notes.

1 of the released SAP Security Notes has a High priority rating and 1 was assessed as Hot News. The highest CVSS score among the vulnerabilities is 6.5.

The most common vulnerability types are Missing Authorization check and Cross-Site Scripting (XSS).

Issues that were patched with the help of ERPScan

This month, 2 critical vulnerabilities identified by ERPScan’s researchers Dmitry Chastuhin, Dmitry Yudin and Vahagn Vardanyan were closed. Below are the details of the SAP vulnerabilities identified by them.

  • An Implementation flaw vulnerability in SAP GUI (CVSS Base Score: 5.1). The update is available in SAP Security Note 2448972. SAP GUI for Java unconditionally allows an ABAP program to open new connections. Under specific circumstances, this makes it possible to extend already existing attacks to a broader user group. The patch allows defining a custom trust level that includes a permission for opening a new connection.
    The ERPScan research team revealed and disclosed in March that a SAP GUI vulnerability could be exploited to conduct a ransom attack on an organization where the German enterprise software is installed. Since that case, SAP has shifted its focus to client-side vulnerabilities. The previous patch fixed an issue in the ABAP engine, and the one released this month addresses the Java part; combined, they enhance protection against ransomware.
  • A Cross-Site Scripting vulnerability in SAP Enterprise Portal (CVSS Base Score: 4.8). The update is available in SAP Security Note 2412897. An attacker can use a Cross-Site Scripting vulnerability to inject a malicious script into a page. The malicious script can access cookies, session tokens and other critical information stored by the browser and used for interaction with the web application. An attacker can gain access to the user's session and learn business-critical information; in some cases, it is possible to take control of this information. XSS can also be used to modify displayed content without authorization.
    SAP Enterprise Portal is a web front-end component that provides a single point of access to information, applications, and services. This component can be easily found by Google search (search query: inurl:/irj/portal intitle:"SAP Netweaver Portal"), which facilitates attacks.

The most critical issues closed by SAP Security Notes May 2017 identified by other researchers

The most dangerous vulnerabilities of this update can be patched by the following SAP Security Notes:

  • 2376743: SAP EA-DFPS has a Missing authorization check vulnerability (CVSS Base Score: 6.5). An attacker can use a Missing authorization check vulnerability to access a service without any authorization step and to use functionality that is meant to be restricted. This can lead to information disclosure, privilege escalation, and other attacks. Install this SAP Security Note to prevent these risks.
  • 2442630: SAP EA-DFPS has a Missing authorization check vulnerability (CVSS Base Score: 6.3). An attacker can use a Missing authorization check vulnerability to access a service without any authorization step and to use functionality that is meant to be restricted. This can lead to information disclosure, privilege escalation, and other attacks. Install this SAP Security Note to prevent these risks.
  • 2443586: SAP NetWeaver Authentication and SSO has a Cross-Site Scripting vulnerability (CVSS Base Score: 6.1). An attacker can use a Cross-Site Scripting vulnerability to inject a malicious script into a page. The malicious script can access all cookies, session tokens and other critical information stored by the browser and used for interaction with the web application. An attacker can gain access to the user's session and learn business-critical information; in some cases, it is possible to take control of this information. XSS can also be used to modify displayed content without authorization. Install this SAP Security Note to prevent these risks.
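The two XSS entries above (Enterprise Portal and NetWeaver Authentication and SSO) describe the same root cause: a web handler writes attacker-controlled input into HTML without encoding it for the context. The following ABAP ICF handler is an added example, not code from SAP or from this report, and the class name ZCL_DEMO_XSS_HANDLER and the form field name are assumptions. It places the vulnerable rendering beside the corrected one so the difference is visible in a single place.

```abap
" Added example (not SAP's code, not from this report). A minimal ICF
" handler class that reflects a request parameter into an HTML page.
" Class and parameter names are assumptions for illustration only.
CLASS zcl_demo_xss_handler DEFINITION PUBLIC CREATE PUBLIC.
  PUBLIC SECTION.
    INTERFACES if_http_extension.
    " Vulnerable pattern: input concatenated straight into markup.
    METHODS render_unsafe
      IMPORTING iv_name        TYPE string
      RETURNING VALUE(rv_html) TYPE string.
    " Corrected pattern: input encoded for the HTML text context.
    METHODS render_safe
      IMPORTING iv_name        TYPE string
      RETURNING VALUE(rv_html) TYPE string.
ENDCLASS.

CLASS zcl_demo_xss_handler IMPLEMENTATION.

  METHOD render_unsafe.
    " A value such as <script>...</script> passed as iv_name is sent to
    " the browser verbatim and executes in the user's session.
    rv_html = |<html><body><h1>Welcome { iv_name }</h1></body></html>|.
  ENDMETHOD.

  METHOD render_safe.
    " escape( ) with e_html_text turns <, >, & and quotes into entities,
    " so the browser renders the input as text instead of markup.
    DATA(lv_encoded) = escape( val    = iv_name
                               format = cl_abap_format=>e_html_text ).
    rv_html = |<html><body><h1>Welcome { lv_encoded }</h1></body></html>|.
  ENDMETHOD.

  METHOD if_http_extension~handle_request.
    " Read the untrusted form field and answer with the encoded page only.
    DATA(lv_name) = server->request->get_form_field( 'name' ).
    server->response->set_header_field(
      name  = 'Content-Type'
      value = 'text/html; charset=utf-8' ).
    server->response->set_status( code = 200 reason = 'OK' ).
    server->response->set_cdata( render_safe( lv_name ) ).
  ENDMETHOD.

ENDCLASS.
```

The encoding has to match the output context: e_html_text is right for element content, while a value placed inside an attribute, a URL or a script block needs the corresponding cl_abap_format variant. A useful check during a code review of custom handlers is to search for set_cdata or append_cdata calls whose argument is built from get_form_field or get_header_field without passing through escape( ).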

Advisories for these SAP vulnerabilities with technical details will be available in 3 months on erpscan.com. Exploits for the most critical vulnerabilities are already available in ERPScan Security Monitoring Suite.

Vulnerabilities in SAP Defense Forces & Public Security module on the rise

There are various industry-specific solutions in SAP's portfolio. It covers 25 verticals, including Defense Forces & Public Security. This product is intended for armed forces, police, and aid organizations, and helps perform the following functions:

  • Mapping organizational structures and material and personnel resource planning
  • Accounting and Funds Management
  • Materials Management
  • Support for Flight Operations
  • Maintenance

In particular, there are 3 software components:

  • Defense Forces & Public Security (DFPS) is a part of SAP ERP and provides additional functions required for defense and public security.
  • The SAP Mobile Defense & Security (SAP MDS) component is responsible for mobile functionality.
  • SAP Military Data Exchange (SAP MDE) provides off-the-shelf force management capabilities that enable interoperability with Command and Control Information Systems (CCIS) and NATO Functional Area Services (FAS).

This set of SAP Security Notes addresses 4 vulnerabilities in this module: 3 Missing authorization checks affecting DFPS and one update to a patch for SQL Injection in the same module. A Missing authorization check vulnerability usually allows a perpetrator to read, modify or delete data that has restricted access. When it comes to the defense industry and armed forces, the information can be critical in terms of international security, and the effect of even such low-impact vulnerabilities could be devastating.
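Notes 2376743 and 2442630 in the list above and the DFPS paragraph here all concern the same defect class: a callable unit that reads or changes protected data without first asking the authorization system whether the caller is allowed to. The following ABAP listing is an added example, not code from SAP, from the DFPS component or from this report; the table ZDFPS_ASSET, the authorization object Z_DFPS_RD and its fields, and the function module names are assumptions. It shows a remote-enabled function module (the Remote-Enabled attribute itself is set in the function builder, not in source) in its vulnerable form beside the corrected form.

```abap
" Added example (not SAP's or DFPS code, not from this report).
" Table ZDFPS_ASSET, authorization object Z_DFPS_RD and both function
" module names are assumptions used only to illustrate the defect class.

FUNCTION z_dfps_read_asset_unsafe.
*"----------------------------------------------------------------------
*"*"Local Interface:
*"  IMPORTING
*"     VALUE(IV_ASSET_ID) TYPE  ZDFPS_ASSET-ASSET_ID
*"  EXPORTING
*"     VALUE(ES_ASSET) TYPE  ZDFPS_ASSET
*"  EXCEPTIONS
*"     NOT_FOUND
*"----------------------------------------------------------------------
  " Missing authorization check: every user who can reach the RFC
  " interface at all (often only S_RFC for the function group) gets the
  " record, regardless of which unit or data they are cleared for.
  SELECT SINGLE * FROM zdfps_asset INTO es_asset
    WHERE asset_id = iv_asset_id.
  IF sy-subrc <> 0.
    RAISE not_found.
  ENDIF.
ENDFUNCTION.

FUNCTION z_dfps_read_asset.
*"----------------------------------------------------------------------
*"*"Local Interface:
*"  IMPORTING
*"     VALUE(IV_ASSET_ID) TYPE  ZDFPS_ASSET-ASSET_ID
*"  EXPORTING
*"     VALUE(ES_ASSET) TYPE  ZDFPS_ASSET
*"  EXCEPTIONS
*"     NOT_FOUND
*"     NO_AUTHORITY
*"----------------------------------------------------------------------
  DATA lv_unit TYPE zdfps_asset-unit.

  " Resolve the organizational key the authorization is granted on.
  SELECT SINGLE unit FROM zdfps_asset INTO lv_unit
    WHERE asset_id = iv_asset_id.
  IF sy-subrc <> 0.
    RAISE not_found.
  ENDIF.

  " Corrected: ask the authorization system before returning data.
  " ACTVT '03' is the standard value for display; ZUNIT is an assumed
  " field of the assumed object Z_DFPS_RD that carries the unit key.
  AUTHORITY-CHECK OBJECT 'Z_DFPS_RD'
    ID 'ACTVT' FIELD '03'
    ID 'ZUNIT' FIELD lv_unit.
  IF sy-subrc <> 0.
    " Do not leak whether the record exists beyond what the caller
    " is allowed to know: a uniform failure is returned.
    RAISE no_authority.
  ENDIF.

  SELECT SINGLE * FROM zdfps_asset INTO es_asset
    WHERE asset_id = iv_asset_id.
  IF sy-subrc <> 0.
    RAISE not_found.
  ENDIF.
ENDFUNCTION.
```

Two points matter when reviewing custom or SAP-delivered function modules for this defect class: the check must be on a field that actually partitions the data (here the unit key, not merely the activity), and it must sit on the function module itself, because an RFC caller bypasses any screen or transaction-level checks that guard the same data in the dialog path. The S_RFC authorization only decides whether the function group is reachable; it says nothing about which records the caller may see.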

The number of closed issues in the SAP Defense Forces & Public Security module totals 18, of which the majority (15) were rated Medium priority and the remaining 3 were assessed as High priority.

It's safe to assume that the vendor started to focus on this module's security 6 months ago, as two-thirds of the Notes were released within this period: 3 in December 2016 and 9 in 2017.

SAP customers as well as companies providing SAP Security Audit, SAP Vulnerability Assessment, or SAP Penetration Testing services should be well-informed about the latest SAP Security news. Stay tuned for next month’s SAP Cyber Threat Intelligence report.
