Layer Seven Security ADVISORY

Transcription

1 Layer Seven Security ADVISORY SAP Security Notes May 01

2 There are two startling facts about SAP Security Notes released in May. The first is the sheer number of Notes issued by SAP, 57 to be exact. In comparison, March and April had just 46 and 33, respectively. The second is that almost 90 percent of the Notes were designed to provide greater protection for SAP systems against crosssite scripting attacks (XSS). There are several forms of XSS including stored, targeted at servers, and reflected, usually targeted at the client browser. The SAP patches released in May deal with both types of vulnerabilities. XSS is the most prevalent Web application security flaw and the most popular attack vector used by hackers. It works through the injection of malicious scripts into input fields used by Web applications. Encryption provides no defense against XSS. It merely encrypts the attack. XSS can be combated through a combination of code reviews (most XSS flaws can be detected by a trained eye) and input/ output validation. For the latter, refer to the OWASP XSS Prevention Guide at Vulnerability scanners such as those used by SAPSCAN greatly help with the detection of known XSS flaws in SAP systems. You can learn more about SAPSCAN at sapscan.html. SAP components are especially vulnerable to XSS since many rely upon Web-based (HTTP) communication. This includes SAP Business Suite software such as CRM and SRM and areas of the NetWeaver technology platform including the Enterprise Portal. Successful attacks can bypass SAP access controls and compromise the underlying data in such systems. SAP Security Notes May 01 Before installing the May patches, SAP customers should install the new encoding library introduced in Note (refer to Notes and ). Customers should also update Business Server Pages (BSP) (Notes , and

3 SAP Security Notes by Vulnerability Type ) and the Internet Transaction Server (ITS) (Notes and ). For more detailed instructions, follow the SAP checklist available at the SAP Marketplace. SAP also introduced a critical patch for certain Kernel functions in the month of May. The Kernel lies at the core of SAP systems and contains executable (.exe) files that support the so-called runtime environment. The Kernel is an abstraction layer between SAP systems and the underlying operating system and database layers. It supports the interoperability of SAP systems by enabling SAP to work with almost any enterprise-level OS and DB. Security Note patches a high-risk vulnerability effecting Transport Tools (BC- CTS-TLS) in the Kernel. Transport Tools includes utilities used to control releases and transfer data between SAP systems. This includes programs such as tp and R3trans that are called upon by the Change and Transport System (CTS) and Transport Management System (TMS). Missing authorization checks in this part of the Kernel could enable some users to access sensitive functions through the escalation of privileges.

4 Appendix: SAP Security Notes, May BC-CTS-TLS Missing authorization check in KERNEL BC-JAS-SEC Update 1 to security note BC-JAS-SEC-UME Update 1 to Security Note BC-BSP Update 1 to security note CRM-BF-TM Unauthorized modification of displayed content in CRM-BF-TM CRM-IC-ADR Unauthorized modificat. of displ. content in CRM-IC-ADR XAP-MBA-DSD Unauthorized modification of displayed content in MDSD Admin IS-M Unauthorized modification in ITS-Services in IS-M IS-M Unauthorized modification in BSP applications in IS-M CRM-IC-FRW Unauthorized modification of displayed content in IC_BASE PP-MES Unauthorized modification in SICF-services in PP-MES PPM-PRO Unauthorized modification of displayed content in PPM-PRO CA-GTF-SP-GEN Unauthorized modification in CA-GTF-SP-GEN SLC-REG Unauthorized use of application functions in SLC-REG CRM-IPS-BTX Unauthoried modification in BSP application in CRM-ISP-BTX CRM-MKT-SEG-IEX Unauthorized modification of displayed content in CRM_MKTIME SRM-SUS Unauthorized modification of displayed content in SRM-SUS SRM-EBP-BID Unauthorized modification of displayed content in SRM-EBP CRM-BF-CFG Unauthorized modification of displayed content in IPC UI CRM-IFS Unauthorized modification of displayed content in CRM-IFS EP-PCT-PUR-BP Unauthorized modification in BSP applicat. of EP-PCT-PUR-BP SRM-EBP-CA-ATT Malicious modification of SRM attachment url CRM-MD-PRO-OBJ Unauthorized modification of BSP in CRM-MD-PRO-OBJ

5 Appendix: SAP Security Notes, May CRM-IC-OBJ Unauthorized modification of BSP in CRM-IC-OBJ CRM-MD-PRO Unauthorized modification of BSP in CRM-MD-PRO IS-A-DP-VMS Unauthorized modification of BSP in Webdocuments IS-A-DP-SPP Unauthorized modification of BSP in Webdocuments IS-A-DP-WTY Unauthorized modification of BSP in Webdocuments FS-CD Unauthorized change of contents displayed in agency collctns CRM-BTX-PRV-DUI Unauthorized modificat. of displ. content in CRM-BTX-PRV-DUI EP-PCT-MGR-CO Unauthorized modification in BSP appl. in EP-PCT-MGR-CO CO-OM Unauthorized modification in BSP application in CO-OM EP-PCT-SD-S XSS: Source code commented out incorrectly on BSP pages SRM-EBP-CAT Unauthorized modification of displayed content in SRM-EBP PA-ER Unauthorized modification of stored content in E-Recruiting PLM-PPM-PDN Unauthorized modification of displayed content inplm-ppm-pdn CRM-IC-EMS Unauthorized modification in BSP application in CRM-IC-EMS SRM-ROS ROS: Unauthorized modification in BSP application CRM-MKT-MPL-CA Unauthorized modification in BSP application CRM-MKT-MPL-CA CRM-BF-SVY Unauthorized modification in BSP application in CRM-BF-SVY CRM-CHM Unauthorized modification of displayed content in CRM-CHM CRM-BTX-ACT Unauthorized modification in CRM Activity FIN-SEM-CPM-BSC Unauthorized modification in BSP application in FIN-SEM-CPM CRM-BF-BRF-RM Unauthorized modification in CRM Rule builder(crm-bf-brf-rm) CA-DMS Unauthorized modification of BSP in Webdocuments () CRM-IPS-ICM-ACT Unauthorized modification of displayed content in ICM IS-U-WA Unauthorized modification in ITS-Service in IS-U-WA PP-KAB Unauthorized modification in ITS-Service in KANBAN SCM-APO-CA-COP Unauthorized modification in ITS-Service in SCM-APO-CA-COP PA-ER Unauthorized use of application functions in HRRCF_START_EXT PPM-PRO Unauthorized modificatn of displayed content in PPM-PRO (1)

6 Appendix: SAP Security Notes, May BW-BCT-ISR-AA Unauthorized modif. of stored content in RSBCT_RFASH_ALI PLM-CFO Unauthorized modification of displayed content in PLM-CFO(9) PLM-CFO Unauthorized modification of displayed content in PLM-CFO(8) PLM-CFO Unauthorized modification of displayed content in PLM-CFO(7) PLM-CFO Unauthorized modification of displayed content in PLM-CFO(6) PLM-CFO Unauthorized modification of displayed content in PLM-CFO(5) PLM-CFO Unauthorized modification of displayed content in PLM-CFO(4) PLM-CFO Unauthorized modification of displayed content in PLM-CFO(3) PLM-CFO Unauthorized modification of displayed content in PLM-CFO() BC-FES-ITS Unauthorized modification of displayed content in ITS CRM-BF-WST Unauthorized modification of content in WS_DESIGN_TOOL CRM-MD-BP-CCP Unauthorized modification of the content in CRM-MD-BP-CCP CRM-MKT-SEG-TGR Unauthorized modification of displayed content in CRM_MKT CA-GTF-PCF Unauthorized modification of displayed content in CA-GTF-PCF CRM-IT Unauthorized modification of stored content in CRM_IT_DEALER CRM-BTX-BF Unauthorized modification in CRM Business Transactions CRM-IC-FRW Unauth. mod. of displayed content in Interaction Center Frw IS-U-CS Unauthorized modification of stored content in IS-UT CRM-IC-SCR Unauthorized modification of displayed content in CRM-IC-SCR CRM-BF-ML Unauthorized modification of displayed content in CRM CRM-BF Unauthorized modification of displayed content in CRM_BSP CRM-MKT Unauthorized modification of displayed content in CRM-MKT SCM-BAS-UIF Unauthorized modification of displayed content in ICH BC-CCM-MON-SLG Directory Traversal in SAP System Log CRM-IC-ABO Unauthorized modification of displayed content in CCMP_RABOX BW-PLA-BPS-WIB Unauthorized execution of application funcs. in BW-PLA-BPS PLM-CFO Unauthorized modification of displayed content in PLM-CFO( PLM-CFO Unauthorized modification of displayed content in PLM-CFO(13

7 Appendix: SAP Security Notes, May PLM-CFO Unauthorized modification of displayed content in PLM-CFO( PLM-CFO Unauthorized modification of displayed content in PLM-CFO( PLM-CFO Unauthorized modification of displayed content in PLM-CFO( BW-BCT-CRM Unauthorized modification in BSP applications in BW-BCT-CRM PPM-PRO Unauthorized modification of displayed content in PPM PE-LSO-LPO Unauthorized modification in BSP application in PE-LSO-LPO CA-GTF-IC-SCR Unauthorized modification in BSP in CA-GTF-IC-SCR CA-GTF-IC-SCR Unauthorized modification in BSP in CA-GTF-IC-SCR PA-EC-JP Unauth. modification of displayed content in Job Pricing PA-EC-BD Unauth. modification of displayed content in Budgeting SLC-SUP Unauthorized modification of displayed content in SLC-SUP CRM-CIC-CAM Unauthorized modification of content in CRM-CLM applications PPM-PFM Unauthorized modification on document url in PPM CRM-CIC Unauthorized modification of content in CRM-CIC applications PA-PD-PM Unauthorized modification of stored content in PA-PD-PM XX-PROJ-FI-CA Unauthorized modification of BSP in FI-CA CRM-MKT-MPL-CA- BRE Unauthorized modification in CRM-MKT-MPL-CA-BRE CRM-BTX-GWI Unauthorized modification of stored content in CRM-BTX-GWI EPM-BFC-TCL Potential remote code execution in Financial Consolidation CRM-MKT-MPL-CA- MOD Unauthorized modification in CRM-MKT-MPL-CA-MOD CRM-MKT-MPL-CA- BRE Unauthorized modification in component CRM-MKT-MPL-CA-BRE CRM-ANA-SRV-BW Unauthorized modification of disp. content in CRM-ANA-SRV-BW EP-PCT-MAN-M Unauthorized modification in BSP application in PlantManager CRM-IC-ABO Unauthorized modification of content in CRM_CIC_RABOX BC-BSP Unauthorized modification of displayed content in BSP BW-BCT-EPM Unauthorized modification of stored content in BI_CONT BW-BCT-PSM Unauthorized modification of displayed content in BW-BCT-PSM

8 Appendix: SAP Security Notes, May FIN-SEM-CPM Unauthorized modification of displayed content in FIN-SEMCPM FS-BA-TO-ME code injection vulnerability in module editor CA-SUR Unauthorized modification of displ content in Web Request BC-SEC-SSF Unauthorized modification of displayed content in BSP apps PA-EC-BD Unauthorized modification displayed content ECM_BSP_LIBRAY CRM-BTX-ACT Unauthorized modification of displayed content in Calendar BC-ABA-SC Potential denial of service in DIAG Processor CA-GTF-IC-BRO Unauthorized modification in BSP in CA-GTF-IC-BRO BW-BEX-ET-WEB Directory traversal with unauthorized modification in BW FI-FM Missing authorization check in FI-FM CRM-ISE-SRE Unauthorized mod. of displayed content in Web.Req. toolbox CRM-ISE-WBF Unauthorized mod. of displayed content in UAD_xx BC-DWB-WD-ABA Unauthorized modification of displayed content in Web Dynpro PA-PA-JP Unauthorized modification in ITS-Service PA-PA-KR Unauthorized Modification in ITS-Service in PA-PA-KR BC-FES-GUI Generic low level functionality in SAP GUI CRM-BTX-ERP Unauthorized modification of content in configuration CRM-BTX-BF-ATP Unauthorized modification of content in gatp pop-up BC-WD-JAV Unauthorized Modification of Displayed Content in Web Dynpro EP-PDK-HBJ Unauthorized Modification of Displayed Content in HTMLB CRM-BF-WFI Unauthorized modification in SICF-service in CRM-BF-WFI CRM-BTX-ERP Unauthorized modification of content in ERP print preview CRM-BF-ACI Unauthorized modification of content in order print preview SLL-LEG-CUS Cross-Site-Scripting (XSS) in GTS Dashboard possible CRM-BF-COM Unauthorized modification of displayed content in CRM CM CA-GTF-PCF Unauthorized modification of stored content in CA-GTF-PCF PLM-CFO Unauthorized modification of displayed content in PLM-CFO(1) BW-BEX-ET Unauthorized modification of displayed content in BW-BEX-ET

9 Appendix: SAP Security Notes, May SRM-SUS Unauthorized modification in BSP application/sicf Service FI-TV-PL Unauthorized modification of displayed content in FI-TV-PL CRM-BF-COM Unauthorized modification of displayed content in CRM CM CRM-MKT-DAM Unauthorized modification of BSP in CRM-MKT-DAM CRM-BF-COM Unauthorized modification of displayed content in CRM CM CRM-BF-ML Unauthorized modification of displayed content in CRM IS-M-AMC Cross site scripting vulnerability in BSP pages for AMC BC-SRV-RM Unauthorized modification of stored content in BC-SRV-RM SRM-EBP-CON Unauthorized modification of stored content in SRM-EBP-CON PA-PA-CN Security: XSS vulnerability in SAP GUI for HTML CRM-ISE-WBF Unauthorized mod. of displayed content in CRM-ISE-WBF CRM-BF-ML Unauthorized modification of displayed content in CRM CRM-BF-ML Unauthorized modification of displayed content in CRM CA-EPT-ANL-LST URL in Launchpad-Navigation can be malformed BC-SRV-SSF Unauth. modification of displayed content in BC-SRV-SSF BC-SRV-GBT-ALM Unauthorized modif. of displayed content in BC-SRV-GBT-ALM CRM-ANA-PS Unauthorized modification of displayed content in BW-CRM BC-SRV-KPR-RET Unauthorized modification of displayed content in BC-SRV-KPR BC-SRV-RM Unauthorized modification of stored content in BC-SRV-RM BC-MOB-MI Unauthorized modification of displayed content in BC-MOB-MI BC-DOC-TER Potential loss of integrity in web app Terminology Tools PA-PD-PM Unauthorized modification of stored content in PA-PD-PM BC-BSP Unauthorized modification of displayed content in BSP SCM-EWM-RF Unauthorized use of application functions in SCM-EWM-RF BW-BEX-OT-MDX MDX: SOAP / XMLA interface and Document Type Definitions BC-MOB-MI Unauthorized modification of displayed content in BC-MOB-MI BC-MID-ICF Unauth. modification of displayed content in ICF Recorder IS-CC Potential modification of persisted data in SAP CC

10 Appendix: SAP Security Notes, May EP-PCT-PUR-BP Buyer: Sec. note for cross-site scripting & BSP applications BC-DB-SDB Potential info. disclosure and code execution in sapdbctrl CA-GTF-TS-WSI Unauthorized modification of stored content in CA-GTF-TS-WSI BC-WD-ABA Unauthorized modification of displayed content in WebDynpro FS-CD Unauthorized modification of displayed content agency coll BC-BSP XSS vulnerability in BSP system BC-WD-UR Unauthorized modification of displayed content in UR CA-GTF-IC-SCR Unauthorized modification in BSP in CA-GTF-IC-SCR BC-BSP Unauthorized modification of displayed content in BSP pages CA-WUI-UI-TAG Unauthorized modification of stored content in WEBCUIF CRM-ISA Potential runtime problems after manipulation of isa_relogin BC-SRV-ARL Unauthorized modification of stored content in BC-SRV-ARL EP-PIN Portal XSS Encoding Library - StringUtils BI-BIP-CMC Unauthorized modification of displayed content in BOE BC-ESI-WS-ABA- CFG Unauthorized modification of displayed content in UDDIClient PLM-CFO Update # to Security Notes PLM-CFO Update # to Security Notes BI-BIP-OP Potential denial of service in BusinessObjects Enterprise CRM-IC-CAM Unauthorized modification in BSP in CRM-IC-CAM FI-AP Obsolete ITS services in FI-AR/AP BW-BCT-PLA-RAP Unauthorized modification of displayed content in BW-BCT-PLA SRM-EBP-CA-ATT Malicious modification of displayed SRM attachments SLC-SUP SLC: Unauthorized modification in BSP application SRM-EBP-BID Unauthorizd modification in ITS services SRM-EBP-TEC-ITS Unauthorized modification in ITS-Services in SRM CA-WUI-APF Unauthorized modification of content in transaction launcher IS-M-AMC Unauthorized modification of displayed content in IS-M-AMC CRM-ISE-WBF Unauthorized mod. of displayed content in BSP CRM_PS_SOA

11 Appendix: SAP Security Notes, May CO-OM Unauthorized modification in ITS-Services of ISR SRM-EBP-PRC Unauthorized modification in ITS-Service in SRM-EBP-PRC SRM-CMT Unauthorized modification in ITS-Service in SRM-EBP-CAT IS-HER-CM Unauthorized modification in BSP application in IS-HER-CM IS-HER-CM Unauthorized modification in BSP application in IS-HER-CM SRM-EBP-VE Unauthorized modification of displayed content in VE IS-M-AMC Unauthorized modification of displayed content in IS-M-AMC FI-AA Obsolete ITS services in FI-AA SRM-EBP-INV Unauthorized modification of ITS in SRM-EBP-INV PLM-PPM-PDN Unauthorized modification of displayed content PLM-PPM-PDN SRM-EBP-APM Unauthorized modification of displayed content in APM CRM-IC-EMS-RUL Unauthorized modification in BSP app in CRM-IC-EMS-RUL PS-CLM Unauthorized modification in ITS-Service in PS-CLM FIN-CGV-MIC Migration to new XSS-Library PS-CON Unauthorized modification in ITS-Service in PS FIN-SEM-CPM Unauthorized modification of displayed content in SEM-CPM SRM-EBP-CAT Unauthorized modification in ITS-Services in BBP EP-PIN-RTC Missing authorization check in RTC BC-WD-CMP-FPM Missing authorization check in BC-WD-CMP-FPM SRM-LA Unauthorized modification of displayed content in SRM-LA CRM-IC-FRW Unauthorized modification in BSP in CRM-IC CRM-IC-SCR Unauthorized modification in BSP in CRM-IC-SCR SRM-EBP-CGS BBP_PM01 ITS service vulnerable to XSS attack FI-AA Unauthorized modificatn of displayed content FI-AA (EA-APPL) CRM-ANA-MKT-CLV Unauthorized modification in BSP appl. in CRM-ANA-MKT-CLV CA-DMS Unauthorized modification of BSP in Webdocuments CRM-ANA Unauthorized modification of BSP in CRM-ANA SRM-EBP-PD Unauthorized modification of displayed content in SRM

12 Appendix: SAP Security Notes, May PPM-PFM Unauthorized modification of displayed content in PPM-PFM IS-A-SWP Unauthorized modification in ITS-Services in SWP CRM-IC-FCA Unauthorized modification of BSP in CRM-IC-FCA SRM-EBP-WFL Unauthorized modificat. of displayed content in SRM-EBP-WFL FIN-BA Unauthorized modification of displayed content in FIN-BA CRM-MD-BP-CCP Unauthorized modification of BSP in CRM-MD-BP-CCP SRM-EBP-PRO Unauthorized modification of stored content in SRM-EBP-PRO SRM-EBP-CA-SIG Unauthorized modification of BSP in SRM-EBP-CA-SIG CRM-IPS-BTX-APL Unauthorized modification of BSPs in CRM Grantor Management QM Unauthorized modification of ITS in QM FIN-FSCM-BD Unauthorized modification of displayed content in FSCM BD CRM-IU Unauthorized change of displayed content in CRM-IU IS-A-SWP Unauthorized modification in ITS-Services in SWP IS-OIL-DS-SSR Unauthorized modification in ITS-Service in IS-OIL-DS-SSR IS-ADEC-BOQ Unauthorized modification in ITS-Service in IS-ADEC-BOQ SRM-SUS SUS: Unauthorized modification in BSP application SRMSUS PA-PA-SG Security: XSS vulnerability in SAP GUI for HTML PPM-PRO Unauthorized modification of displayed content in PPM-PRO PA-PA-AU Security: XSS vulnerability in SAP GUI for HTML CRM-ANA-BOJ-UI Unauthorized modification of BSP in CRM-ANA-BOJ-UI CRM-MKT-ML Unauthorized modification of BSP in CRM-MKT-ML CRM-MKT-MPL Unauthorized modification of BSP in CRM-MKT-MPL CRM-MKT-MPL-TPM- TPO Unauthorized modification of displayed content in TPO CRM-MD-BP-PCU Unauthorized modification of BSP in CRM-MD-BP-PCU PA-PA-IN Security: XSS vulnerability in SAP GUI for HTML BC-SRV-BTF Unauthorized modification of displayed content in BTF-Editor CRM-IPS-ICM-CMG Unauthorized modification of displayed content in ICM CRM-MKT-MPL-CAL Unauthorized modification of display content in MKT Calendar

13 Appendix: SAP Security Notes, May SRM-EBP-ADM-USR Unauthorized modification of ITS in SRM-EBP-ADM-USR IS-HER-CM Unauthorized modification of ITS in IS-HER-CM BW-WHM Update 1 to security note PLM-CFO Update 1 to security note EPM-SA Missing Authorization check in OPMFND PP-MES Missing authorization check in PP-MES SV-SMG-SDD Code injection vulnerability in SV-SMG-SDD CRM-MW-MBX HTTP verb tampering issue in Java MapBox PE-LSO-LPO Security fix for BSP application HCM_LEARNING BC-JAS-ADM-ADM Missing authorization check in NWA BC-BMT-BRM-ENG Explicit Scope Declaration issues in BRMS-CORE

14 Layer Seven Security Layer Seven Security specialize in SAP security. We serve customers worldwide to protect information assets against internal and external threats and comply with industry and statutory reporting requirements. The company fuses technical expertise with business acumen to deliver unparalleled audit, consulting and vulnerability assessment solutions targeted at managing risks associated with contemporary SAP systems. Our consultants have an average of ten years of experience in field of SAP security and proficiency in regulatory compliance including Basel II, GLBA, HIPAA, FISMA, PIPEDA, PCI DSS and SOX. The company is privately owned and headquartered in Toronto, Canada. Address Westbury Corporate Centre Suite Upper Middle Road Oakville, Ontario L6H 0C3, Canada Web Telephone

15 Copyright Layer Seven Security 01 - All rights reserved. No portion of this document may be reproduced in whole or in part without the prior written permission of Layer Seven Security. Layer Seven Security offers no specific guarantee regarding the accuracy or completeness of the information presented, but the professional staff of Layer Seven Security makes every reasonable effort to present the most reliable information available to it and to meet or exceed any applicable industry standards. This publication contains references to the products of SAP AG. SAP, R/3, xapps, xapp, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP Business ByDesign, and other SAP products and services mentioned herein are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius and other Business Objects products and services mentioned herein are trademarks or registered trademarks of Business Objects in the United States and/or other countries. SAP AG is neither the author nor the publisher of this publication and is not responsible for its content, and SAP Group shall not be liable for errors or omissions with respect to the materials.