
A Guide to Understanding the Most Impactful SAP Security Notes of 2014

Alex Horan, Product Manager
04/11/2014
2014 Onapsis, Inc. All Rights Reserved

CONFIDENTIAL

Agenda

Introductions
Purpose of Webcast
CVSS Explained
Security Note Release Review
Conclusion


Introductions

Onapsis

Company focused on the security of ERP systems and business-critical infrastructure (SAP, Siebel, Oracle E-Business Suite™, PeopleSoft, JD Edwards).

Working with large global and government organizations.

What does Onapsis do?

Innovative ERP security software (Onapsis X1, Onapsis Bizploit, Onapsis IA).

ERP security consulting services.

Trainings on business-critical infrastructure security.

Alex Horan

Product Manager

Security Presenter


Purpose of Webcast

Raising SAP Security Note awareness
SAP Security Note schedule
Security Note analysis
Security Note best practices


CVSS

http://www.first.org/cvss

The Common Vulnerability Scoring System (CVSS) is a vulnerability scoring system designed to provide an open and standardized method for rating IT vulnerabilities. CVSS helps organizations prioritize and coordinate a joint response to security vulnerabilities by communicating the base, temporal and environmental properties of a vulnerability.


January

34 Security Notes Released
Five older security notes were updated due to new security issues
  o 1687668, 1425123, 1675484, 1744747 and 1903266

Highlight Note Details
Number: 1922547
Title: Missing authentication check in NW EP iView Wizard
CVSS: 6.4 (AV:N/AC:L/AU:N/C:P/I:P/A:N)
Details: The NW Portal new iView wizard component does not contain authentication checks for verifying a user's access to some of its functions.


February
33 Security Notes Released (67 YTD)
Ten notes addressed hardcoded credentials
  o 1914777, 1915873, 1920323, 1738965, 1795463, 1768049, 1911174, 1791081, 1789569
1905408 has a CVSS of 8.3 (AV:N/AC:M/AU:N/C:P/I:P/A:C)
1846438 has a CVSS of 7.5 (AV:N/AC:L/AU:N/C:P/I:P/A:P)

Highlight Note Details
Number: 1963100
Title: Disabling execution of operating system commands using a CTC URL
CVSS: 9.0 (AV:N/AC:L/AU:S/C:C/I:C/A:C)
Details: The CTC application contains a vulnerability where any operating system command can be executed on an AS Java host using NWA credentials through a URL invocation. Typically, this requires authentication with NWA credentials. If you have not already implemented SAP Security Note 1445998, this can be done without authenticating with NWA credentials.


March
9 Security Notes Released (76 YTD)
First HANA vulnerabilities reported by a third party

Highlight Note Details
Number: 1965610
Title: Code injection vulnerability in external commands
CVSS: 7.5 (AV:N/AC:M/AU:S/C:P/I:P/A:C)
Details: The program code contains a possibility to define and execute operating system commands that change the behavior of the system. A valid and authenticated user is required. Depending on the command, the user can:
  o inject and run their own code,
  o obtain additional information that should not be displayed,
  o modify data,
  o delete data,
  o modify the output of the system,
  o create new users with higher privileges,
  o perform a denial-of-service attack.


April
23 Security Notes Released (99 YTD)
6 Notes with a CVSS score of 6.0
  o Two allow for arbitrary ABAP code execution

Highlight Note Details
Number: 1985100
Title: Code injection vulnerability in Class Enhancements
CVSS: 6.0 (AV:N/AC:M/AU:S/C:P/I:P/A:P)
Details: The program code contains a possibility to define and execute user-defined code that changes the behavior of the system. A valid and authenticated user is required. Depending on the code, the user can:
  o inject and run their own code,
  o obtain additional information that should not be displayed,
  o modify data,
  o delete data,
  o modify the output of the system,
  o create new users with higher privileges,
  o perform a denial-of-service attack.


May
17 Security Notes Released (116 YTD)
3 Notes released related to the Heartbleed vulnerability

Highlight Note Details
Number: 2015882
Title: Apache Struts 2 Vulnerability in SAP Online Banking
CVSS: Not reported by SAP; NVD reported 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0112
Details: The excluded parameter pattern introduced in Apache Struts version 2.3.16.1 to block access to the getClass() method was not sufficient. It is possible to circumvent it with specially crafted requests.
According to NVD: ParametersInterceptor in Apache Struts before 2.3.16.2 does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0094.


June
21 Security Notes Released (137 YTD)
8 Notes with a CVSS of 5.0 or higher

Highlight Note Details
Number: 2007530
Title: Invalid User Authentication in Unix SAP Content Server
CVSS: 7.5 (AV:N/AC:L/AU:N/C:P/I:P/A:P)
Details: BC-SRV-KPR-CS does not perform authentication checks when shadow passwords are enabled. This may result in undesired system behavior.


July
14 Security Notes Released (151 YTD)
Vulnerability patched in Afaria server

Highlight Note Details
Number: 2036562
Title: Potential modification of persisted data in Afaria Server
CVSS: 8.8 (AV:N/AC:M/AU:N/C:N/I:C/A:C)
Details: The problem is caused by an SQL injection vulnerability. The code composes an SQL statement that contains strings that can be altered by an attacker. The manipulated SQL statement can then be used to modify information in the database.


August
37 Security Notes Released (188 YTD)
3 Notes with a CVSS over 8.0

Highlight Note Details
Number: 2053074
Title: Potential modification of persisted data in Afaria Server
CVSS: 8.8 (AV:N/AC:M/AU:N/C:N/I:C/A:C)
Details: The problem is caused by an SQL injection vulnerability. The code composes an SQL statement that contains strings that can be altered by an attacker. The manipulated SQL statement can then be used to modify information in the database.


September
29 Security Notes Released (217 YTD)
Note published for SAP ONE CLOUD solution

Highlight Note Details
Number: 1979454
Title: Missing authorization check in Batch Input Recorder
CVSS: 6.5 (AV:N/AC:L/AU:S/C:P/I:P/A:P)
Details: Batch Input Recorder does not contain authorization checks for verifying an authenticated user's authorization to access some of its functions. This may result in undesired system behavior.


October
34 Security Notes Released (251 YTD)
Hot News item delivered

Highlight Note Details
Number: 2043404
Title: Code injection vulnerability in CRM-ISA
CVSS: 9.3 (AV:N/AC:M/AU:N/C:C/I:C/A:C) (originally released as a 7.5; updated by Note 2085139 on 28.10.2014)
Details:
The program code contains a possibility to define and execute user-defined code that changes the behavior of the system. A valid and authenticated user is not required. Depending on the code, the user can:
  o inject and run their own code,
  o obtain additional information that should not be displayed,
  o modify data,
  o delete data,
  o modify the output of the system,
  o create new users with higher privileges,
  o perform a denial-of-service attack.


Conclusion

Create a process to review new notes
Have a procedure to monitor old notes for changes
Understand the risk the notes mean for you
Reduce the risk to an acceptable level
Monitor for changes to risk
Once the above is defined, automate.


Questions?

Alex Horan: ahoran@onapsis.com
