SAP Security Notes April ‘18: Testing Assumptions

Today’s SAP Security Patch Day showed a moderate number of Security Notes being released compared to SAP’s regular second Tuesday of the month. 12 notes were published today, adding to a total of 16 notes released since last month’s Patch Day.

We see the appearance of the first Hot News note of the year for 2018. Four High Priority notes were released; two of which concern a vulnerability originally found by Onapsis. In fact, these notes contain updates to the originally released patch after Onapsis tested it and found it to be insufficient. It goes to show that we should never simply trust our assumptions.

The graphic below shows this month’s distribution of vulnerability types:

Reported by Onapsis – Update: Code Injection Vulnerability in Visual Composer
In our August blogpost last year we discussed a vulnerability found by Onapsis in the Visual Composer. The bug was published as a High Priority note (#2376081) with a CVSS score of 7.4. The security flaw allowed attackers to inject malicious code into the back-end application by sending a specially crafted HTTP GET-request to the Visual Composer. By simply having end users access the specially crafted URL, unwanted applications could potentially be started on the client machine by an attacker: remote code execution.

After sending the injected code, the server returned an .xlsx file (Excel) with the malicious code embedded as a formula in one of its cells. OWASP discusses the injection of code in spreadsheet cells in their page on CSV Injection. By interchanging the acronym CSV for XLSX on the OWASP page it can also be read in light of this vulnerability. The page describes which characters should be sanitized on the server side to remediate the risk. In the aforementioned SAP Security Note we read a solution: “In the export to Excel mechanism, the entire input stream received from Visual Composer is now being checked for [a] Code Injection vulnerability.”

After the patch was released by SAP, Onapsis researchers Nicolás Raus and Pablo Artuso discovered it was still possible to exploit the vulnerability. The published patch was based on an attacker sending a GET-request with query parameters. The patch could be bypassed however, by instead sending a POST-request with a body containing the code to be injected into the returned XLSX file.

SAP has re-released the original note with a reference to a newly published note (#2552318) which fixes the found bypass. Our researchers are in the process of validating whether the patch sufficiently mitigates the security flaw this time. Again, we advise evaluation of this note to ensure your employees, clients and/or partners don’t become a victim.

Hot News and High Priority
The Hot News note published this month (#2622660) bundles multiple vulnerabilities. This is something we have seen SAP do more often over the past few months. The bugs concern vulnerabilities in web browser controls that are used to display pages in SAP Business Client 6.5 PL5. Web browser controls are programmable building blocks that software developers use to embed web pages in their applications.

Vulnerabilities have been found to exist in browser controls for Microsoft’s Internet Explorer (IE) and the open source Chromium. The latter has been determined to show multiple weaknesses like memory corruption, information disclosure and more. Although the SAP note does not explicitly mention it, similar security flaws can be expected for IE.

To secure yourself against the vulnerabilities existing in the IE browser control, it is recommended to simply follow the Windows update process. This is because the browser control for IE hooks into libraries that are patched alongside other Windows updates. As for Chromium, full browser control is delivered with the SAP Business Client. To patch this control, the application of the Support Package Patches mentioned in the note are required.

Below, the remaining two High Priority notes are discussed:

• Denial of Service (DOS) in SAP Business One (#2537150) – This vulnerability has a CVSS score of 7.5. Business One is SAP’s more lightweight ERP system designed for small to medium-sized businesses. The bug actually exists in Apache, and is introduced by the use of Apache as a HTTP server in the Business One service layer. The bug allows an attacker to cause a segmentation fault by carefully sending a specific sequence of request headers to the server. A segfault happens when a program tries to read or write a memory location it is not supposed to. A segfault will crash the program. In this case, the segfault can be generated due to the absence of sufficient user input validation in the Apache function ap_get_token(). This function is allowed to search past the end of its input string causing a buffer overread. For more information, see CVE-2017-7668.

The two aforementioned notes again show the risk of using third-party (open source) libraries in proprietary software. We discussed this extensively in last month’s blog post where we talked about the risks of open source.

• [CVE-2018-2408] Improper Session Management in SAP Business Objects -CMC/BI Launchpad/Fiorified BI Launchpad (#2537150) – This vulnerability has a CVSS score of 7.3. Business Objects (BO or BOBJ) is SAP’s suite of front-end applications which allows customers to effectively process and visualize business intelligence data. The BOBJ vulnerability in this note causes existing user sessions to remain active even after their passwords have been changed. After applying the Support Package Patches mentioned in the note, password changes will be preceded by an alert warning the administrator for the termination of active sessions for the user whose password was changed. On successful password change, active sessions will then be terminated.

Conclusion
This month Nicolás Raus and Pablo Artuso from the Onapsis Research Labs have been acknowledged by SAP on their webpage for their collaboration efforts to keep improving SAP security. As always, we are working on updating the Onapsis Security Platform to incorporate these newly published vulnerabilities. This will allow our customers to check whether their systems are up to date with the latest SAP Security Notes and will ensure that those systems are configured with the appropriate level of security to meet their audit and compliance requirements.