
The other day I read about the security problem in the SAP GUI. I got it from one of the Danish computer sites (version2.dk), which had picked up the story from US-CERT. I do not follow SAP patches for security updates, since it is not my area of expertise (anymore). I therefore hope that somebody informs me if I have to do something and I should patch my PC.

The vulnerability would allow a malicious website to execute arbitrary code on the user's computer. If I read the description correctly, it means that any employee with SAP GUI installed is affected. The vulnerability is described in SAP Note 1142431.
There are two problems with this:

  • Few people upgrade their SAP GUIs, because it requires a lot of testing to verify that all functions continue to work.
  • There are a lot of users in companies of all sizes.

There are two fixes: either disable the vulnerable ActiveX component or deploy a GUI patch. Disabling the component is probably not a large problem, since this can be done via Active Directory. Installing the new GUI can cause problems because of all the testing required, and the business case looks rather bad unless it is viewed through a security ROI model.

So what can the problem be for an organization? If I as an attacker wanted to gain network access to an organization running SAP, I would send a mail to some employees with a link to a site where I had deployed code using this exploit. I would then be able to install any program on the victims' computers. The program could collect and send sensitive information to me, or simply remote-control the computer to attack other parts of the organization.

When searching the US-CERT website for SAP security problems, there are only 4 security vulnerabilities since 2007. I don't know if there are other sites to search for more information. I believe it is impressive that so few problems have been found in such a complex product. It must mean that the architecture is correct, or that nobody is doing security testing.

With only 4 SAP security errors, the IT organization does not get the same experience in rolling out patches to users as a Windows organization, where this is done automatically. The other vulnerabilities looked like they were problems on the SAP server. I therefore believe that it will take a long time before everybody has blocked the vulnerability.


2 Comments


  1. Ravish Yavagal
    Upgrade to SAP GUI for Windows 7.10. This release was created with Microsoft Visual Studio 2005, which offers additional security features which have been used for this SAP GUI release. Therefore SAP GUI for Windows 7.10 can be considered more secure than the previous releases.

    OR IF YOU HAVE OLDER VERSION OF SAP GUI.

    According to SAP Note #1142431, we should have a new version of MDrmSAP.dll, which you can download from the SAP Note.

    Below is the procedure to replace the existing dll and make the required registry changes:

    1.  Rename C:\Program Files\SAP\FrontEnd\Bw\Oleolap\MDrmSAP.dll
         to C:\Program Files\SAP\FrontEnd\Bw\Oleolap\MDrmSAP.dll.old

    2. Copy the MDrmSAP.dll attachment to C:\Program Files\SAP\FrontEnd\Bw\Oleolap

    3. Registry entry changes by executing the reg file SAP_GUI_Killbit_32bit.reg (just double click on this file). Download this file from SAP Note 1092631 – Remote vulnerabilities in SAP GUI for Windows.

    Checking the registry entry -> a new path will be added as below:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{B01952B0-AF66-11D1-B10D-0060086F6D97}]
    "Compatibility Flags"=dword:00000400 (1024)

    4.  Reboot the PC.

    1. Daniel Graversen
      Hi Ravish,
      Thanks for the guide to fixing the problem, which it is possible to fix.
      I see the problems more in how this short fix is applied throughout an organisation and how people become aware of the problem.

      /daniel

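An administrator's check for the kill bit that step 3 in Ravish's comment sets, as an added PowerShell example that is not part of the post and not from SAP. The CLSID and the 0x400 flag are the values quoted in the comment; the Wow6432Node path (the 32-bit registry view on 64-bit Windows) and the optional -Remediate switch are my own additions.

```powershell
function Test-ActiveXKillBit {
    [CmdletBinding()]
    param(
        # CLSID of the control blocked by SAP_GUI_Killbit_32bit.reg (value quoted in the comment above)
        [string]$Clsid = '{B01952B0-AF66-11D1-B10D-0060086F6D97}',
        # Bit 0x400 of "Compatibility Flags" is the kill bit that stops Internet Explorer loading the control
        [int]$KillBit = 0x400,
        # Assumption: apply the bit where it is missing (same change the .reg file makes; needs an elevated prompt)
        [switch]$Remediate
    )
    # 64-bit Windows keeps a separate 32-bit view under Wow6432Node, so check both registry views
    $paths = @(
        "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid",
        "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    )
    foreach ($path in $paths) {
        $item  = Get-ItemProperty -Path $path -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
        $flags = if ($item) { [int]$item.'Compatibility Flags' } else { $null }
        $set   = ($null -ne $flags) -and (($flags -band $KillBit) -ne 0)
        if (-not $set -and $Remediate) {
            if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
            # OR the kill bit into whatever flags are already there instead of overwriting them
            $new = [int]($flags -bor $KillBit)
            New-ItemProperty -Path $path -Name 'Compatibility Flags' -PropertyType DWord -Value $new -Force | Out-Null
            $flags = $new
            $set   = $true
        }
        [pscustomobject]@{
            Path       = $path
            Flags      = if ($null -eq $flags) { 'missing' } else { '0x{0:X8}' -f $flags }
            KillBitSet = $set
        }
    }
}

# Report only; run with -Remediate from an elevated prompt to set the kill bit where it is missing
Test-ActiveXKillBit | Format-Table -AutoSize
```

Because it only reads and writes the registry values the .reg file touches, the same function can be run by a logon script or a configuration-management tool to report which PCs in the organisation still have the control enabled.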
