SAP Notes March Review: FAQ about High Priority Notes

We are just a few days away from the release of SAP’s April Security Notes. Since this past month included some of the most critical notes we have seen to date for SAP, we’d like to review a few things we saw in March to ensure we have everything fully covered before heading into April. It was an interesting month for SAP security, as findings from our Researchers yielded the second ‘Hot News’ note to date for 2017. In addition, there were other important vulnerabilities published in March that were tagged as ‘High Priority’ and should be mitigated if present in SAP systems.

If you would like more information about last month’s critical vulnerability, SAP HANA User-Self Service, check our March blogpost.

Now, we will focus on the other two SAP notes so you can have a deeper understanding of them.

Remote Code Execution Vulnerability in SAP GUI for Windows

This bug was solved in SAP Security Note 2407616. Below, I have outlined the steps an attacker would need to follow in order to successfully exploit this vulnerability:

1. Before an attacker can exploit this specific vulnerability, they would first need to exploit another vulnerability in the SAP server that allows them to upload a new transaction/report. This will most likely be a specific bug that permits this kind of activity.
2. If step 1 is fulfilled, the newly created transaction will then exploit a vulnerability in the client’s SAP GUI, where the exploitation takes place.
3. When the end user tries to log into SAP GUI, the attacker’s code stored in the remote, newly created transaction/report will be executed on the end user’s machine.

As stated, even if the remote command execution bug is present (and exploitable), an attacker first needs to have access to the SAP server with permissions to create new transactions. Because of this, the attack is restricted to SAP admins, privileged users, or attackers who have already exploited another bug in the server.

On the other hand, once an attacker has access to the server, it is not necessarily the smartest move to then attack endpoints (through SAP GUI), as they already have access to your most critical server. It would probably be more dangerous for the organization if the attacker executed payloads or other commands on the server than if they carried out this attack through SAP GUI.

In addition to updating all SAP GUI files in order to patch this bug, it is highly recommended that you also update your servers, and monitor for any attack on your SAP infrastructure in order to avoid attackers gaining the access they need to start this attack.

Several companies have also asked us about the possibility of being infected by ransomware through this attack. There is a chance of this, but it is no more likely than being infected with any other malware, and the same is true of any other bug that allows an attacker to execute arbitrary code. In other words, there is no specific relation between this attack and ransomware; it is just one example of how this vulnerability could be exploited.

Missing XML Validation Vulnerability in Web-Survey

Another high priority note from March is SAP Security Note 2308217. This note is related to the inbound email processing functionality of SAP systems, and could allow attackers to perform a denial-of-service (DoS) attack in successful exploitations.

This bug is present due to insufficient validation of XML documents and, as mentioned, would impact information availability. The Researchers who discovered the bug said that approximately half of SAP customers have this feature enabled, so if you have inbound mail capabilities enabled on your SAP systems, an attacker could carry out this attack, but ONLY by sending a specific email.

You can secure your infrastructure by installing the specific note. Once installed, it won’t be possible for an attacker to exploit this bug.

Conclusion

As previously mentioned, the Session Fixation Vulnerability (CVSS 8.8) and SAP HANA User Self Service vulnerabilities (CVSS 9.8) were the most relevant SAP Notes to patch in March. If you haven’t yet done so, it is critical to make this a priority if you are an SAP HANA user. CVSS is a standard score used to describe how risky a specific bug is, so its rating is an accurate way to know how risky a bug is. The two bugs described in this blogpost have lower CVSS scores (8.0 and 7.5 respectively).

Nevertheless, any ‘High Risk’ vulnerability should be prioritized and treated carefully in order to mitigate any potential threat to your SAP systems as soon as possible. Unfortunately, there is a Proof of Concept currently available for one of these bugs, raising the probability of it being exploited by an attacker. We would like to stress that bugs reported by our Researchers never have technical details 90 days before the release of a note, as we believe in responsibly disclosing information to our customers and the market.

Stay tuned for our next blog which will be available next Tuesday, April 11th, 2017.