SAP Security Patch Day September 2020: Critical Patches Published for SAP Marketing and SAP NetWeaver AS ABAP
Highlights of September SAP Security Notes analysis include:
- September Summary—20 new and updated SAP security patches released, including four HotNews Notes and two High Priority Notes
- Most Critical Patch for SAP Marketing—Vulnerability in Mobile Channel Servlet allows unauthenticated users to perform tasks related to contact and interaction data
- Code Injection Threat—Serious vulnerability in SAP NetWeaver AS ABAP/ABAP platform fixed
SAP has published 20 new and updated Security Notes on its September patch day. This number includes four HotNews Notes and two High Priority Notes. It’s important to keep in mind that our monthly analysis also includes SAP Security Notes that were published or updated by SAP between August and September Patch Days. Part of these additional notes is an update on SAP HotNews Note #2890213 [CVE-2020-6207] titled, “Missing Authentication Check in SAP Solution Manager” and scored with CVSS 10.0. The update contains only minor text changes that do not require any customer action. Nevertheless, it can be seen as a friendly reminder to check if you have already applied the patch since its first publication in March 2020. Details can be found here.
Another SAP HotNews note that was already updated at the end of August is SAP Security Note #2622660 which contains the newest version of SAP Business Client. This version includes Chromium 84.0.4147.105 which fixes one critical and 13 High Priority vulnerabilities in the browser software. The CVSS score of this recurring SAP Security Note remains 9.8 which represents the maximum CVSS score of all fixed vulnerabilities in SAP Business Client that were ever patched with this note.
In Focus: SAP Marketing Mobile Channel Servlet
The Mobile Channel Servlet is an integral part of the technical infrastructure that is required to realize mobile campaigns in SAP Marketing. Mobile campaigns provide offers and notifications that are sent as mobile push notifications to either Android or iOS devices. These mobile push notifications are routed via Google Firebase.
For inbound activities like user registrations, the mobile device needs to connect to the SAP Hybris Marketing Cloud system. Therefore, the SAP mobile SDK must be installed on the mobile devices and the Mobile Channel Servlet has to be deployed on SAP Cloud Platform:
SAP Security Note #2961991, tagged with a CVSS score of 9.6, patches a vulnerability in the Mobile Channel Servlet that allows an authenticated attacker to invoke certain functions that are restricted. An exploit of the vulnerability enables an attacker to perform tasks related to contact and interaction data. As a workaround, if applying the patch is not possible, customers can disable the servlet. A detailed description of how to disable the servlet can be found in SAP Security Note #2962970. Other valuable information is provided with SAP Security Note #2963056.
Code Injection Threat on ABAP Servers
The set of four HotNews notes is completed by SAP Security Note #2958563 and is tagged with a CVSS score of 9.1. This note provides a patch for a Code Injection vulnerability in the SAP NetWeaver AS ABAP and SAP ABAP Platforms, enabling an attacker to take complete control of the application, including viewing, changing or deleting data by injecting code into the working memory which is subsequently executed by the application. It can also be used to cause a general fault in the application causing it to terminate. Important to know:
- Only ABAP Servers on DB4 or Sybase are vulnerable
- The vulnerability scenario is not relevant to SAP ABAP for Cloud Environment and the described attack cannot be executed in SAP cloud products
Other Critical SAP Security Notes in September
Minor updates on two High Priority Notes were published.
SAP Security Note #2941667, tagged with a CVSS score of 8.3, was initially published on August Patch Day and describes another Code Injection vulnerability on ABAP servers. The update contains additional dependency information for SAP NetWeaver 7.0 and 7.01.
The second High Priority note, SAP Security Note #2912939, tagged with a CVSS score of 7.6, only contains textual changes to the “Solution” section and does not require any customer action.
Summary & Conclusions
SAP’s September Patch Day is a more calm one. Three of the six HotNews and High Priority notes only contain more or less negligible update information that does not require customer action (compared to the initial/previous version of the notes). The two HotNews notes #2961991 and #2958563 only affect a small number of SAP customers (SAP Marketing, SAP NetWeaver AS ABAP on DB4 or Sybase). That gives enough time to check the status of all relevant security patches in your SAP systems.
As always, the Onapsis Research Labs is already updating The Onapsis Platform to incorporate the newly published vulnerabilities into the product so that our customers can protect their businesses.
For more information about the latest SAP security issues and our continuous efforts to share knowledge with the security community, subscribe to our monthly Defender’s Digest Onapsis Newsletter.