SAP Security Notes Jan ‘18: a Code Injection Correction and What Steps to Take

Today we kick off a new year of SAP’s monthly released security notes. Like we have done in previous years, in 2018 we will be eagerly going through the notes published by SAP every second Tuesday of the month and incorporating the knowledge into the Onapsis Security Platform (OSP). This month we start off moderately; today SAP published eight Security Notes, six of which were actual new notes released and the other two re-releases from notes going back as far as 2014. The Onapsis Research Labs reported 50% of the six new notes published today.

An interesting fact is that in the past year SAP has become an official CVE authority. As a consequence, SAP will be required to continue to publish their security notes mentioning CVE numbers in the note titles. Links are provided in the note bodies too. This is helpful to easily cross-reference SAP notes to other resources on the internet. 

In the following sections we will be discussing half of the new notes published today, namely those found and reported by the Onapsis Research team.

Code Injection Vulnerability in CALL_BROWSER
SAP Security Note #2525392 is one of the six new notes published today. It was released after the Onapsis Research Labs reported it a few weeks before. This new note, identified with CVE-2018-2363, is the second update for SAP Security Note #1906212, which was originally published in 2014.

The new note is tagged as a medium priority note with CVSS v3 Base Score: 6.5 / 10 with the following vector: 

  • Attack Vector: Network        Scope: Changed
  • Attack Complexity: Low       Impact to Confidentiality: Low
  • Privileges Required: Low      Impact to Integrity: Low
  • User Interaction: Required   Impact to Availability: Low

Despite the fact that it is a medium priority note, once an attacker has the chance to execute local commands, it could lead to a post exploitation phase, where privilege escalation attacks can be performed, converting the impact of Confidentiality, Integrity and Availability from Low to High. In any case, where there is a vulnerability that involves code execution, it is crucial to treat it with high priority. Based on the fact that there are no notes with higher CVSS this month, we highly recommend to patch this bug as a priority.

Why are there three different notes for the same vulnerability? It is not the first time a bug has been patched by several notes, where updates are being made in order to improve detection or correct things from the past. Here is what happened in this case.

In the first publication, SAP identified a component in Knowledge Provider where an attacker could execute arbitrary program code. As SAP mentioned in its original release, “a malicious user can therefore control the behavior of the system or can potentially escalate privileges by executing malicious code without legitimate own credentials.” In this original release, SAP deleted several functions that could be exploited.

Last year, in February 2017, SAP published Security Note #2278931, where they added parameter sanitization, since the attack was still possible with the original patch. Since it sanitized the input, with this new patch it was assumed that an attacker could not perform a code injection attack anymore.

Nevertheless, Onapsis researcher Matias Sena found that the implemented sanitization was still vulnerable, since an attacker could exploit the bug by using a specific attack scenario, where the attacker has better control of the filenames that can be executed.

So finally, today, SAP released a new note that is the second update to the original one and completely changes the way it sanitizes user input, so as to avoid not only the original scenario, but also the attack vector that was discovered by our Research Labs team.

In summary, all the notes this month have previous ones as prerequisites and should be implemented cumulatively, through individual applications or SP installations. 

What happens if you don’t install all the notes, but you’ve already installed the older ones? If you only install the original note, your risk is higher since the second one adds sanitization. If you have the two previous notes installed, but you still need to install the new one, you are protected to all but one attack vector. Despite the fact that this reduces the risk and is worth being mentioned, remember an attacker only needs one vulnerability to succeed, so we highly recommend not to delay implementation that, by the way, is easier if you already have the previous one installed (since it is a prerequisite to install the new packages).

Today, SAP not only published the new SAP Security Note #2525392, but also re-published the two previous ones, updating both with the link to the new note and new CVSS vector.

Other Notes Reported by Onapsis Research Labs
In last month’s blog post we spoke about a vulnerability found by Onapsis researchers Andres Blanco and Nahuel Sanchez, in which an attacker could exploit a URL redirection vulnerability in the SAP startup service. This month SAP released a couple of other notes reported by the aforementioned researchers concerning this service.

Missing Authentication Check in Startup Service
The SAP startup service provides functions for starting, stopping and monitoring SAP systems, instances and processes. The service runs as sapstartsrv. The online SAP documentation provides some additional details. Here we see a number of logical diagrams visualizing how different SAP components revolve around the service sapstartsrv. The service itself publishes a web service, which simply means the service opens itself up to be interacted with through the web. Communication with the web service is done by sending it Simple Object Access Protocol (SOAP) requests. The SOAP protocol is basically a way of formulating messages in a way the web service understands.

Exposing a web service through the network or the internet provides a possible entrance for an attacker if the appropriate security measures are missing. In the case of SAP note #2520995, reported by the Onapsis Research team, attackers could assemble their own specially crafted SOAP messages and send them to the SAP startup service. Because of a missing authentication check on the SAP server side, this would unintentionally allow the unauthenticated attacker to consume unlimited file system storage. This could additionally lead to the exhaustion of server CPU and memory resources.

Information Disclosure in Startup Service in SAP HANA
A note with the above title and number #2575750 was posted by SAP today, resulting from additional research done by Onapsis on the SAP startup service. The note concerns systems running the SAP HANA database.

This vulnerability allows an attacker to again send a SOAP request to the web service, after which the SAP server responds with information about the system. The information disclosed in the response could assist the attacker in planning a next step and is therefore considered a hazard from an information security perspective.

The solution to fix the vulnerability is not offered in the form of a software package or patch. Instead, multiple useful resources for increasing the security of sapstartsrv are mentioned in the note. The first reference directs you to note #1439348, titled “Extended Security Settings for Sapstartsrv.” In this note, a distinction is made between so-called protected and unprotected web service methods. 

We read, “The default setting is set so that all methods that change the status of the instance or the system when called are protected (for example, start/stop/restart).” A bit further on we read, “Many unprotected methods offer the option to query information about the system configuration or the status.” The note then instructs how to harden the system to restrict access to these unprotected web service methods. 

Other instructions to increase the security level of the SAP startup service are referred to in the note. We wholeheartedly advise you to give them a good read through and decide whether your case allows you to restrict access without interrupting operation.

A new year has begun and we will keep covering SAP Security Notes through a monthly report here in the blogpost. In case you didn’t see it yet, we published a summary of 2017 SAP Security Notes a few days ago. This month, Nahuel Sanchez, Andres Blanco and Matias Sena, from our Research Labs, have been acknowledged by SAP on their webpage for their collaboration to keep improving SAP securityWe are also working on updating the Onapsis Security Platform to incorporate these newly published vulnerabilities. This will allow our customers to check whether their systems are up to date with the latest SAP Security Notes and will ensure that those systems are configured with the appropriate level of security to meet their audit and compliance requirements.