SAP Security Notes January 2017: Continued Security Focus on SAP for Defense

So, 2017 begins… and the first Patch Day has arrived. Today, SAP published its first Security Notes post of the year, making a total of 24 notes (21 published today) since the last Security Notes Tuesday in December. The number of security corrections per month starts the year in line with last year (keeping the average of 25 SAP Security Notes per month). For the second month in a row, SAP published SAP Security Notes for SAP ERP Defense Forces and Public Security. Alongside our Research Labs' analysis, SAP is working on several security improvements for these solutions, which are used by many large organizations around the world.

The following graph shows that, on average, this month's notes are more critical than last month's, even though their priority (see the box) is lower:

[Figure: boxplot_january_2017.png]

Before December 2016, there were just three SAP Security Notes in total related to the SAP Mobile Defense & Security and Defense Forces and Public Security solutions. In the last two months, Onapsis has helped SAP mitigate several Missing Authority Check bugs in these platforms, resulting in six new note publications: half of them in the last month of 2016, and these new ones published in today's SAP Notes Patch Day:

  • Missing Authorization check in SAP ERP Defence Forces and Public Security (2376524). CVSS v3 Base Score: 5.4 / 10.
  • Missing Authorization check in SAP ERP Defence Forces and Public Security (2378417). CVSS v3 Base Score: 5.0 / 10.
  • Missing Authorization check in SAP ERP Defence Forces and Public Security (2378448). CVSS v3 Base Score: 4.3 / 10.

Missing Authority Check is one of the most common vulnerabilities in SAP platforms (see the BIZEC list of the most common security defects in SAP ABAP applications). Not performing the necessary authorization checks for an authenticated user can result in escalation of privileges: any user who can reach the program can perform the sensitive action, regardless of the authorizations in their user master record. Taking into account the type of organizations that use these solutions (military and public security forces), it is highly important to keep these notes installed and the software updated.
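To make the defect concrete, here is an added ABAP illustration (not code from SAP, Onapsis or any of the notes above) of a Missing Authority Check beside its fixed form. The report name, table ZDFPS_ORDERS, field ZTYPE and authorization object Z_DFPS_ORD are hypothetical; ACTVT values '03' (Display) and '06' (Delete) are standard SAP activity codes.

```abap
*& Added illustration, not SAP or Onapsis code. ZDFPS_ORDERS, ZTYPE,
*& Z_DFPS_ORD and the report name are hypothetical objects.
REPORT zdemo_missing_auth_check.

PARAMETERS: p_ordtyp TYPE c LENGTH 4,
            p_delete TYPE abap_bool DEFAULT abap_false.

" Vulnerable form: the only gate is being allowed to start the report.
" Any authenticated user who reaches it can delete every order of the
" chosen type, whatever their user master record says.
FORM process_orders_vulnerable.
  DELETE FROM zdfps_orders WHERE ztype = p_ordtyp.
ENDFORM.

" Hardened form: an explicit AUTHORITY-CHECK on the (hypothetical)
" custom object Z_DFPS_ORD guards the sensitive action, with the
" activity derived from what the user actually asked for.
FORM process_orders_hardened.
  DATA lv_actvt TYPE activ_auth.
  lv_actvt = COND #( WHEN p_delete = abap_true THEN '06' ELSE '03' ).

  AUTHORITY-CHECK OBJECT 'Z_DFPS_ORD'
    ID 'ACTVT' FIELD lv_actvt
    ID 'ZTYPE' FIELD p_ordtyp.
  IF sy-subrc <> 0.
    " Fail closed on ANY non-zero result: 4 means the user lacks the
    " authorization, other values mean the check itself could not be
    " performed (wrong field set, object not maintained for the user).
    MESSAGE 'Not authorized for this order type and activity' TYPE 'E'.
  ENDIF.

  IF p_delete = abap_true.
    DELETE FROM zdfps_orders WHERE ztype = p_ordtyp.
  ELSE.
    SELECT * FROM zdfps_orders
      WHERE ztype = @p_ordtyp
      INTO TABLE @DATA(lt_orders).
  ENDIF.
ENDFORM.

START-OF-SELECTION.
  PERFORM process_orders_hardened.
```

Every field of the authorization object must appear in the check (use the DUMMY keyword for fields intentionally left unchecked); otherwise sy-subrc is non-zero for everyone and the check is silently wrong.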

High Priority SAP Notes

SAP started 2017 with a Hot News note, the most critical priority a vulnerability can receive. There were just nine Hot News notes in 2016 (three of them found and reported by our Research Labs), and those were published later in the year, whereas this year the first one arrives in January:

  • Multiple buffer overflows in Sybase Software Asset Management (2407862): SySAM 2.3 and earlier versions include Flexera FlexNet Publisher software that is vulnerable to buffer overflows (CVE-2015-8277), which can lead to high-impact attacks affecting confidentiality, integrity and availability. Installing the patch upgrades to SySAM 2.4, which in turn upgrades the vulnerable software to its fixed version.
    CVSS v3 Base Score: 9.8 / 10
  • Denial of service (DoS) in SAP Single Sign On (2389042): Denial of service vulnerabilities are always relevant, since they can lead to serious availability problems, and this one is no exception. Companies that use SAP Single Sign On should install this note to prevent an attack exploiting this bug.
    CVSS v3 Base Score: 7.5 / 10
  • Potential Directory Traversal (1699041): Some programs contain a vulnerability through which a malicious user can potentially write and delete arbitrary files on the remote server, possibly corrupting data or altering system behavior. This note contains manual instructions and cannot be implemented automatically; you need to perform the manual steps to ensure protection.
    CVSS Base Score: not published.

This month our researchers Sergio Abraham, Julián Rapisardi and I were acknowledged on the SAP webpage, and we are already in the process of updating the Onapsis Security Platform to incorporate these newly published vulnerabilities. This will allow you to check whether your systems are up to date with the latest SAP Security Notes, and will ensure that those SAP systems are configured with the appropriate level of security to meet your audit and compliance requirements.

Taking 2016's first-ever DHS CERT Alert on SAP enterprise application security together with 2017 starting with critical vulnerabilities in military and defense products, as well as the first Hot News note of the year, we expect the continued maturing of the SAP security market to be reflected in these monthly updates throughout the year. Stay tuned for continued coverage and analysis from the Onapsis Research Labs.