SAP this week released another set of monthly security updates to address various issues in its products, including five vulnerabilities in SAP HANA, one of which was rated Hot News.
The March 2017 SAP Security Patch Day includes 25 security notes, SAP announced. Additionally, there were two updates to previously released security notes, for a total of 27 SAP Security Notes released this month. One Security Note has a Very High priority rating, while another 7 were rated High severity.
According to ERPScan, a company that specializes in securing SAP and Oracle applications, the patch update includes 35 SAP Notes (28 SAP Security Patch Day Notes and 7 Support Package Notes), with 4 of the Notes released after the second Tuesday of the previous month, and 7 Notes being updates to previously released Security Notes.
The most important of the issues addressed this month was a Missing Authorization Check vulnerability in the SAP HANA User Self-Service. With a CVSS score of 9.8 (Very High), this critical bug could allow an attacker to take control of the affected system, SAP’s Holger Mack reveals.
The User Self-Service tool for SAP HANA provides the option to activate features such as password change, forgotten-password reset, or user self-registration. The Hot News vulnerability could allow an unauthenticated attacker to impersonate other users, even those of highly privileged accounts, security technology firm Onapsis explains. The attacker could take full control of the SAP HANA platform remotely.
According to SAP, however, the issue only affects customers who enabled the optional User Self Service component (it is disabled by default) and exposed it to an untrusted network. “The security note contains instructions on how to check if the User Self Service tool is enabled and how to protect the system by either updating or deactivating the affected service (if not needed anymore or as temporary measure),” Mack says.
With a CVSS score of 8.8 (High risk), the second most important flaw addressed this month (also discovered by Onapsis) affects SAP HANA as well: a session fixation vulnerability in SAP HANA extended application services, classic model. By exploiting it, an authenticated attacker could predict valid session IDs of other users concurrently logged on to the system.
The remaining three vulnerabilities in SAP HANA were also found by Onapsis: two SQL Injection vulnerabilities with a CVSSv3 Base Score of 2.7, and an information disclosure in SAP HANA Cockpit for offline administration, with a CVSSv3 Base Score of 4.9.
“The risk of these SAP HANA vulnerabilities is critical indeed. However, the likelihood of mass exploitation is low, as SAP HANA User Self-Service is enabled on only 13% of internet-exposed SAP systems (according to a custom scan). There are numerous other services in SAP HANA which are not enabled by default and are susceptible to critical issues. For example, last month we helped SAP to close a vulnerability with the same risk of remote authentication bypass but in another web service dubbed Sinopia,” Alexander Polyakov, CTO at ERPScan, says.
In addition to the aforementioned bug in SAP HANA, the High risk flaws patched this month include a Remote Code Execution (RCE) vulnerability in SAP GUI for Windows, a Denial of Service (DoS) in Visual Composer, a DoS in SAP NetWeaver Dynpro Engine, Improved security for HTTP URL outgoing connections in SAP NetWeaver, and an update to a previous Security Note.
The RCE (CVSS Base Score: 8.0) and the two DoS flaws (CVSS Base Score: 7.5 each) were found by ERPScan, along with a Cross-Site Scripting (XSS) vulnerability in SAP Enterprise Portal (CVSS Base Score: 6.1) and a DoS vulnerability in SAP Java Script Engine (CVSS Base Score: 2.7).
A total of 11 XSS flaws were addressed this month, along with 7 missing authorization checks, 5 DoS issues, 4 SQL Injection vulnerabilities, 3 information disclosure bugs, 2 implementation flaws, 1 RCE, 1 XML external entity (XXE) issue, and 1 session fixation.