SAP Security Patch Day: October 2022
Highlights of October SAP Security Notes analysis include:
- October Summary – 23 new and updated SAP security patches released, including two HotNews Notes and six High Priority Notes
- Two HotNews Notes with CVSS score close to 10 – CVSS 9.9 vulnerability in SAP Manufacturing Execution and CVSS 9.6 issue in SAP Commerce
- Large To Do List for SAP BO Customers – SAP Business Objects affected by eight new and updated SAP Security Notes, including three High Priority Notes
SAP has published 23 new and updated Security Notes in its October Patch Day (including the notes that were released or updated since last Patch Tuesday). This includes two HotNews Notes and six High Priority Notes.
SAP Manufacturing Execution HotNews Note
SAP Security Note #3242933, tagged with a CVSS score of 9.9, patches a very critical Path Traversal vulnerability in SAP Manufacturing Execution. The vulnerability affects two plugins:
- Work Instruction Viewer (WI500)
- Visual Test and Repair (MODEL_VIEWER)
These are used for displaying all types of work instructions and models.
The URL used to request this information included a file path parameter that could be manipulated to traverse arbitrary directories on the remote server. The content of files in those directories could be read in the context of the OS user running the NetWeaver process or service. The patch contains a code correction that determines the file path internally, so it can no longer be supplied dynamically as a request parameter. The CVSS score of 9.9 reflects that the impact on confidentiality, integrity, and availability can be high, depending on the kind of information that can be accessed during an attack.
As a temporary workaround, SAP recommends removing any sensitive information from the file systems that are accessible to the OS user, and restricting access to any unneeded file paths for this user.
Since the identification of sensitive information can be complex, the workaround can only minimize the risk. Affected customers should therefore apply the patch as soon as possible. However, restricting access to sensitive information is always recommended, independent of any existing vulnerability in the application.
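The following Python example is added here to illustrate the two sides of the fix described above; it is not SAP's code and does not reproduce the WI500 or MODEL_VIEWER plugins. The base directory, document catalogue, identifier format and function names are constructed for the demo. The "before" function takes the file path straight from a request parameter, as the vulnerable plugins did; the "after" function accepts only a document identifier, derives the path internally, and additionally checks that the result stays under the base directory.

```python
import posixpath
import re
from typing import Dict, Optional
from urllib.parse import unquote

# Constructed base directory for this demo; not a real SAP Manufacturing Execution path.
BASE_DIR = "/srv/me/work_instructions"

# Constructed catalogue: the server maps a document identifier to its file.
# The patch moves path handling into the server in this spirit; the identifiers
# and file names below are made up for the example.
DOCUMENTS: Dict[str, str] = {
    "WI500-0001": "wi500/press_assembly.pdf",
    "MODEL-0007": "model_viewer/pump_housing.step",
}

# Identifiers may only contain upper-case letters, digits and hyphens, so no
# '.', '/' or '\' can ever reach the path logic.
ID_PATTERN = re.compile(r"[A-Z0-9-]{1,32}")


def vulnerable_resolve(path_param: str) -> str:
    """'Before' behaviour: the file path arrives as a request parameter and is
    joined to the base directory without any containment check. A value such as
    '../../../etc/passwd' (or its percent-encoded form) escapes BASE_DIR."""
    decoded = unquote(path_param)
    return posixpath.normpath(posixpath.join(BASE_DIR, decoded))


def hardened_resolve(doc_id: str, catalogue: Dict[str, str] = DOCUMENTS) -> Optional[str]:
    """'After' behaviour: the client supplies only an identifier. The path is
    looked up internally and verified to stay under BASE_DIR.
    Returns the absolute path, or None when the request must be rejected."""
    if not ID_PATTERN.fullmatch(doc_id):
        return None                      # traversal characters never reach a path
    relative = catalogue.get(doc_id)
    if relative is None:
        return None                      # unknown document: do not guess a path
    candidate = posixpath.normpath(posixpath.join(BASE_DIR, relative))
    # Defence in depth: even if the catalogue were tampered with, refuse any
    # path that resolves outside the base directory.
    if posixpath.commonpath([BASE_DIR, candidate]) != BASE_DIR:
        return None
    return candidate


def is_within_base(path: str) -> bool:
    """True when a resolved path lies under BASE_DIR; used to show the difference."""
    return posixpath.commonpath([BASE_DIR, posixpath.normpath(path)]) == BASE_DIR


if __name__ == "__main__":
    # Constructed request values: one legitimate, one plain traversal, one percent-encoded.
    for param in ["wi500/press_assembly.pdf", "../../../etc/passwd", "..%2F..%2F..%2Fetc%2Fpasswd"]:
        resolved = vulnerable_resolve(param)
        print(f"vulnerable {param!r:32} -> {resolved} (inside base: {is_within_base(resolved)})")
    for doc_id in ["WI500-0001", "../../../etc/passwd", "WI500-9999"]:
        print(f"hardened   {doc_id!r:32} -> {hardened_resolve(doc_id)}")
```

The containment check with `commonpath` is the part worth keeping even after the identifier-based lookup: it costs nothing and protects against the catalogue itself being poisoned, which is the kind of second-order risk the workaround's "remove sensitive information from reachable file systems" advice is trying to cover.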
SAP Commerce HotNews Note
The second HotNews Note is SAP Security Note #3239152, tagged with a CVSS score of 9.6. This note patches an Account Hijacking vulnerability in the SAP Commerce login page. The login page contains multiple URLs that are called when the login form is submitted. These URLs were not properly sanitized and could be changed by manipulating the URL used to call the login form. Attackers were able to inject redirect information into the login page's URLs, causing the login page to send sensitive information such as login credentials to an arbitrary server on the Internet. Attackers didn't require any privileges, but they did need a user to click a malicious link that opens the manipulated login form. Bad actors can trick users into clicking this type of link by using phishing techniques to distribute the manipulated URL to legitimate SAP Commerce users.
SAP provides two workaround options: The first option recommends disabling the affected OAuth extension. This sounds like an easy solution but there is a warning included since many other SAP Commerce extensions, as well as integrations with other systems, may rely on the OAuth extension.
The second workaround option recommends filtering malicious HTTP requests via Website Redirect directives. The note lists two directives that cause SAP Commerce to refuse manipulated requests and respond with HTTP status code 404 instead.
However, since there is no guarantee that the directives cover all possible situations, it is strongly recommended to apply the patch. The patch fixes this vulnerability by sanitizing URL paths and by outputting HTML encoded URLs into the affected OAuth login page.
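The Python example below is added to show, in a generic form, the two things the patch does (validating the redirect target and HTML-encoding it before it is written into the page) and how the workaround's "answer 404" behaviour relates to the same check. It is not SAP Commerce code: the storefront host, the `redirect` parameter name, the form markup and the function names are all assumptions made for the demo, and the 404 filter is an approximation rather than the directives the note lists.

```python
import html
from typing import Iterable
from urllib.parse import parse_qs, urlsplit

# Constructed storefront host; not an actual SAP Commerce deployment.
ALLOWED_HOSTS = {"shop.example.com"}
DEFAULT_TARGET = "/login"


def _is_safe_redirect(candidate: str, allowed_hosts: Iterable[str]) -> bool:
    """Accept only a local absolute path or an https URL on an allowed host."""
    if not candidate or any(ord(c) < 0x20 or c.isspace() for c in candidate):
        return False                              # CR/LF and whitespace tricks
    # A local path must start with exactly one slash: '//host' and '/\host'
    # are treated by browsers as protocol-relative URLs to another origin.
    if candidate.startswith("/") and not candidate.startswith(("//", "/\\")):
        return True
    parts = urlsplit(candidate)
    if parts.scheme != "https" or parts.hostname is None:
        return False                              # also rejects javascript: and data:
    # .hostname strips userinfo, so 'https://shop.example.com@evil.example/'
    # is seen as evil.example and rejected.
    return parts.hostname.lower() in allowed_hosts


def safe_redirect_target(candidate: str, allowed_hosts=ALLOWED_HOSTS, default=DEFAULT_TARGET) -> str:
    """Return the candidate if it passes validation, otherwise a safe default."""
    return candidate if _is_safe_redirect(candidate, allowed_hosts) else default


def _redirect_param(request_url: str):
    # Assumed parameter name 'redirect'; parse_qs percent-decodes the value.
    values = parse_qs(urlsplit(request_url).query).get("redirect")
    return values[0] if values else None


def vulnerable_login_form(request_url: str) -> str:
    """'Before': the redirect value from the request URL is written into the
    form unchanged, so the login POST can be pointed at any server."""
    target = _redirect_param(request_url) or DEFAULT_TARGET
    return f'<form method="post" action="{target}">'


def hardened_login_form(request_url: str) -> str:
    """'After': the target is validated against the allow-list and HTML-encoded
    before being written into the page (the two measures the note describes)."""
    target = safe_redirect_target(_redirect_param(request_url) or DEFAULT_TARGET)
    return f'<form method="post" action="{html.escape(target, quote=True)}">'


def workaround_filter_status(request_url: str) -> int:
    """Approximation of the second workaround: refuse a request whose redirect
    value fails validation and answer 404 instead of rendering the login page."""
    target = _redirect_param(request_url)
    if target is not None and not _is_safe_redirect(target, ALLOWED_HOSTS):
        return 404
    return 200


if __name__ == "__main__":
    # Constructed phishing-style link: the login page is asked to post to evil.example.
    link = "https://shop.example.com/login?redirect=https://evil.example/steal"
    print("vulnerable:", vulnerable_login_form(link))
    print("hardened:  ", hardened_login_form(link))
    print("workaround:", workaround_filter_status(link))
```

Note that the validation and the encoding address different problems and both are needed: the allow-list stops the form from being pointed at a foreign origin, while `html.escape` stops a value that passed validation from breaking out of the attribute and injecting markup.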
SAP Business Objects Vulnerabilities
SAP Business Objects (BO) is affected by eight new and updated SAP Security Notes, including three High Priority Notes.
The eight notes patch five Information Disclosure vulnerabilities and three Cross-Site Scripting vulnerabilities.
An analysis of the required support package patch levels shows that the following patch levels fix seven of these vulnerabilities:
- SBOP BI PLATFORM SERVERS 4.2: SP009, PL001000
- SBOP BI PLATFORM SERVERS 4.3: SP002, PL000700 or SP003, PL000000
SAP Security Note #3167342 affects the SAP Data Services software component and is therefore not covered by the above summary patch info.
The three High Priority Notes for SAP BO patch Information Disclosure vulnerabilities.
SAP Security Note #3229132, tagged with a CVSS score of 8.2, patches an Information Disclosure vulnerability. The vulnerability allows attackers to gain credential information of other users. Attackers must be authenticated for an exploit to occur. Depending on whether they were authenticated as administrator, or normal user, they can see the credentials in plain text or in encrypted form. The encrypted information is returned as part of a query result that was performed on the CMS DB.
The second High Priority Information Disclosure vulnerability is patched with SAP Security Note #3239293, tagged with a CVSS score of 7.7. The note doesn't give many details about the vulnerability, which affects the BOE Admin Tools/BOE SDK component, but unlike note #3229132, SAP sees no impact on the system's integrity and availability.
SAP Security Note #3213507 was initially released on SAP’s August Patch Day and updated at the end of September. As described in our August blog post, there were some inconsistencies in the CVSS rating. Based on our notification, SAP has now revised the CVSS rating for this vulnerability completely and the formerly Medium Priority Note with CVSS score 5.2 has now become a High Priority Note with a CVSS score of 8.2.
Other High Priority Notes
In addition to the three High Priority Notes for SAP BO, there are two for SAP 3D Visual Enterprise and another one for SAP SQL Anywhere/SAP IQ.
SAP Security Notes #3245928 and #3245929, both tagged with a CVSS score of 7.0, patch very similar vulnerabilities in SAP 3D Visual Enterprise Viewer and SAP 3D Visual Enterprise Author. Due to improper memory management, a victim opening a manipulated file received from an untrusted source in SAP 3D Visual Enterprise Viewer/Author could trigger the vulnerability. Depending on the type of file manipulation, this could lead to arbitrary code execution or a denial of service. The two notes differ slightly in the affected file formats: the Viewer vulnerability (#3245928) affects fewer file formats than the Author vulnerability (#3245929).
The solution section of both notes lists the fixed file formats. This suggests that fixes for some formats are still pending, but when comparing this list to the list of previously affected formats, there seems to be no file format left unpatched.
High Priority Note #3232021, tagged with a CVSS score of 8.1, patches a Buffer Overflow vulnerability in SAP SQL Anywhere and SAP IQ database servers. Unauthenticated remote attackers could trigger a stack-based buffer overflow if the server was running with a debugging option enabled. An exploit could lead to unauthorized reading and modification of data as well as negatively impact the system's availability.
Summary and Conclusion
With 23 new and updated Security Notes, including two HotNews Notes and six High Priority Notes, this Patch Day comes with more to-dos for SAP customers than the previous ones. It is important to get a complete overview of all patched vulnerabilities before starting implementation of individual patches. The example of the SAP Business Objects vulnerabilities shows that with a single support package patch level per release, affected customers can fix seven issues at once.
Onapsis Research Labs automatically updates The Onapsis Platform with the latest threat intelligence and security guidance so that our customers can stay ahead of ever-evolving threats and protect their businesses.
For more information about the latest SAP security issues and our continuous efforts to share knowledge with the security community, subscribe to our monthly Defender’s Digest Newsletter.