SAP Patch Day: January 2023
HotNews for SAP NetWeaver AS ABAP May Require Fixes in Custom Code
Highlights of January SAP Security Notes analysis include:
- January Summary—12 new and updated SAP security patches released, including seven HotNews Notes
- All SAP customers affected by SAP HotNews Notes—Critical vulnerabilities patched for SAP AS ABAP and Java
- Onapsis Research Labs Contribution—Our team supported SAP in patching a CVSS 9.4 vulnerability in SAP AS Java
The new SAP Security year has started with 12 new and updated SAP Security Notes, including four new and three updated HotNews Notes.
Two of the three updated HotNews Notes are SAP Security Notes #3267780 and #3273480, which were initially released by SAP in December 2022. They patch two Improper Access Control vulnerabilities in SAP NetWeaver AS Java that were detected by the Onapsis Research Labs. The updated notes provide patches for additional support package levels of SAP NW AS Java 7.50.
SAP Security Note #3243924, tagged with a CVSS score of 9.9, was the most critical patch of SAP’s November 2022 Patch Day and affected SAP BusinessObjects customers. The update contains an extension of the proposed workaround, and notes that two web pages are no longer accessible when applying the workaround.
The HotNews Notes in Detail
SAP Security Note #3089413 has the lowest CVSS score of all new HotNews Notes (CVSS 9.0) but it is possibly the most critical one of SAP’s January Patch Day, since it affects the majority of all SAP customers, and its mitigation is a challenge. A Capture-Replay vulnerability in the architecture of trusted-trusting RFC and HTTP communication scenarios allows malicious users to obtain illegitimate access to an SAP system. Complete patching of the vulnerability includes applying a kernel patch, an ABAP patch, and a manual migration of all trusted RFC and HTTP destinations. Both of the systems of a communication scenario need to be patched to mitigate the vulnerability.
The development team must be involved to adjust the code if dynamic destinations are used in custom code or if this code includes the generation of permanent or transient RFC destinations via SAP API, using trusted/trusting relationships.
The fact that SAP explicitly recommends a backup of the affected systems before patching indicates that customers must be aware of unforeseen problems during the patch and migration process. The note refers to a How-To-Guide in SAP Note #3281854 for the manual migration steps and to an FAQ list in SAP Note #3157268. Here, customers can find answers to important questions like:
- How can I reduce the attack surface?
- Are old trusted/trusting connections still working, after a system has the required kernel patch and ABAP SP level/ABAP patch installed?
- Do trusted/trusting relationships work during migration?
- What happens if only one side of a trusted/trusting relationship has applied the relevant correction instructions?
- How do I adjust affected custom code?
For SAP customers with questions not covered in the FAQ, we strongly recommend referring to the SAP Security Notes webcasts of the American SAP User Group (ASUG) and the Deutschsprachige SAP Anwender Gruppe (DSAG). Please refer to SAP’s Patch Day blog.
The set of the four new HotNews Notes is headed by two CVSS 9.9 vulnerabilities. SAP Security Note #3262810 patches a critical Code Injection vulnerability in SAP BusinessObjects Business Intelligence platform (Analysis edition for OLAP). The vulnerability can be exploited by an authenticated attacker over the network and can have a high impact on the confidentiality, integrity, and availability of the application. The note contains a patch and a workaround for those customers who can’t apply the patch immediately. However, this workaround can only serve as a temporary solution, as it removes, stops, or disables the affected service.
SAP Security Note #3275391 patches the second CVSS 9.9 vulnerability. An exploit of this vulnerability allows an unauthenticated attacker to execute crafted database queries in SAP Business Planning and Consolidation Microsoft (SAP BPC MS). The crafted queries can include commands to read, modify, or delete arbitrary data from the backend database.
SAP Security Note #3268093, tagged with a CVSS score of 9.4, is a result of the continuous security research of the Onapsis Research Labs (ORL). After identifying the Messaging System and the User Defined Search in SAP NW AS Java as being vulnerable to improper access control (refer to the updated HotNews Notes #3267780 and #3273480), our ORL team recognized a similar problem in the rfcengine P4 service. The vulnerability allows an unauthenticated attacker to attach to an open interface of the service. They can then make use of an open naming and directory API to access services. This can be used to perform unauthorized operations affecting users and data on the current system. This could allow the attacker to have full read access to user data, to make modifications to user data, and to make particular services within the system unavailable.
Summary & Conclusions
At first glance, the year seems to start with a calm SAP Patch Day. With only nine new Security Notes, including four HotNews Notes, patching efforts seem to be manageable. However, HotNews Note #3089413 may affect a lot of SAP customers, and the complexity of the mitigation suggests a lot of work for SAP administrators and potentially for SAP development departments.
As always, the Onapsis Research Labs is already updating The Onapsis Platform to incorporate the newly published vulnerabilities into the product so that our customers can protect their businesses.
For more information about the latest SAP security issues and our continuous efforts to share knowledge with the security community, subscribe to our monthly Defender’s Digest Onapsis Newsletter.