SAP Security Notes November 2017: Don't Get Too Comfortable, Hot News is Back

Today SAP has released another batch of its security notes, a regular event which happens every second Tuesday of the month. The total number of notes this month is 32, of which 18 have been released today. The other 14 notes have been released in the course of the past month. Those notes generally concerned re-releases. 

After almost half a year we are finally seeing Hot News notes reappearing. Three in total, for this month. One of these Hot News notes was reported by Onapsis security researcher Pablo Artuso. More on the surfacing of Hot News notes later. 

Two of this month's notes are of high severity and one is of low severity. As always, the remaining majority of notes are of medium severity.

Distribution by Vulnerability Type

Every so often, the Onapsis research team joins forces to hunt for bugs in one specific area of technology for a prolonged time. The same was done for SAP HANA 2 shortly after its release in November last year. More than a few bugs were found, which is why we have dedicated the last section of this blog post to a discussion of HANA 2 vulnerabilities. A vulnerability found during this Onapsis HANA 2 bug hunting effort has been published by SAP this month (#2493171). The bug was found and reported to SAP by Onapsis researcher Nahuel Sanchez. It should be noted that the vulnerability affects a broader range of SAP components than just HANA 2. However, in the last section of this blog post we take the note as an opportunity to discuss HANA 2 and its vulnerabilities in a bit more detail.

Hot News is Back
After a dry spell of six months, in which no Hot News notes surfaced, we are seeing the release of three notes of this severity this month. In our September blog post, we discussed the significance of the absence of this type of note. We concluded that it could very well mean that SAP security is maturing; nevertheless, we cannot simply rest in complacency.

The streak of absence of Hot News notes has now ended; however, these new Hot News notes all concern re-releases of earlier notes. One of the re-released Hot News notes (#2371726) was reported by the Onapsis research team last year. It concerns a code injection vulnerability with a CVSS v3 score of 9.1 and has now been updated with some additional correction instructions. 

A peculiarity in the reappearance of the two other Hot News notes is that SAP has raised their severity level. They used to be high-priority notes and have now been upgraded to Hot News notes. The two notes in question, now Hot News, are the following:

  • Disclosure of Information/Elevation of Privileges LVM 2.1 and LaMa 3.0 (#2531241), Disclosure of Information/Elevation of Privileges LaMa 3.0 (#2520772): The two notes can essentially be mentioned in one breath, since the type of vulnerability is the same. SAP Landscape Management (LaMa) is the new name for the SAP product once called Landscape Virtualization Management (LVM). LaMa is a management tool that enables the SAP Basis administrator to automate SAP system operations. LaMa requires the passwords of managed systems for operation. During operation, relevant data is required for restarting a process for recovery reasons. Confidential data is therefore stored in the NetWeaver Java Secure Store. This data, which should not be readable, can be accessed by an attacker under certain conditions.
    CVSS v3 Base Score: 9.1 / 10

Previously these notes had no CVSS v3 score assigned, but were nevertheless deemed high-priority notes by SAP. This month the CVSS v3 scores have been added; both score 9.1 / 10. That means they should definitely fall into the Hot News category, and so they do.

Apart from the newly added CVSS v3 score, the notes do have altered manual activities, but the reason for the upgraded severity is not clear at a glance. Could SAP have discovered that the vulnerabilities were more far-reaching than previously estimated? Complacency is definitely a vice that all parties in the industry should be wary of.

The SAP HANA 2 Greenfield
SAP HANA 2 was released in November 2016 and is a continuation of its forerunner, SAP HANA, which has existed since May 2013. SAP, the product, is heavily database reliant and SAP, the company, has already invested considerably in improving its database technologies through a number of different developments and acquisitions.

Their efforts resulted in SAP HANA (high-performance analytic appliance), an in-memory (RAM) database, a design that enables it to process massive amounts of data fast. According to SAP, “SAP HANA removes the burden of maintaining separate legacy systems and siloed data, so you can run live and make better business decisions in the new digital economy.”

In the meantime, SAP HANA has been succeeded by its next-generation platform: SAP HANA 2. HANA 2 promises to deliver “…new functionalities for database management, data management, analytical intelligence, and application development.” An upgrade from HANA to HANA 2 should be straightforward, which indicates that the new platform is not a complete decomposition and overhaul of the previous version. Rather, it is a continuation of the previous line.

As with every new software version or platform, HANA 2 opens up a greenfield of vulnerabilities to be explored and, in the case of malicious intent, exploited. Companies deciding to be first in line as early adopters trade the luxury of new features against an added risk of exposure.

At Onapsis we have acknowledged the existence of zero days in HANA 2 from its first days and have mobilized all efforts to beat the ‘blackhats’ to it. Shortly after the release of HANA 2, a team of Onapsis security researchers dedicated 100% of their time to finding bugs specifically in the HANA 2 platform. This led to dozens of bugs being found, covering the whole spectrum of vulnerabilities and CVSS v3 scores.

A total of nine SAP notes concerning HANA 2 vulnerabilities have been published by SAP in the meantime. Not all of these notes necessarily target HANA 2, but at a minimum they all apply to HANA 2, among other components. Of the nine notes, Onapsis was responsible for reporting a majority of six. Two of the notes reported by Onapsis were of high severity (#2442993 and #2429069).

Reported SAP Notes Relating to HANA 2

This month too, SAP has published and confirmed a vulnerability found during our concentrated research efforts on HANA 2. It must, however, again be noted that the vulnerability affects not only HANA 2, but other components as well. SAP note #2493171, titled “Information Disclosure in SAP NetWeaver Instance Agent Service”, contains the relevant information.

Our consistent efforts in finding bugs in HANA 2 continue. But of course, there is more to investigate than just HANA 2. Our security research team is dedicated to protecting your systems against the complete range of risks: from the greenfield zero days to legacy component vulnerabilities.

Onapsis Research Labs is already in the process of updating our product, the Onapsis Security Platform, to incorporate all newly published vulnerabilities. Stay tuned for more information about SAP Security and do not hesitate to reach out to us if you have further questions about how to protect against the attacks of this month.