SAP Security Notes October 2017: Sensitive Data Exposed

Since it is the second tuesday of the month, SAP has again published a new set of notes to patch vulnerabilities found in its software. Over the course of the month, counting from the last patch tuesday, a total of 30 new notes were published. Today, half of those notes were posted. 

This month, five notes are of high priority, four of low priority and the remaining notes are of medium priority. No new hot news notes were reported, which continues the trend we wrote about last month, when we discussed what the absence of hot news notes might signify

This month the types of vulnerabilities reported are a mixed bag, affecting several products in a range of different ways. For instance, we see high priority notes concerning DDoS possibilities, escalation of privileges and directory traversal in products like SAP Standalone Enqueue Server, SAP Landscape Management and SAP NetWeaver AS Java Web Container, respectively. More about those high priority notes later in this post. 

Four vulnerabilities found by Onapsis were patched and published by SAP this month. These notes will be discussed later in the post. Two of the issues found are related to SAP For Defense, about which we wrote in our January blog post.

Out of the 30 notes, eight were re-released with changes, after having been published before. Notes #2264948 and #2264949 deserve some attention, since the changes published by SAP concerning manual activities are considerable. SAP Security Note #2528596, which concerns SAP Point of Sale, was discussed in our blog post last month and has been re-released with some minor software validity information.

High-Priority SAP Notes

Below you will find an overview of the notes with high priority. The note with the highest CVSS v3 score is mentioned first, but is a re-release with updated support package information.  The last two notes, mentioned in tandem, require multiple manual steps and should therefore be regarded thoroughly.

  • Directory Traversal Vulnerability in SAP NetWeaver AS Java Web Container (#2486657): This note is one of the re-releases mentioned before, and was already discussed in our August blog post. These types of attacks always affect the confidentiality of information, since it allows an attacker to read arbitrary files that shouldn’t be accessed. Its high impact on confidentiality makes its CVSS score the highest again of this month. It is not critical however, since there is no impact on availability or integrity and an attack should be performed with privileges. AS Java Web Container without proper validation of path information could have an impact due to an attacker reading content of arbitrary files on the remote server, exposing sensitive data.

CVSS v3 Base Score: 7.7 / 10

  • Potential Denial of Service Vulnerability in SAP Standalone Enqueue Server (#2476937): The Standalone Enqueue Server makes an enqueue function available to AS ABAP and AS Java instances. The Enqueue Server provides a locking service and locking clients (the application servers) communicate directly with this server through TCP. The Enqueue Server holds critical data in the lock table in the main memory: all locks that are currently held by users. This vulnerability allows an attacker to remotely exploit the Enqueue server, making its resources unavailable. Data on that server then could be lost and cannot be restored even when the Enqueue Server is restarted. All transactions that have held locks therefore would have to be reset.

CVSS v3 Base Score: 7.5 / 10

  • Disclosure of Information/Elevation of Privileges LVM 2.1 and LaMa 3.0 (#2531241), Disclosure of Information/Elevation of Privileges LaMa 3.0 (#2520772): The two notes above can essentially be mentioned in one breath, since the type of the vulnerabilities found is the same. SAP Landscape Management (LaMa) is the changed name for the SAP product once called Landscape Virtualization Management (LVM). LaMa is a management tool that enables the SAP basis administrator to automate SAP system operations. LaMa requires passwords of managed systems for operation. During operation relevant data is required for restarting a process for recovery reasons. Confidential data is therefore stored in Netweaver Java Secure Store. This data, which should not be able to be read, can be accessed by an attacker under certain conditions. 

Onapsis Research

This month a total of four vulnerabilities reported by Onapsis were patched. Of these bugs, three were of a low priority and one of medium priority. They are discussed below.

The first three vulnerabilities mentioned are related in a number of ways. They are all of the information disclosure type. And in all three cases Onapsis researchers found sensitive data being stored in the local directory of the SAP Netweaver Mobile Client with varying degrees of exposure. 

  • Information Disclosure in SAP NetWeaver Mobile Client (#2532802): In this first case database password information was getting saved in plaintext in the local directory, thus making it possible to access the local database. Code changes have been made by SAP to encrypt and store the database password in the Windows Certificate tool. The plain text which was getting stored in the ‘‘ file is no longer present.
  • Information Disclosure vulnerability in SAP NetWeaver Mobile Client (#2510269): In this note the local directory stored the ‘truststore‘ key file, which could then be decrypted and used to manipulate custom certificates. Code changes have been made to adapt to a more secure encryption method. The ‘truststore‘ master key is no longer stored in the local directory of the SAP NetWeaver Mobile Client.
  • Information Disclosure in SAP NetWeaver Mobile Client (#2528284): The user credentials were stored in a file with a weak encryption under the local directory. The encryption could be easily reversed and manipulated. Stronger encryption has been introduced by SAP by removing the credentials file and using the Windows Certificate store instead. 

An additional vulnerability of medium priority was found in the ‘sapstartsrv‘ service.

  • Information Disclosure in SAP NetWeaver Instance Agent Service (#2504129): A remote unauthenticated attacker could send a specially crafted SOAP request to SAP ‘sapstartsrv‘ and disclose information about all the JAVA applications and services currently installed and disclose its current status. SAP patched this bug by enforcing correction authentication. The SAP note also mentions a workaround as a temporary solution.

As usual, our researchers, who help SAP improve their security, are properly acknowledged for their work on the SAP Webpage this month. Onapsis Research Labs is already in the process of updating our product, the Onapsis Security Platform, to incorporate these newly published vulnerabilities. Stay tuned for more information about SAP Security and do not hesitate to reach out to us with if you have further questions about how to protect against the attacks of this month.