Over a million developers have joined DZone.
{{announcement.body}}
{{announcement.title}}

SAP Security Notes, April 2017

DZone's Guide to

SAP Security Notes, April 2017

Have you been affected by the latest SAP vulnerabilities? Read on to learn a little more about them, and how to patch them.

· Security Zone
Free Resource

Discover how to protect your applications from known and unknown vulnerabilities.

To help everyone who is engaged in the SAP patching process, the ERPScan research team conducted a detailed review of the released SAP Security notes. This analysis would also be helpful for companies providing SAP Vulnerability Assessment, SAP Security Audit, or SAP Penetration Testing.

SAP Security Notes April 2017 in Review

Aprils’s batch of security patches includes 17 SAP Security Patch Day Notes and 10 Support Package Notes. 5 Notes are updates to previously released Security Notes.

5 of the released SAP Security Notes has a High priority rating and 1 was assessed Hot news. The highest CVSS score of the vulnerabilities is 9.4.

SAP Security Notes Distribution by Priority


Most of the vulnerabilities belong to the SAP NetWeaver ABAP platform.

SAP Security Notes Distribution by Stack


The most common vulnerability type is Missing Authorization Check.

SAP Security Notes Distribution by Vulnerability Type


Priority vs. Application Type Distribution

The fact that SAP Systems are complex is common knowledge. However, when it comes to SAP patching, one should take it into account. To simplify this process, the ERPScan research team created a table demonstrating a distribution between priority and application area.


Hot News High Medium Low
SAP Higher Education & Research 1830630
Financial Accounting (Cili) 1959110
1951071
Logistic-General 2427949
2088593
Basis Components 2419592 2421287
2407616
1450166
2410082
2372301
2406783
2400292
2308535
2417355
2423486
2433458
2374348
Financials 2426076
Business intelligence solutions 2403010
Enterprise Portal 2387249
2323727
Financial Services 2446435
2452697
2443232
Cross-Application Components 2391018
Controlling 2318953


The Most Critical Issues of SAP Security Notes April 2017

The most critical vulnerabilities of this update can be patched by the following SAP Security Notes:

  • A Remote command execution vulnerability in SAP TREX/BWA (CVSS Base Score: 9.4). An update is available via the SAP Security Note 2419592. A Remote command execution vulnerability allows an attacker to inject code that can be executed by the application. Executed commands will run with the same privileges as the service that executed the command. The vulnerable component is integrated into more than a dozen SAP products, including flagship SAP HANA. 
  • 2421287: SAP SAPLPD has a Denial of Service vulnerability (CVSS Base Score: 7.5). An attacker can use a Denial of Service vulnerability for terminating a process of the vulnerable component. While that process is terminated from its component, nobody can use this service, which negatively influences business processes, system downtime, and, as a result, business reputation. Install this SAP Security Note to prevent the risks.
  • 2410082: SAP Web Dynpro Flash Island has an XML external entity vulnerability (CVSS Base Score: 7.5). An attacker can use an XML external entity vulnerability to send specially crafted unauthorized XML requests, which will be processed by an XML parser. An attacker can use an XML external entity vulnerability for getting unauthorized access to the OS file system. Install this SAP Security Note to prevent the risks.

SAP TREX – Patching Process

The vulnerability in the TREXNet Protocol is the most severe within the patch update as it allows the execution of some sensitive operations anonymously over the network. The executed commands can be combined to potentially get an RCE on the server. Let’s look closer at the patching process.

1. First of all, to check your version of the installed SAP TREX, go to Help -> About.

2. Click on the Details button.

The version of the TREX is 7.10 with 50 SP.

3. Go to SAP Security Note 2419592 and choose the required version of the patch. You will be redirected to the SAP Launchpad.

4. Choose your OS and download the required patch. As an example, we used Windows OS, so we downloaded TREX71_74-10004511.SAR

5. Log into the system as <trxsid>adm.

6. Extract the downloaded file using sapcar tools.

To do so, go to a folder where the patch was downloaded and execute sapcar with the command -xvf

7. Go to the extracted folder and update TREX by using the following command:

install.cmd —action=update —sid=TRX —password=ERPScanTREXPasswordAntiHacker2017 

Press Enter and wait.

8. After updating you will receive the status, SUCCESSFUL.

Note: check the logs and delete critical information like passwords stored in plain text. Check entry point OPTIONS in the log:

 OPTIONS: ['--action=update', '--sid=TRX', '--password=ERPScanTREXPasswordAntiHacker2017', '--logdir=C:\\Users\\trxadm\\AppData\\Local\\Temp\\3\\trex_install_2017-04-18_03.14.54']

Find out how Waratek’s award-winning virtualization platform can improve your web application security, development and operations without false positives, code changes or slowing your application.

Topics:
security ,sap ,vulnerabilities ,patching

Published at DZone with permission of alexander polyakov, DZone MVB. See the original article here.

Opinions expressed by DZone contributors are their own.

THE DZONE NEWSLETTER

Dev Resources & Solutions Straight to Your Inbox

Thanks for subscribing!

Awesome! Check your inbox to verify your email so you can start receiving the latest in tech news and resources.

X

{{ parent.title || parent.header.title}}

{{ parent.tldr }}

{{ parent.urlSource.name }}