SAP Security Patch Day November 2020: SAP Solution Manager Affected Again by Two Serious Vulnerabilities
Highlights of November SAP Security Notes analysis include:
- November Summary—19 new and updated SAP security patches released, including six HotNews Notes and three High Priority notes
- Contribution of the Onapsis Research Labs—The Onapsis Research Labs supported SAP in patching two HotNews and two Medium Priority notes, covering five vulnerabilities in total
- Critical Chromium Update—CVSS score of the periodically recurring SAP Security Note #2622660, reflecting the all-time high, was set from 9.8 to 10
SAP has published 19 new and updated Security Notes on its November Patch Day. This number includes six HotNews notes and three High Priority notes.
SAP Solution Manager (SolMan) remains the focus of this month’s SAP Patch Day, in which SAP has patched two vulnerabilities for this major technical component that is present in each customer’s system landscape—both rated with a CVSS score of 10. While updates of existing notes often contain only some minor extensions and corrections to a note’s text, SAP Security Note #2890213 demonstrates that they can also include additional patches on newly detected vulnerabilities. And, as if two critical patches weren’t enough, among other SAP applications, SAP SolMan is also affected by a Privilege Escalation Vulnerability in SAP NetWeaver Application Server Java.
Another remarkable aspect of SAP’s November Patch Day is the fact that the periodically recurring SAP Security Note for SAP Business Client #2622660 is now tagged with a CVSS score of 10.
More details and a summary of all critical SAP Security Notes can be found in the below sections.
In Focus: SAP Solution Manager
After contributing to SAP by fixing multiple critical issues in the LM-Service in the past, the Onapsis Research Labs detected another issue with that service affecting Support Package 11 Patch level 2 of the SOLMANDIAG 720 software component. The vulnerability allowed remote authenticated attackers to execute arbitrary commands in the connected SMDAgents. The corresponding patch was now released with an update of SAP Security Note #2890213 titled, “[CVE-2020-6207] Missing Authentication Check in SAP Solution Manager” and tagged with the highest possible CVSS score of 10.
SAP Security Note #2985866 is also tagged with a CVSS score of 10 and fixes other Missing Authentication issues in the LM-Service software component. These issues have a negative impact to the integrity and availability of this service as well as of four dependent services.
Last but not least, the set of HotNews notes affecting SAP SolMan also includes HotNews SAP Security Note #2979062, tagged with a CVSS score of 9.1. The Onapsis Research Labs detected this issue some weeks ago and helped SAP in patching the vulnerability. The patch fixes a bug in SAP NetWeaver Application Server Java which allows authenticated users in SAP to escalate to OS commands in the vulnerable system, and therefore lead to a full compromise of every service and piece of information running on top of it. The note fixes the segregation between the OS and the JAVA NetWeaver Web Interface, which is crucial and should be highly isolated. SAP NetWeaver AS Java administrators shouldn’t have access to the OS of the SAP system. SAP NetWeaver AS Java acts as a foundational layer for several products of SAP, such as Solution Manager, SAP Portal, SAP PI/PO and others.
Further Contribution From the Onapsis Research Labs
Onapsis researcher Gaston Traberg detected multiple vulnerabilities in SAP Commerce Cloud that were also fixed by SAP on this November Patch Day.
High Priority note #2975170 patches a Denial of Service vulnerability, tagged with a CVSS score of 7.5, and a Server-Side Request Forgery vulnerability that is tagged with a CVSS score of 5.3. Both vulnerabilities allow an unauthenticated attacker to submit a specially crafted request over the network to a particular SAP Commerce module URL which will be processed without further interaction. While an exploit of the first vulnerability can lead to complete unavailability of the SAP Commerce service, exploiting the second one only results in obtaining access to limited information about the service.
High Priority note #2975189, also tagged with a CVSS score of 7.5, addresses an Information Disclosure vulnerability in SAP Commerce Cloud. An attacker can bypass existing authentication and permission checks via a special endpoint in SAP Commerce, hence gaining access to Secure Media folders. These folders could contain sensitive files that result in disclosure of sensitive information and impact system configuration confidentiality.
Other Critical SAP Security Notes in November
On an average bi-monthly frequency, SAP releases updates for HotNews SAP Security Note #2622660, providing a new update of the Chromium version that is shipped with SAP Business Client patch. The related CVSS score is always based on the all-time high of all fixed vulnerabilities. While this value didn’t change for more than a year, it has increased now with the newest patch from 9.8 to 10. The increase seems to be caused by a critical flaw (CVE-2020-15967) in Chrome’s payments component. Following Google’s information, the flaw is a use-after-free vulnerability. Use-after-free is a memory-corruption flaw where an attempt is made to access memory after it has been freed. This can cause various malicious impacts, from causing a program to crash, to potentially leading to execution of arbitrary code. Checking all three references for the latest Chromium update, use-after-free vulnerabilities represent more than 30% of all vulnerabilities—most of them rated as High Priority.
HotNews SAP Security Note #2982840 fixes a Remote Code Execution vulnerability (CVSS 9.8) and a Denial of Service vulnerability (CVSS 7.5) in SAP Data Services. An insufficient input validation allows an unauthenticated attacker to send malicious requests that could result in remote code execution and thus, a complete compromise of system confidentiality, integrity and availability.
The second vulnerability allows an unauthenticated attacker to override access permissions which can completely compromise the availability of the service.
HotNews SAP Security Note #2928635, patching a Cross-Site Scripting vulnerability in SAP NetWeaver Knowledge Management and tagged with a CVSS score of 9, was originally released in August 2020. It contains updated correction information for NetWeaver 7.50 SP12.
High Priority SAP Security Note #2984627 patches a Server-Side Request Forgery vulnerability and a Reflected Cross-Site Scripting vulnerability in SAP Fiori Launchpad News Tile Application. The first one is tagged with a CVSS score of 8.6 and allows unauthorized attackers to access confidential data on internal systems behind firewalls. An insufficient encoding of user controlled input allows an exploit of the second vulnerability. An attacker could send malicious code to another end user and can thus gain information that is maintained in this end user’s browser.
Summary & Conclusions
With 19 SAP Security Notes since SAP’s last Patch Day, including six HotNews notes and three High Priority notes, this month is above average when looking at the number of critical notes. We have once more seen that Solution Manager will keep security administrators busy, because of its central role in the system landscape and the criticality of the newly detected vulnerabilities. Onapsis recommends that the released patches are applied as soon as possible.
As always, the Onapsis Research Labs is already updating The Onapsis Platform to incorporate the newly published vulnerabilities into the product so that our customers can protect their businesses.
For more information about recent vulnerabilities in SAP Solution Manager and the Onapsis Research Labs is helping SAP patch them, download our latest SAP Security In-depth publication, “Preventing Cyberattacks Against SAP Solution Manager.”