Layer Seven Security ADVISORY

Similar documents
Layer Seven Security ADVISORY

Layer Seven Security ADVISORY

Layer Seven Security ADVISORY

Layer Seven Security ADVISORY

Layer Seven Security ADVISORY

Layer Seven Security ADVISORY

Layer Seven Security ADVISORY

Layer Seven Security ADVISORY

Layer Seven Security ADVISORY

Layer Seven Security ADVISORY

Layer Seven Security ADVISORY

Layer Seven Security ADVISORY. SAP Security Notes

Layer Seven Security ADVISORY

Layer Seven Security ADVISORY

Layer Seven Security ADVISORY

Layer Seven Security ADVISORY

Layer Seven Security ADVISORY

SAP Cybersecurity Solution Brief. Objectives Solution Benefits Quick Facts

Inception of the SAP Platform's Brain Attacks on SAP Solution Manager

Attacks based on security configurations

Preventing vulnerabilities in HANAbased MARCH TROOPERS SECURITY CONFERENCE

Disclosure Management. Default font on styles in Disclosure Management

Disclosure Management US SEC. Preview

SAP Audit Guide for Basis

ADM960. SAP NetWeaver Application Server Security COURSE OUTLINE. Course Version: 10 Course Duration: 5 Day(s)

How to Download Software and Address Directories in SAP Service Marketplace

ADM960. SAP NetWeaver Application Server Security COURSE OUTLINE. Course Version: 15 Course Duration: 5 Day

Quality Inspection Engine (QIE) Security Guide

SAP Discovery System V5 Users and Passwords

How the Standard Integration between SAP EM and SAP TM Can Be Tested with SE37

Moving BCM to different IP range

How to Work with Analytical Portal

EP200. SAP NetWeaver Portal: System Administration COURSE OUTLINE. Course Version: 10 Course Duration: 5 Day(s)

How can a Reference Query Be used?

Crystal Reports 2008 FixPack 2.4 Known Issues and Limitations

ADM100 AS ABAP - Administration

A Sample PhoneGap Application Using SUP

SAP Security. BIZEC APP/11 Version 2.0 BIZEC TEC/11 Version 2.0

Single Sign-on For SAP NetWeaver Mobile PDA Client

Information platform services Installation Guide Information platform services 4.0 Support Package 4

Creating Application Definitions in Hana Cloud Platform Mobile Services

HA200 SAP HANA Installation & Operations SPS10

Message Alerting for SAP NetWeaver PI Advanced Adapter Engine Extended

BW Workspaces Data Cleansing during Flat File Upload

SAP BusinessObjects Explorer API Guide SAP BusinessObjects Explorer XI 3.2 SP2

SAP Directory Content Migration Tool

Automated Java System Post-Copy Configuration Using SAP Landscape Management 3.0, Enterprise Edition

ADM950. Secure SAP System Management COURSE OUTLINE. Course Version: 10 Course Duration: 2 Day(s)

Managing Substitutions in My Inbox 2.0 app

Passing Parameters via Web Dynpro Application

How to Enable Single Sign-On for Mobile Devices?

How to Use a Customer Specific UIBB in MDG Application 'Create Change Request' Author: Matthias Hubert Company: SAP Created on 5th July 2013

What are Specifics Concerning the Creation of New Master Data?

Upgrade MS SQL 2005 to MS SQL 2008 (R2) for Non-High-Availability NW Mobile ABAP System

Dashboards Batch Utility User Guide

How To Configure IDoc Adapters

SAP BusinessObjects Predictive Analysis 1.0 Supported Platforms

SAP Fiori Toolkit. Marc Anderegg, RIG, SAP February, Provided by Rapid Innovation Group (RIG)

How to Find Suitable Enhancements in SAP Standard Applications

How-to guide: OS Command Adapter

Duplicate Check and Fuzzy Search for Accounts and Contacts. Configuration with SAP NetWeaver Search and Classification (TREX) in SAP CRM WebClient UI

Using Xcelsius 2008 with SAP NetWeaver BW

SAP BusinessObjects Integration Option for Microsoft SharePoint Getting Started Guide

How to Set Up Data Sources for Crystal Reports Layouts in SAP Business One, Version for SAP HANA

Exploiting new default accounts in SAP systems

SMP541. SAP Mobile Platform 3.0 Native and Hybrid Application Development COURSE OUTLINE. Course Version: 15 Course Duration: 5 Day(s)

SAP NetWeaver Identity Management Identity Center Minimum System Requirements

TABLE DISTRIBUTION IN HANA HANA. SAP Active Global Support, June 2012

ADM920 SAP Identity Management

GRC100. GRC Principles and Harmonization COURSE OUTLINE. Course Version: 10 Course Duration: 2 Day(s)

Installing SAP NetWeaver Mobile Client (eswt) on a Storage Card

Visual Composer for SAP NetWeaver Composition Environment - Connectors

SAP Security In-Depth

Testing Your New Generated SAP NetWeaver Gateway Service

Obtain Configuration Parameters for LPD_CUST Provide the base path of your BSP application (1/2)

SAP Afaria Post- Installation Part 1

SAP BusinessObjects Dashboards 4.0 SAP Crystal Dashboard Design 2011 SAP Crystal Presentation Design 2011

Business Objects Integration Scenario 2

SAP BusinessObjects Dashboard Design Component SDK Installation Guide

Data Handling in the SAP NetWeaver System Landscape Directory Step by Step

BC100. Introduction to Programming with ABAP COURSE OUTLINE. Course Version: 15 Course Duration: 2 Day(s)

Manual Activities of SAP Note Globalization Services, 2012/06/05

How to Configure Fiori Launchpad and Web Dispatcher to Support SAML2 Using SAP Identity Provider Step-by-Step

Create and run apps on HANA Cloud in SAP River RDE

How To...Consume HANA Models with Input Parameters in BW Virtual Providers

CREATION AND CONFIGURATION OF WEB SERVICE FROM RFC AND DEPLOYMENT IN ANOTHER SYSTEM

SAP BusinessObjects Performance Management Deployment Tool Guide

Duet Enterprise: Tracing Reports in SAP, SCL, and SharePoint

BC404. ABAP Programming in Eclipse COURSE OUTLINE. Course Version: 15 Course Duration: 3 Day(s)

AFA461 SAP Afaria 7.0 System Administration (SP03)

How-to Connect your HANA Cloud Platform Mobile Service Account to your On-Premise OData Service

Enterprise Search Extension for SAP Master Data Governance

Configuring relay server in Sybase Control Center

SAP Plant Connectivity 2.2

How to Guide to create Sample Application in IOS using SUP ODP 2.2

How to Handle the System Message in SAP NetWeaver Mobile 7.1

SAP BusinessObjects Enterprise Upgrade Guide

TBW60. BW: Operations and Performance COURSE OUTLINE. Course Version: 10 Course Duration: 5 Day(s)

SAP ME Build Tool 6.1

SAP Sybase Replication Server Change DATA Capture Configuration. Example Configuration

Transcription:

Layer Seven Security ADVISORY SAP Security Notes October 2015

SAP released a batch of emergency fixes for the Download Manager (SDM) application through Notes 2235412 and 2233617 in October. The Notes appeared to have been hastily released in response to an event that SAP described as an irresponsible disclosure by a security researcher. In other words, the researcher did not follow standard disclosure practices that forewarn the SAP Product Security Response Team for newly discovered security vulnerabilities and provide sufficient time to develop, test and release appropriate security fixes before public disclosures. SDM is used to transfer installation and other files from the SAP Support Portal. Customers are strongly advised to implement version number 2.1.142 of SDM to remove a dangerous flaw that exposes the application to manin-the-middle, directory traversal and other attacks. SAP Security Notes October 2015 There were also several important Notes released for serious vulnerabilities impacting SAP HANA. Given the strategic importance of HANA for SAP, many of these vulnerabilities received a great deal of press attention. The most critical vulnerability was a remote code execution flaw addressed by Note 2197428. Customers should limit network access to the SQL and XS ports to prevent connections from unknown sources. Notes 2197459 and 2216869 deal with vulnerabilities that could impact the integrity of HANA logs and allow brute-force attacks against the SYSTEM user. Patches are bundled in the relevant Support Packages referenced in the Notes. The patches include two new parameters to support password locks for the SYSTEM user and prevent the disclosure of detailed information for failed logon attempts

SAP Security Notes by Vulnerability Type Note 2203591 provides recommendations for securing the RFC connection between TREX or BWA installations and BW systems. This connection could be abused to execute OS commands on TRX/ BWA hosts. The solution requires maintaining entries in the access control list of the reginfo file on the T R X / B W A h o s t. T h i s w i l l r e s t r i c t communication for the registered program of the TRX/ BWA host to internal and local scenarios only. Finally, 2149706 removes an information disclosure in the System Landscape Directory (SLD) of Java Application Servers. The vulnerability could be exploited to disclose host names and SAP System IDs (SIDs) through the user interface of the SLD. This information is often required to perform targeted attacks against SAP systems.

Appendix: SAP Security Notes, October 2015 PRIORITY NOTE AREA DESCRIPTION HOT NEWS 2235412 HOT NEWS 2233617 Security Vulnerabilities in SAP Download Manager Security Vulnerabilities in SAP Download Manager HOT NEWS 2197428 HAN-DB Potential remote code execution in HANA HIGH 2179615 CA-VE-VEV Potential remote code execution in SAP 3D Visual Enterprise Author, Generator and Viewer HIGH 2194730 BC-SRV-MCM Multiple vulnerabilities in SAP Mobile Document Android Client HIGH 2195595 BC-BSP Multiple security vulnerabilities in SAP NetWeaver BSP Logon HIGH 2197459 HAN-DB Potential log injection vulnerability in SAP HANA audit log HIGH 2203591 BC-TRX TREX/BWA installation can be attacked via RFC-Gateway HIGH 1983443 FI-AP-AP-B1 Missing authorization check in FI-AP-AP-B1 HIGH 2149706 BC-CCM-SLD Potential information disclosure relating to NW AS Java HIGH 2159481 SD-SLS-GF Missing authorization check in Sales Order Monitor (VA06) HIGH 2219924 FI-AP-AP-B1 Missing authorization check in FI-AP-AP-B1 HIGH 2216869 HAN-DB-SEC Security improvement of HANA authentication HIGH 2215605 FI-AP-AP-B1 Missing authorization check in FI-AP-AP-B1 MEDIUM 1937165 FI-BL-PT-US Directory traversal in FI-BL-PT-US / FI-BL-PT-PR MEDIUM 2053788 BC-MOB-MI-SER Missing authorization check in RFC enabled function module - BC-MOB-MI-SER MEDIUM 2193214 BC-MID-ICF Potential false redirection of Web site content in SAP Internet Communication Framework MEDIUM 2189853 BC-MID-ICF SAP Internet Communication Framework fails to validate HTTP_WHITELIST MEDIUM 1957910 BC-CCM-FIL Directory traversal in BC-CCM-FIL MEDIUM 2103389 BC-VMC Missing authorization check in BC-VMC MEDIUM 2164133 BC-FES-IGS Potential remote termination and denial of service in IGS MEDIUM 2226028 MOB-SDK-SEC Potential information disclosure relating to ios mobile applications MEDIUM 2223028 FI-GL-GL-G Missing authorization check in FI-GL-GL-G MEDIUM 2170806 MOB-SDK-ODP DataVault password retry count resets incorrectly MEDIUM 2074276 XX-SER-SAPSMP- SDM XX-SER-SAPSMP- SDM XX-SER-SAPSMP- SDM Potential information disclosure relating to user logon data that is used in SAP Download Manager MEDIUM 2193389 BC-CCM-BTC Potential modif./disclosure of persisted data in SAP Batch Processing MEDIUM 2029397 CRM-ISA-R3 Missing authorization checks for RFC in E-commerce ERP applications MEDIUM 2061129 FIN-FSCM-DM Missing whitelist check in SAP Dispute Management

Layer Seven Security empowers organisations to realize the potential of SAP systems. We serve customers worldwide to secure systems from cyber threats. We take an integrated approach to build layered controls for defense in depth Address Westbury Corporate Centre Suite 101 2275 Upper Middle Road Oakville, Ontario L6H 0C3, Canada Web www.layersevensecurity.com Email info@layersevensecurity.com Telephone 1 888 995 0993

Copyright Layer Seven Security 2015 - All rights reserved. No portion of this document may be reproduced in whole or in part without the prior written permission of Layer Seven Security. Layer Seven Security offers no specific guarantee regarding the accuracy or completeness of the information presented, but the professional staff of Layer Seven Security makes every reasonable effort to present the most reliable information available to it and to meet or exceed any applicable industry standards. This publication contains references to the products of SAP AG. SAP, R/3, xapps, xapp, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP Business ByDesign, and other SAP products and services mentioned herein are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius and other Business Objects products and services mentioned herein are trademarks or registered trademarks of Business Objects in the United States and/or other countries. SAP AG is neither the author nor the publisher of this publication and is not responsible for its content, and SAP Group shall not be liable for errors or omissions with respect to the materials.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback