SAP Security Notes 2017: Trends Towards Stability, What it Means For Your Security Strategy

Since its foundation, the Onapsis Research Labs have been actively helping SAP improve its security by analyzing threats and attack vectors affecting SAP applications. On the second Tuesday of each month the Onapsis Research Labs performs a detailed analysis of the latest SAP security notes to ensure that our products are further developed to continuously detect new vulnerabilities and we publish it to assist both our customers and the community in securing their SAP systems against latest threats.

Another year has passed and, ahead of meeting the first batch of 2018 patches next week, we decided to analyze all of SAP’s 2017 Security Notes. Here we cover different topics such as the total amount of security notes released in 2017, the amount of ‘Hot News’ security notes that were released and last, but not least, the type of vulnerabilities they exhibited.

Read our blog from earlier this year re-capping SAP’s 2016 Security Notes. 

2017 Overview
This year SAP released a total of 274 security notes. Compared to the 317 notes released in 2016 this is a minor decrease. 2017 was the year with the lowest number of SAP security notes released since 2009, in which only 131 security notes were released. The graph below depicts the number of patches published over the years:

2017-historicoverview

As shown in the graph, there’s a spike in 2008, right after Onapsis first presented on vulnerabilities found in RFC protocol implementation at the 2007 Black Hat Conference. Before that, SAP security was a ‘dark world’ and little information was available about vulnerabilities and mitigation information on the internet. This is why there was such a low quantity of security notes released up to that year. It is also interesting to highlight that in September of 2009, just prior to the exponential growth of SAP security notes in 2010, Onapsis was formally founded.

In order to summarize, sixteen years of SAP security notes can be easily grouped into four phases:

  1. The first eight years (2001 to 2007) marked the genesis of SAP Security, no more than 30 SAP security notes per year were published during this time.
  2. The following two years (2008 and 2009) there was an increase in the number of security patches, which surpassed the total number or security notes released in the previous stage.
  3. From 2010 to 2012 was the explosion stage. SAP published over a hundred security notes in 2009 and over 800 security notes in 2010. During these three years SAP published seven times more security notes than the previous nine years combined.
  4. Finally, the number of security notes published over the last five years has been more stable, averaging ~340 SAP security notes per year, without significant differences.

Top Vulnerability Types of the Year
A few surprises in this area. A few changes from last year. Cross-Site Scripting (XSS) appears as the most common vulnerability patched in SAP software in 2017 (22%). It moved from the second to the first place. XSS vulnerabilities has been of the most frequent types of vulnerabilities in the history of SAP Security Notes and this year was no exception.

Missing Authorization Check moves from the first to the second place (down from 21% to 18%). Despite these vulnerabilities being traditional in terms of quantity, none of these notes were tagged as ‘Hot News’ items this year. In fact, only six notes were tagged as ‘High Priority’, which represents only 12% of the total number of Missing Authorization Check notes.

Information Disclosure completes the podium with 10% of appearances. Since 2010, more than 30 SAP Security Notes per year are released concerning Information Disclosure vulnerabilities. With an exchange between first and second place, the top three most patched vulnerabilities remain the same between 2016 and 2017. Moving on to the following ones it is possible to see the differences.

2017- vulnerability types

Last year SAP put a lot of effort into publishing several SAP Security Notes for not so common vulnerabilities: Switchable Authorization Checks and Clickjacking. Based on the effort the company did last year, it makes sense that both types of bugs are not present in the top five in 2017, which is completed with Denial of Service (DoS) in the fourth place, with 27 security notes published (representing another 10%) and finally, SQL Injection with just 5% of the published notes.

Onapsis Research Labs Contribution
We have always worked with SAP to help them protect their customers and a large part of this job is to find vulnerabilities and responsibly report them to vendors in order to help them patch their products before attackers can abuse them. This year, 65 vulnerabilities reported by the Onapsis Research Labs were fixed by SAP (last year we reported 50). These patches were grouped into 30 SAP Security Notes, which were published with the following severity:

circle chart 2017

One of the two highest risk vulnerabilities, both tagged with CVSS v3 Base Score of 9.8, was reported by Onapsis Research Labs and is the only ‘Hot News’ that affects SAP HANA. This vulnerability is presented in the self-service component and allows an attacker to fully compromise an SAP HANA system without the need for credentials.

As a result of our proactive efforts, we have identified multiple vulnerabilities that could be leveraged by attackers to perform two critical attacks in SAP HANA, depending on the active services. These attacks consist of a full system compromise without any type of previous authentication. The patch was published as “Vulnerabilities in the user self-service tools of SAP HANA” in SAP Security Note #2424173.

We highly recommend implementing the security patches released by SAP as soon as possible, as this component (the self-service) may be enabled in the future. 

The last published ‘Hot News’ was also originally reported by our team late in 2016 and SAP re-released it in November last year in order to fix some usability issues when the previous version of the patch is installed. Congratulations to all our security researchers that have collaborated this year to continue working to identify and help eliminate security risks that may be endangering our customers’ businesses.

Conclusion: Consolidation time? What does it mean for me?
As we predicted last year in our SAP security notes 2016: A Year in Review, there was a trend about some kind of stability in terms of security in SAP software: the amount of released notes, types of vulnerabilities, criticality. Reviewing what happened during 2017, basically the numbers speak for themselves: this trends continues. We saw last year the lowest number of SAP security notes since 2009 and it is highly improbable we will see over 500 notes in a year in the near future.

What does this mean for corporate security? It is an opportunity. Stable numbers are not good news by themselves. No matter how many vulnerabilities are being patched, an attacker only needs one to perform a successful exploitation. In that sense, there are no security implications if a year has 50 more or 50 less vulnerabilities. Nevertheless, stability should be good for internal processes. It is easier to define a team, time allocation, priorities and processes, if you know what is coming. Stability is not good, per se. It is just an opportunity to better define SAP security inside your company, to make it quicker to patch and to reduce your risk of exposure.

From our perspective, we will keep working to discover vulnerabilities before attackers, working with SAP and vendors to quickly solve issues for the customers, adding detection capabilities to our products and helping our customers to improve the way they protect their business-critical applications. It is our mission to push the whole community to avoid risk in this kind of application and we strive to do that.

Download our 2017 SAP Security Notes infographic to quick review what happened in the year. And remember: stay tuned! The first patch Tuesday of 2018 is coming up next week and we will publish details and our analysis here.