Layer Seven Security ADVISORY

Transcription

1 Layer Seven Security ADVISORY SAP Security Notes June 01

2 After the turbulence in May, normal business seems to have been resumed at Waldorf. SAP released just 6 Security Notes in June. Furthermore, there was only one critical security patch stamped with SAP s highest possible priority rating. This relates to a missing authorization check in the Marketing Calendar of CRM, SAP s flagship solution for marketing, sales and customer service management. SAP has disclosed very few specifics on the vulnerability but the risk is likely to be high given the priority level and the fact that the Calendar is used to create and manage promotions and campaigns and integrates directly with other systems within an SAP landscape through RFC connections. This includes ERP and Business Warehouse. For more information, refer to Note Security flaws also plagued the IPC Server that supports SAP s CRM Mobile Sales application. Note 1675 addresses a hard-coded username and password combination in the program s source code. This backdoor can be exploited to gain unauthorized access to CRM. An attacker can specify these credentials to authenticate against the IPC server and access Mobile Sales without being assigned a legitimate account. Authorized users could use these credentials to escalate their privileges. SAP Security Notes June 01 Other Notes released by SAP in June are designed to fix directory traversal and information disclosure vulnerabilities in Mobile Sales ( and ). Directory traversal (also known as path traversal) exploits weak programming code to access commands, files, data and other resources outside the normal server directory. Note patches a directory traversal vulnerability in the Treasury Confirmation component of the SAP Public Sector Management (PSM) application. The vulnerability could be exploited to, among other things, disclose confidential information and corrupt data.

3 SAP Security Notes by Vulnerability Type Information disclosure occurs when a system leaks information through a query response or logging function that could be used by an attacker to identify vulnerabilities and build a targeted attack. The type of information disclosed can relate to host names, operating system versions, databases and installed applications. Note patches an information disclosure vulnerability in the server for SAP s Intercompany application, part of the BusinessObjects suite. This program is used to reconcile intercompany balances in real time through the Web. Without the patch, attackers are able to obtain information such as file system paths through the Intercompany web client. The Intercompany program also suffers from a missing authorization check (Note ), as does Financial Consolidation (Note ), another BusinessObjects application. Since these applications drive financial close and reporting activities in many SAP clients, customers are advised to immediately patch their systems if they have not already done so.

4 Appendix: SAP Security Notes, June 01 PRIORITY NOTE AREA DESCRIPTION CRM-MKT-MPL-CAL Missing authorization check in CRM-MKT-MPL-CAL BC-SEC Update 1 to security note CA-GTF-DOB Unauthorized modification of displayed content in CA-GTF-DOB CRM-IPS-BTX Unauthoried modification in BSP application in CRM-ISP-BTX GRC-SAC-EAM Missing authorization check in VIRSA and VIRSANH EPM-SA Unauthorized modification of displayed content in OPMFND XX-PART-ISHMED Missing authorization check in patient register BC-JAS-SEC Missing authorization check in remote security EPM-IC-GEN-ADM Unauthorized use of application functions in Intercompany EIM-DS Potential denial of service in SBOP Data Services IS-R-BD-PCT-OUT Unauthorized modification in ITS-Service WEB_PRICAT BW-BCT-PSM Potential disclosure of persisted data in BW-BCT-PSM SV-SMG-CDM Missing Authorization Check in CDMC BC-BSP Unauthorized modification of displayed content in BSP pages FS-BA-TO-ME code injection vulnerability in module editor for BA CRM-RPL-SRV Unauthorized modification in BSP application in CRM-RPL-SRV 1675 CRM-IPC Prevent Backdoors in SAP CRM Mobile Sales (IPC Server) CRM-BF-CFG Directory traversal in SAP CRM Mobile Sales (IPC Server) CA-DMS Unauthorized modification of ITS in DMS CRM-ISA Missing virus scan in CRM-ISA during data import FI-GL-GL-G Missing authorization check in FI-SL, FI-GL SCM-EWM-RF Unauthorized modification in ITS-Service in SCMEWM BC-JAS-SEC-UME Wrong setup of security policy profile when creating a user BC-ESI-SIW Missing authorization check in SIW CA-BK Missing authorization check in CA-BK (Bank) SRM-EBP-CA-UI Unauthorized modification of SICF handler in SRM-EBP-CA-UI BC-CCM-MON-ORA DBACockpit: Authorization check for SQL Command Editor

5 Appendix: SAP Security Notes, June 01 PRIORITY NOTE AREA DESCRIPTION CRM-BF-CFG Unauthorized modification of displayed content in IPC UI CRM-BF-CFG Potential information disclosure relating to Mobile Sales CA-GTF-DOB Unauthorized modification of displayed content in CA-GTF-DOB LO-AB-BSP Complaints processing: Deactivate obsolete BSP applications EP-PIN-PRT Directory traversal in Browse Deployment PSM-FG-TC Directory Traversal in Treasury Confirmation FS-CM-CB Missing authorization check in claim bundle/benefits catalog PPM-PRO Unauthorized modification of displayed content in PPM-PRO EPM-IC-GEN Unautorized access to Intercompany EPM-IC-GEN Potential information disclosure relating to INTERCOMPANY IS-A-DP Unauthorized use of application functions in Dealer portal PP-BD-RTG Missing authorization check in PP-BD-RTG IS-A-JIT Missing authorization check in JIT BC-XI-CON-SOP Untrusted XML input parsing possible in XI 1604 XAP-IC-IDM Hard-coded credentials in Codename: Edison EPM-IC-GEN Missing authorization check in Intercompany BW-BCT-PLA-MCB Unauthorized use of application functions in BW-BCT-PLA-MCB EPM-BFC-TCL Missing authorization check in Financial Consolidation BC-SEC Update 1 to security note BC-XI-IS-WKB Update #1 to Security Note SV-SMG-SDD Update 1 to security note BC-CTS-CCO Update to security note LOD-ESO-AS Potential information disclosure relating to queries LOD-ESO-AS Missing Authorization check in LOD-ESO-AS LOD-ESO-AS Missing authorization check in LOD-ESO-AS LOD-ESO-AS Potential information disclosure relating to Auction Monitor LOD-ESO-AS Potential denial of service in LOD-ESO-AS XAP-IC-IDM HTTP verb tampering issue in Codename: Edison

6 Appendix: SAP Security Notes, June 01 PRIORITY NOTE AREA DESCRIPTION LOD-ESO-AS Potential information disclosure relating to usernames BC-JAS-SEC-LGN Assertion ticket is not evaluated correctly LOD-ESO-AS Unauthorized use web application sessions in LOD-ESO-AS SLL-LEG-FUN Missing authorization check in SLL-LEG-FUN 1694 LOD-ESO-AS Missing cross tenant authorization check in LOD-ESO-AS 1690 LOD-ESO-AS Missing authorization check in LOD-ESO-AS 1660 LOD-ESO-AS Potential information disclosure relating to cached process

7 Layer Seven Security Layer Seven Security specialize in SAP security. We serve customers worldwide to protect information assets against internal and external threats and comply with industry and statutory reporting requirements. The company fuses technical expertise with business acumen to deliver unparalleled audit, consulting and vulnerability assessment solutions targeted at managing risks associated with contemporary SAP systems. Our consultants have an average of ten years of experience in field of SAP security and proficiency in regulatory compliance including Basel II, GLBA, HIPAA, FISMA, PIPEDA, PCI DSS and SOX. The company is privately owned and headquartered in Toronto, Canada. Address Westbury Corporate Centre Suite Upper Middle Road Oakville, Ontario L6H 0C, Canada Web Telephone

8 Copyright Layer Seven Security 01 - All rights reserved. No portion of this document may be reproduced in whole or in part without the prior written permission of Layer Seven Security. Layer Seven Security offers no specific guarantee regarding the accuracy or completeness of the information presented, but the professional staff of Layer Seven Security makes every reasonable effort to present the most reliable information available to it and to meet or exceed any applicable industry standards. This publication contains references to the products of SAP AG. SAP, R/, xapps, xapp, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP Business ByDesign, and other SAP products and services mentioned herein are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius and other Business Objects products and services mentioned herein are trademarks or registered trademarks of Business Objects in the United States and/or other countries. SAP AG is neither the author nor the publisher of this publication and is not responsible for its content, and SAP Group shall not be liable for errors or omissions with respect to the materials.