SAP Security Notes July 2013

Welcome to our August 2013 SAP Security Newsletter. This is our second Newsletter this year and feedback has been great.

In July 2013, SAP released 34 security-related OSS notes. The statistics are below:

  • 8 notes have no CVSS score
  • 16 notes have a CVSS score between 3.5 and 5.0
  • 10 notes have a CVSS score of 6; none are rated higher

SAP Security Notes 07-2013

A few highlights from the July 2013 Security Notes follow. Keep up the good job and make sure your SAP systems are safe!

1823687 BC-SEC-LGN Potential information disclosure relating to user existence

Information such as the existence of a user can be discovered from a failed logon attempt, and an attacker may use it to target system access by password logon. Solution: configure the ABAP server to reply to all logon attempts that fail because of invalid or unvalidated credentials with an error message that does not disclose the reason for the failure.

1870605 BC-DB-HDB Privilege escalation in SAP HANA

The vulnerability is caused by a security problem in the program's source code. An attacker who has specific information can log on to the system with high system privileges without having been granted legitimate access by the system administrator(s).

1798286 SCM-BAS-EHS Potential modif./disclosure of persisted data in SCM

The problem is an SQL injection vulnerability. The code composes an SQL statement from strings that an attacker can alter, and the manipulated statement can then be used to retrieve additional data from the database or to modify it.
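As an added illustration, not taken from the SAP note or from this newsletter, the following constructed ABAP report shows the vulnerable pattern the note describes (user input pasted into a dynamic WHERE clause) next to two hardened forms; the report name, the parameter p_matnr and the use of table MARA are assumptions for the example.

```abap
REPORT z_dynsql_injection_demo.
" Constructed example: a selection-screen value flows into a dynamic WHERE clause.
PARAMETERS p_matnr TYPE matnr.

DATA: lv_where  TYPE string,
      lt_result TYPE STANDARD TABLE OF mara.

*---------------------------------------------------------------------*
* VULNERABLE: the input is pasted verbatim into the SQL text. A value
* containing a single quote closes the literal and lets the caller
* rewrite the rest of the condition, so the SELECT returns (or a
* corresponding UPDATE/DELETE touches) rows that were never intended.
*---------------------------------------------------------------------*
lv_where = |MATNR = '{ p_matnr }'|.
SELECT * FROM mara INTO TABLE lt_result WHERE (lv_where).

*---------------------------------------------------------------------*
* FIX 1 (preferred): keep the statement static. Open SQL then passes
* the ABAP variable as a bound value; its content is never parsed as SQL.
*---------------------------------------------------------------------*
SELECT * FROM mara INTO TABLE lt_result WHERE matnr = p_matnr.

*---------------------------------------------------------------------*
* FIX 2: where the clause really must be built at runtime, quote every
* value with CL_ABAP_DYN_PRG=>QUOTE (wraps it in single quotes and
* doubles any quote inside) and validate identifiers such as column
* names with CHECK_COLUMN_NAME, which raises CX_ABAP_INVALID_NAME.
*---------------------------------------------------------------------*
DATA lv_column TYPE string VALUE 'MATNR'.   " assume this also came from the caller
TRY.
    cl_abap_dyn_prg=>check_column_name( lv_column ).
    lv_where = |{ lv_column } = { cl_abap_dyn_prg=>quote( p_matnr ) }|.
    SELECT * FROM mara INTO TABLE lt_result WHERE (lv_where).
  CATCH cx_abap_invalid_name.
    MESSAGE 'Invalid column name rejected' TYPE 'E'.
ENDTRY.
```

The static SELECT is the form to prefer; CL_ABAP_DYN_PRG is the fallback for code that cannot avoid dynamic Open SQL, and its checks cover values and identifiers separately.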

Revisiting old SAP Security notes!

Please read our blog about one of our most visited posts on preventing users from making changes to tables, such as master and transaction tables, with SE16N! Have you implemented SAP Notes 1420281, 1473881 and 1446530, to mention a few? We have seen that a number of clients still have not implemented all of these notes, especially the one that allows data to be changed or viewed across clients with UASE16N! If you think your HR data is safe because it sits in its own client, think again!

Edit SAP tables: Your SAP Security Admin’s nightmare: &sap_edit