SAP Security Notes July 2013

Welcome to our August 2013 SAP Security Newsletter. This is our second newsletter this year, and the feedback has been great.

In July 2013, SAP released 34 security-related OSS notes. The statistics are as follows:

  • 8 notes carry no CVSS score
  • 16 notes are rated with a CVSS score between 3.5 and 5.0
  • 10 notes are rated with a CVSS score of 6; none is rated higher

SAP Security Notes 07-2013

A few highlights from the July 2013 Security Notes follow. Keep up the good work and make sure your SAP systems are safe!

1823687 BC-SEC-LGN Potential information disclosure relating to user existence

Whether a given user ID exists can be discovered from the error returned by a failed logon attempt. Solution: configure the ABAP server to answer every logon attempt that fails because of invalid or unvalidated credentials with a single error message that discloses nothing about the reason for the failure. Otherwise an attacker can use this information to target password logon at accounts known to exist.

1870605 BC-DB-HDB Privilege escalation in SAP HANA

The vulnerability is caused by a security defect in the program's source code. An attacker in possession of specific information can log on to the system with high system privileges without ever having been granted legitimate access by the system administrator(s).

1798286 SCM-BAS-EHS Potential modif./disclosure of persisted data in SCM

The problem is an SQL injection vulnerability. The affected code composes an SQL statement from strings that an attacker can alter. The manipulated statement can then be used to read additional data from the database, or to modify that data.
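To make the pattern behind 1798286 concrete, here is an added illustration (not SAP's code and not the SCM code the note corrects) of a report that builds a dynamic WHERE clause from caller input, beside the same selection written so the input is bound as a value. The table, parameter and report names are assumed for the illustration.

```abap
*&---------------------------------------------------------------------*
*& Constructed example: SQL injection through a dynamic WHERE clause.
*& Names (z_dyn_where_demo, p_matnr, mara) are assumed for illustration.
*&---------------------------------------------------------------------*
REPORT z_dyn_where_demo.

PARAMETERS p_matnr TYPE mara-matnr.   " caller-controlled input

DATA: lt_mara  TYPE STANDARD TABLE OF mara,
      lv_where TYPE string.

* --- Vulnerable pattern --------------------------------------------------
* The input is pasted into the condition text and handed to the database
* as part of the statement. A value containing a quote character can
* close the literal and append further conditions, widening the result
* set beyond the single material the report intended to read.
lv_where = |MATNR = '{ p_matnr }'|.
SELECT * FROM mara INTO TABLE lt_mara WHERE (lv_where).

* --- Hardened pattern ----------------------------------------------------
* A static WHERE clause passes p_matnr as a bound value, never as SQL
* text, so its content cannot change the structure of the statement.
SELECT * FROM mara INTO TABLE lt_mara WHERE matnr = p_matnr.

* If the condition really has to be assembled dynamically, quote the
* value with CL_ABAP_DYN_PRG so it is always treated as one literal.
lv_where = |MATNR = { cl_abap_dyn_prg=>quote( p_matnr ) }|.
SELECT * FROM mara INTO TABLE lt_mara WHERE (lv_where).
```

The static form is the fix to prefer; the quoting helper is only for cases where the condition genuinely must be built at runtime.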

Revisiting old SAP Security notes!

Please read one of our most visited blog posts on preventing users from changing tables, such as master and transaction tables, with SE16N. Have you implemented SAP Notes 1420281, 1473881 and 1446530, to mention a few? We have seen that a number of clients still have not implemented all of these notes, especially the one addressing the ability to change or view data across clients with UASE16N! If you think your HR data is safe because it sits in its own client, think again!

Edit SAP tables: Your SAP Security Admin’s nightmare: &sap_edit

SAP Security Notes June 2013

Welcome to our first SAP Security Advisory post. Depending on feedback, we will outline all SAP Security Notes issued by SAP in each following month and make them available to you. As you know, each SAP Security Note describing a vulnerability is generally rated with a Common Vulnerability Scoring System (CVSS v2.0) score. The Common Vulnerability Scoring System (CVSS) provides an open framework for communicating the characteristics and impacts of IT vulnerabilities. SAP has adopted CVSS version 2.0.

CVSS consists of three metric groups: Base, Temporal and Environmental. Each group produces a numeric score ranging from 0 to 10 and a vector, a compressed textual representation of the values used to derive the score. The Base group represents the intrinsic qualities of a vulnerability. The Temporal group reflects the characteristics of a vulnerability that change over time. The Environmental group represents the characteristics of a vulnerability that are unique to a particular user's environment. CVSS lets IT managers, vulnerability bulletin providers, security vendors, application vendors and researchers all benefit from a common language for scoring IT vulnerabilities.

In future newsletters we will also provide tips and tricks, cover additional vulnerability issues, and explain what your organization can do to be prepared for and informed about potential risks to your SAP infrastructure. The outline of all SAP Security Notes issued in June 2013 follows: