Welcome to our first SAP Security Advisory Post. Depending on feedback, we will outline all SAP Security Notes issued by SAP each month and make them available to you. As you know, each SAP Security Note that addresses vulnerabilities is generally rated with a Common Vulnerability Scoring System (CVSS v2.0) score. SAP has adopted CVSS version 2.0.
The Common Vulnerability Scoring System (CVSS) provides an open framework for communicating the characteristics and impacts of IT vulnerabilities. CVSS consists of three metric groups: Base, Temporal and Environmental. Each group produces a numeric score ranging from 0 to 10 and a vector, a compressed textual representation of the metric values used to derive the score. The Base group represents the intrinsic qualities of a vulnerability; the Temporal group reflects the characteristics of a vulnerability that change over time; the Environmental group represents the characteristics of a vulnerability that are unique to a particular user’s environment. CVSS enables IT managers, vulnerability bulletin providers, security vendors, application vendors and researchers to all benefit from a common language for scoring IT vulnerabilities.
We will issue tips and tricks and additional vulnerability information in future newsletters, as well as what your organization can do to be prepared for and informed about potential risks to your SAP infrastructure. Below is the outline of all SAP Security Notes issued in June 2013. In June 2013, SAP released 33 security-related OSS notes. The statistics:
- 8 Notes are not rated with a CVSS score
- 11 Notes are rated with a CVSS score between 3.5 and 5.0
- 15 Notes are rated with a CVSS score of 6 and above
| Number | Short text | Released on | CVSS |
|---|---|---|---|
| 1820777 | Update 1 to SAP security note 1755108 | 24.06.2013 | 7.00 |
| 1838814 | Unauthorized modification of stored content in cFolders | 10.06.2013 | |
| 1842218 | Missing authorization check in PS | 10.06.2013 | 6.00 |
| 1842406 | Missing authorization check in package SICM | 10.06.2013 | 3.50 |
| 1843082 | Missing authorization check in RSDUMPSOURCE | 10.06.2013 | 4.00 |
| 1844202 | SUIM \| RSUSR002 User '…………' is not found | 10.06.2013 | 4.60 |
| 1846952 | Missing authorization check in BPC Web Services | 10.06.2013 | 6.00 |
| 1847645 | Missing authorization check in BC-BMT-WFM | 10.06.2013 | 3.60 |
| 1848319 | Missing authorization check in BC-ABA-TV | 10.06.2013 | 6.00 |
| 1848996 | Missing authorization check in BC-ILM-LCM | 10.06.2013 | 6.00 |
| 1849559 | Code injection vulnerability in BW-WHM-DST | 10.06.2013 | 6.00 |
| 1849744 | Missing authorization check in SAP_BASIS | 10.06.2013 | |
| 1851914 | Potential remote code execution in EAServer | 10.06.2013 | 10.00 |
| 1852064 | Directory traversal in EAServer | 10.06.2013 | 7.50 |
| 1853161 | Privilege Escalation in ABAP Source Code Editor | 10.06.2013 | 3.60 |
| 1853852 | Missing authorization check in IS-B-BCA | 10.06.2013 | 4.90 |
| 1858107 | Potential disclosure of persisted data in EAServer | 10.06.2013 | 7.80 |
| 1630309 | Unauthorized modification in BSP application in CRM-IC-FRW | 10.06.2013 | |
| 1753737 | Unauthorized modification of displayed content in BOE | 10.06.2013 | 4.30 |
| 1774270 | Update 1 to security note 1500050 | 10.06.2013 | |
| 1774432 | Missing authorization check in ST-PI | 10.06.2013 | 4.60 |
| 1781594 | Code injection vulnerability in component BC-SRV-ALV | 10.06.2013 | 6.00 |
| 1805024 | Missing authorization check in SAP profile functions | 10.06.2013 | 6.80 |
| 1806098 | Unauthorized Use of Application Functions in REST Interface | 10.06.2013 | |
| 1816331 | Code injection vulnerability in BC-SRV-ALV | 10.06.2013 | 6.00 |
| 1816989 | Potential information disclosure relating to EPCM data bag | 10.06.2013 | 5.00 |
| 1822847 | Potential information disclosure in PI | 10.06.2013 | 4.00 |
| 1826162 | Update 1 to security note 1674132 | 10.06.2013 | |
| 1831463 | Potential modification of persisted data in upgrade tools | 10.06.2013 | 4.90 |
| 1831985 | Command injection vulnerability in SAP Netweaver IdM | 10.06.2013 | |
| 1834935 | Missing authorization check in LO-GT-TEW | 10.06.2013 | 6.00 |
| 1835666 | Missing authorization check in PDS_MAINT | 10.06.2013 | 6.00 |
| 1836717 | Hard-coded profiles in BW-BEX-ET | 10.06.2013 | 6.50 |
The SAP Note with the highest score is 1851914, Potential remote code execution in EAServer. This note addresses an issue where an attacker can exploit EAServer to execute code remotely, including viewing, changing or deleting data. If this note is of interest to you, we advise you to review the following two notes as well, as they are also related to EAServer:

| Number | Short text | Action |
|---|---|---|
| 1852064 | Directory traversal in EAServer | please review |
| 1858107 | Potential disclosure of persisted data in EAServer | please review |
We recommend that companies review the high priority notes published on the SAP Service Marketplace and apply them without delay after validating the impact on their business operations.
Below are a few other notes worth reviewing: they are interesting, and SAP assigns them a High Priority for application to your system:

**Code injection vulnerability in component BC-SRV-ALV**

The program code makes it possible to define and execute user-defined code that changes the behavior of the system. A valid, authenticated user is required. Depending on the code, the user can inject and run their own code, obtain additional information that should not be displayed, modify data, delete data, modify the output of the system, create new users with higher privileges, or perform a denial-of-service attack.
**Missing authorization check in SAP profile functions**

The SAP profile functions do not contain authorization checks to verify that an authenticated user is authorized to access some of their functions. This may result in undesired system behavior.

**Command injection vulnerability in SAP Netweaver IdM**

An end user can assign himself any business role, or potentially any privilege, without an approval being performed. A valid, authenticated user is required.

**Hard-coded profiles in BW-BEX-ET**
The vulnerability is caused by a hard-coded profile in the program’s source code. An attacker who specifies these credentials can log on to the system without having been assigned legitimate access by the system administrator(s). If a user already has privileges with which they can log on, an escalation of privileges may be possible if the hard-coded account has higher access rights than the original user.
**Unauthorized Use of Application Functions in REST Interface**
The SAP NetWeaver Identity Management 7.2 REST interface with version identifier “v72alpha” executes certain functions by referencing specific URLs.
When an attacker tricks an authenticated user’s browser into making a request containing a certain URL and specific parameters, the function is executed with the rights of the authenticated user. This applies to all modification operations provided by the REST interface.
The attacker may use a cross-site scripting attack to do this, or they may present a link to the victim.
Please leave your comments and/or discuss this post with others. Your expertise is highly appreciated!