Over the past month, several significant events have occurred in the field of SAP security, which I would like to talk about.
First, two major security conferences at which SAP security was discussed took place: BlackHat and Defcon. We (experts from the Digital Security research laboratory) took part in both, with a talk on SAP at BlackHat and a talk on VMware at Defcon. I mention the VMware talk here because it confirms that protecting SAP systems means securing not only the SAP applications themselves but the rest of the infrastructure as well.
1. Vulnerabilities in VMware at Defcon
This research was done during a penetration test of an SAP landscape. While our team naturally focused on the SAP applications, Alexander Minozhenko noticed that the SAP systems were installed on the VMware ESXi platform. That is, even if every SAP application in the landscape were protected, an attacker could still take control of all the systems by gaining access to the ESXi/vSphere management console. So he set out to find a way of gaining unauthorized access to all the virtual machines, and found one through a chain of security holes, including zero-day vulnerabilities.
Details can be found in the presentation (in English).
2. BlackHat Presentation on XXE Tunneling in SAP
At BlackHat, we talked about SSRF (Server Side Request Forgery) attacks and gave a large number of examples of them. As for SAP, we demonstrated a targeted attack that chains several vulnerabilities in sequence:
- Unauthorized access to the Dilbertmsg service
- XXE Tunneling (tunneling TCP packets through XML)
- Storing variables in XML in RWX memory
- SAP Kernel buffer overflow
A lot of information about this attack is available on the Web, from our own reports to press articles and even a video interview.
We have also written an XXE scanner that helps exploit XXE vulnerabilities; its beta version will be released and published soon.
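The attack chain above starts with an XML document whose DOCTYPE declares an external entity, and XXE tunneling relies on the parser resolving that entity. A service that never needs DTDs can refuse any entity declaration before the document reaches the application parser. The check below is an added example for this post (it is not code from the original article or from the Digital Security scanner it mentions); it uses the Python standard library's expat callbacks, the same mechanism the defusedxml project relies on, and both XML documents in it are constructed.

```python
"""Refuse XML that declares entities before it reaches the application parser.

Added example, not from the original post: a pre-parse check built on the
standard library's expat callbacks (the mechanism defusedxml also uses).
Both sample documents below are constructed for this example.
"""
import xml.etree.ElementTree as ET
import xml.parsers.expat


class EntityDeclarationError(ValueError):
    """The document declares an entity (internal or external) and was refused."""


def _reject_entity_decl(name, is_parameter_entity, value, base,
                        system_id, public_id, notation_name):
    # expat calls this for every <!ENTITY ...> in the DTD. Refusing all of
    # them covers XXE (SYSTEM/PUBLIC entities) and entity-expansion bombs.
    kind = "external" if system_id is not None else "internal"
    raise EntityDeclarationError(f"{kind} entity declaration {name!r} is not allowed")


def _reject_external_ref(context, base, system_id, public_id):
    # Defence in depth: returning 0 makes expat abort instead of resolving
    # system_id over the network or from the filesystem.
    return 0


def check_no_entities(data: bytes) -> None:
    """Raise EntityDeclarationError (or ExpatError) if `data` uses entities."""
    parser = xml.parsers.expat.ParserCreate()
    parser.EntityDeclHandler = _reject_entity_decl
    parser.ExternalEntityRefHandler = _reject_external_ref
    parser.Parse(data, True)


def is_safe(data: bytes) -> bool:
    """True when the document declares no entities and is well formed."""
    try:
        check_no_entities(data)
    except (EntityDeclarationError, xml.parsers.expat.ExpatError):
        return False
    return True


def safe_parse(data: bytes) -> ET.Element:
    """Parse with ElementTree only after the entity check has passed."""
    check_no_entities(data)
    return ET.fromstring(data)


# Constructed samples: a benign request body and one carrying an XXE
# declaration (placeholder loopback URL; nothing is ever fetched).
BENIGN = b"""<?xml version="1.0"?>
<request><method>GetStatus</method><arg>ABC</arg></request>"""

XXE = b"""<?xml version="1.0"?>
<!DOCTYPE request [ <!ENTITY ext SYSTEM "http://127.0.0.1/placeholder"> ]>
<request><method>GetStatus</method><arg>&ext;</arg></request>"""

if __name__ == "__main__":
    print("benign accepted:", is_safe(BENIGN))
    print("xxe accepted:   ", is_safe(XXE))
    print("method:", safe_parse(BENIGN).find("method").text)
```

The check deliberately rejects internal entities too; an application that genuinely needs them can relax `_reject_entity_decl` to refuse only declarations with a `system_id` or `public_id`, keeping the external-reference handler as the backstop.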
3. Martin Gallo's Defcon presentation on reversing the SAP DIAG protocol
Martin Gallo from CoreSecurity talked about decompression and fuzzing of the DIAG protocol. Many of his findings were published earlier, but now he has published details of buffer overflow vulnerabilities in the DIAG protocol. Using these vulnerabilities, an anonymous attacker could carry out a DoS attack. One of the demonstrated vulnerabilities could also lead to code execution; however, it requires the system trace level to be set to 3, which is not common in production systems.
4. Remote command injection in SAP
As readers already know, in the middle of each month SAP publishes a list of acknowledgements to security researchers who find vulnerabilities in SAP products. Researchers may publish the details of the discovered vulnerabilities on their websites three months later, which gives companies that care about their security time to install the patches.
What can happen to those who do not install patches on time is clear from this note.
Colleagues from Context IS have posted details of the command injection vulnerability in the SAP HostControl service. They say that "this vulnerability allows 100% reliable execution of arbitrary code on behalf of an SAP administrator without authentication."
The issue is that a SOAP request invoking the GetDatabaseStatus method of SAP HostControl, which can be sent anonymously with default settings (although, like many other methods, it can be disabled by adjusting the system configuration), lets an attacker inject a command: the application runs the dbmsrv.exe command line, which in turn calls dbmcli.exe with parameters taken from the SOAP request. As a result, arbitrary OS commands can be executed.
The most interesting thing is that (as we described in the SAP Security in Figures report) many companies leave this service open to access from the Internet. Speaking of numbers, 10% of companies using SAP around the world allow remote access to SAP HostControl. What will happen to these companies if cyber criminals use this security hole is, I think, easy to imagine.
As for protection, this problem can be fixed with SAP Note 1341333. However, to protect SAP HostControl from other similar attacks and from information disclosure problems, I also recommend setting the parameter service/protectedwebmethods = SDEFA. It protects the methods of this service that should not be callable remotely. Read more here.
After that, it is advisable to verify with an automated tool that the methods can no longer be called remotely.
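A small audit of the profile setting recommended above, added here as an example (it is not part of the original post and is not an SAP tool): it parses instance-profile text in SAP's key = value format and reports whether service/protectedwebmethods is set so that methods such as GetDatabaseStatus are covered. The profile contents are constructed. The post abbreviates the recommended value; SAP's documentation writes it as SDEFAULT, and the way the value is interpreted here (SDEFAULT as the protected default set, "+Name"/"-Name" to add or remove a method, or an explicit list of method names) is this example's own simplification, as is the assumption that the patched default set includes GetDatabaseStatus.

```python
"""Audit SAP profile text for the service/protectedwebmethods parameter.

Added example, not part of the original post and not an SAP tool. It reads
an instance profile in SAP's "key = value" format and checks that the web
methods which must not be callable anonymously are covered. The profiles at
the bottom are constructed. Interpretation of the value (SDEFAULT = the
protected default set, "+Name"/"-Name" adds or removes a method, otherwise an
explicit method list) is this example's simplification; confirm the exact
semantics and the contents of SDEFAULT against the relevant SAP notes.
"""
from typing import Dict, List, Optional, Tuple

PARAM = "service/protectedwebmethods"
# The method the post identifies as the injection entry point; extend as needed.
# Assumption for this example: the patched SDEFAULT set covers these methods.
MUST_PROTECT = ("GetDatabaseStatus",)


def parse_profile(text: str) -> Dict[str, str]:
    """Return parameter -> value. Lines starting with '#' are comments;
    parameter names are treated case-insensitively."""
    params: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        params[key.strip().lower()] = value.strip()
    return params


def unprotected_methods(value: Optional[str]) -> List[str]:
    """Methods from MUST_PROTECT that the given parameter value leaves exposed."""
    if value is None or not value.strip():
        return list(MUST_PROTECT)  # parameter missing or empty: nothing is protected
    tokens = value.split()
    default_set = any(t.upper() == "SDEFAULT" for t in tokens)
    added = {t[1:] for t in tokens if t.startswith("+")}
    removed = {t[1:] for t in tokens if t.startswith("-")}
    explicit = {t for t in tokens if t[0] not in "+-" and t.upper() != "SDEFAULT"}
    exposed = []
    for method in MUST_PROTECT:
        covered = (default_set or method in explicit or method in added) \
            and method not in removed
        if not covered:
            exposed.append(method)
    return exposed


def audit(text: str) -> Tuple[str, List[str]]:
    """Return (status, exposed_methods): status is 'missing', 'weak' or 'ok'."""
    value = parse_profile(text).get(PARAM)
    exposed = unprotected_methods(value)
    if value is None:
        return "missing", exposed
    return ("ok" if not exposed else "weak"), exposed


# Constructed instance profiles (SAPSYSTEMNAME and INSTANCE_NAME are real
# profile parameters; the values are made up).
PROFILE_DEFAULT = """# constructed profile: protectedwebmethods never set
SAPSYSTEMNAME = DEV
INSTANCE_NAME = DVEBMGS00
"""
PROFILE_HARDENED = """# constructed profile: the setting the post recommends
SAPSYSTEMNAME = DEV
service/protectedwebmethods = SDEFAULT
"""
PROFILE_WEAKENED = """# constructed profile: an admin has excluded the method again
SAPSYSTEMNAME = DEV
service/protectedwebmethods = SDEFAULT -GetDatabaseStatus
"""

if __name__ == "__main__":
    for name, text in (("default", PROFILE_DEFAULT),
                       ("hardened", PROFILE_HARDENED),
                       ("weakened", PROFILE_WEAKENED)):
        status, exposed = audit(text)
        print(f"{name:9s} {status:8s} exposed={exposed}")
```

Run it against a copy of each instance profile in the landscape; a "missing" or "weak" result is the case the post warns about, and the profile check is only the first half of the verification, since the running instance must also be confirmed to refuse the remote call.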
5. Remote code execution in SAP Crystal Reports and SAP BusinessObjects from ZDI
ZDI published the details of two vulnerabilities, in SAP Crystal Reports and in SAP BusinessObjects. The source says: "This bug allows an attacker to remotely execute arbitrary code on vulnerable SAP Crystal Reports systems. Authentication is not required to exploit it." The vulnerability has already been patched by SAP, and it is somewhat harder to exploit than a typical buffer overflow, since the service listens on a random port, so an attacker must first determine whether the service is present on the system.
As for the second vulnerability, in SAP BusinessObjects FI-CO, exploiting it requires the participation of a legitimate user. CVSSv2 score 7.5 (critical); the patch can be downloaded here.
6. August Security Updates
New security updates from SAP have been released, with 8 acknowledgements to external researchers, but I will write about them later.