Dissecting SAP Patch Tuesday for June 2019
This week SAP released the June 2019 Security Notes. There is one HotNews and one critical note published. Below is the YTD Security Note distribution graph, along with a graph highlighting HotNews and critical vulnerabilities. For a full analysis of this month’s SAP Patch Day, visit the Onapsis Research Labs blog post.
#1 Impacted System and Version – HotNews
SAP Business Client; version – 6.5 PL5 and above; CVSS score 9.8
SAP Business Client is a user interface client that presents a single entry point to different SAP business applications and technologies. SAP Business Client supports single sign-on, so there is no need to login at multiple places to access different applications.
Dissecting SAP Security Note #2622660
For the first time in SAP Business Client history, starting with version 6.5, SAP has offered a Chromium web browser control based on Chromium Embedded Framework (CEF) as an alternative to Microsoft Internet Explorer. You can now use the browser control Chromium for displaying HTML content within the SAP Business Client. According to the SAP Product Security Team and the Onapsis Research Labs, SAP applications can be vulnerable if the SAP Business Client is running on an outdated Chromium application.
The CVSS score for this vulnerability is high because if the SAP Business Client release is not updated accordingly, this could lead to:
- Unplanned downtime
- A breach disclosing sensitive Information
- Memory corruption
- System information disclosure or system crash in worst cases
- Vulnerabilities with a direct impact on confidentiality, integrity and availability of the system
- Information being gathered for future attacks, possibly with more severe consequences
Learn more about the SAP Business Client on the SAP Help Portal.
#2 Impacted System and Version – Critical Note
Solution Manager, version – 7.2; CVSS score 7.1 , CVE-2019-0291
SAP Solution Manager, aka SolMan, is an SAP application that provides key support to IT infrastructure for SAP applications in a distributed environment.
Dissecting SAP Security Note #2748699
CA Introscope helps in monitoring and managing Java applications. It consists of a component called the Introscope Enterprise Manager (EM), and an Introscope Java agent is installed on the managed systems. For Solution Manager capability Monitoring and Alerting Infrastructure (MAI) the CA Introscope Enterprise Manager (EM) offers the service Introscope Push to actively push monitoring metrics from EM to Solution Manager. Introscope Push is calling a Web Service of Solution Manager that needs authentication.
The issue surrounds how the user credentials are stored, according to SAP if these credentials are compromised under certain conditions, Solution Manager 7.2 allows an attacker to access information which would otherwise be restricted. Some well-known impacts are:
- Loss of information and system configuration confidentiality
- Information gathering for further exploits and attacks
Note : As you deploy the OSS (On-line Service System, that helps users to get fast and effective help from SAP) notes, do not ignore the manual notes recommended.
Learn more about SAP Solution Manager here.
Most of the vulnerabilities fixed by SAP are reported by third-party security researchers. Thanks to the community for their contribution.
Many exploitation events are seen shortly after the release of a patch. The dark web buzz begins to pick up with the information provided by SAP Patch Tuesdays. A detailed analysis of the patch helps threat actors immediately take advantage of the previously undisclosed vulnerabilities that remain in unpatched systems.
Organizations should set aside time to deploy security patches, remember, threat actors are not waiting for you. Although the complexity of deploying security patches to production and the change management life cycle in a big enterprise is understandable, it’s equally important that external threat actors are not taking advantage of this loophole. As a recommendation, organizations should have a process for continuous monitoring around SAP vulnerabilities, while at the same time your SAP Basis and security administrators are working on patching the system.