
Dissecting SAP Patch Tuesday for July 2019

This week SAP released the July 2019 Security Notes. There is one Hot News and one critical note published. Below is the YTD Security Note distribution graph, along with a graph highlighting Hot News and critical vulnerabilities. For a full analysis of this month’s SAP Patch Day, visit the Onapsis Research Labs blog post.

#1 Impacted System and Version – Hot News

SAP Diagnostic Agent (LM-Service); Version – 7.20, CVSS v3.0 Base Score: 9.1 / 10

Solution Manager Diagnostics Agent (SMDA) is the remote component of End-to-End (E2E) Root Cause Analysis. It establishes a connection between SAP Solution Manager (SolMan), acting as the Managing System, and the Managed System(s), and then collects information from the Managed Systems for reporting purposes.

Dissecting SAP Security Note #2808158.
View Installation steps.

According to the SAP Product Security Team and the Onapsis Research Labs, SAP systems can be affected when a SolMan administrator executes OS commands through the GAP_ADMIN transaction in order to perform an analysis of an SAP system. Those commands are validated against a whitelist file located in the SMDAgent installation directory. The vulnerability allows an attacker to bypass that validation by sending a custom-crafted payload. Using this technique, the attacker could obtain full control over the SAP system by compromising the SMDAgent user, gaining access to sensitive information.
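To illustrate the validation failure mode described above, here is an added example (not SAP's or Onapsis's code; the whitelist file format and the safe-argument alphabet are assumptions) contrasting a loose prefix match, which a crafted command line slips past, with a strict per-token check that only accepts an exact allowlisted program and plain arguments:

```python
import re
import shlex

# Constructed allowlist standing in for the SMDAgent whitelist file; the real
# file's format is not described here, so "one absolute program path per line,
# '#' starts a comment" is an assumption.
WHITELIST_TEXT = """
# programs an administrator may run through the agent
/bin/ls
/usr/bin/df
"""

# Assumed conservative alphabet for arguments: no shell metacharacters.
SAFE_ARG = re.compile(r"^[A-Za-z0-9_./-]+$")


def load_whitelist(text):
    """Parse the allowlist into a set of permitted program paths."""
    paths = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            paths.add(line)
    return paths


def naive_is_allowed(command, allowed):
    """Weak check: passes any command line that merely starts with an allowed
    path, so whatever follows the path is never inspected."""
    return any(command.startswith(path) for path in allowed)


def strict_is_allowed(command, allowed):
    """Hardened check: split like a shell, require argv[0] to be an exact
    allowlisted path, and restrict every argument to SAFE_ARG. The caller must
    then execute the argv list directly (no shell) for the check to hold."""
    try:
        argv = shlex.split(command)
    except ValueError:
        return False  # unbalanced quotes or a trailing backslash
    if not argv or argv[0] not in allowed:
        return False
    return all(SAFE_ARG.match(arg) for arg in argv[1:])


if __name__ == "__main__":
    allowed = load_whitelist(WHITELIST_TEXT)
    for cmd in ("/bin/ls -l /tmp", "/bin/ls; id", "/usr/bin/df $(id)"):
        print(f"{cmd!r}: naive={naive_is_allowed(cmd, allowed)} "
              f"strict={strict_is_allowed(cmd, allowed)}")
```

The strict variant still lets an allowlisted program receive arbitrary plain-text paths as arguments, so in practice the argument policy should be tightened per program.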

The impact of this vulnerability is significant because SolMan is a centralized component in the enterprise landscape. It supports the implementation, operation, processing and optimization of business software solutions. The potential consequences are:

  • Unauthorized execution of commands
  • Sensitive information disclosure
  • Denial of Service

Most of the vulnerabilities fixed by SAP are reported by third-party security researchers. Thanks to the community for their contribution.

More Information about SAP Security Note #2808158 can be found here.
Learn more about the SAP Solution Manager on the SAP Help Portal.

#2 Code Injection vulnerability in ABAP Tests Modules of SAP NetWeaver Process Integration; CVSS v3.0 Base Score: 8.7 / 10

Extended Computer Aided Test Tool (eCATT) is used to create and execute functional tests. eCATT enables automated testing in SAP GUI for Windows and is mainly used to test the configuration settings of a business process. It is accessed via transaction code SECATT.

Dissecting SAP Security Note #2774489

According to the SAP Product Security Team and the Onapsis Research Labs, SAP applications can be vulnerable if an end user executes malicious commands with highly privileged permissions.

The impact of the vulnerability is significant; the potential consequences are:

  • Unauthorized execution of commands
  • Sensitive information disclosure
  • Denial of Service

More information about Security Note #2774489 can be found here.
Learn more about SAP eCATT.

Many exploitation events are seen shortly after the release of a patch. Dark web chatter picks up with the information provided by SAP Patch Tuesdays, and a detailed analysis of the patch helps threat actors quickly take advantage of the newly disclosed vulnerabilities on systems that remain unpatched.

Organizations should set aside time to deploy security patches; remember, threat actors are not waiting for you. The complexity of deploying security patches to production and the change management life cycle in a large enterprise is understandable, but it is equally important that external threat actors are not given this window of opportunity. As a recommendation, organizations should have a process for continuous monitoring of SAP vulnerabilities while their SAP Basis and security administrators are working on patching the systems.
