SAP Monthly Security bulletin January 2019

Critical issues closed by SAP Security Notes in January

The following SAP Security Notes can patch the most severe vulnerabilities of this update:

  • 2696233: SAP Cloud Connector has several vulnerabilities (CVSS Base Score: 9.3, CVE-2019-0246, CVE-2019-0247). An attacker can use a missing authentication vulnerability to gain access to the service and read, modify or delete information. In addition, he or she could use administrative or privileged functionality.
    The attacker can also use an OS command execution vulnerability to execute operating system commands without authorization. Executed commands run with the same privileges as the service that executed them. The attacker can access arbitrary files and directories in the SAP server filesystem, including application source code, configuration, and critical system files, and can thereby obtain critical technical and business-related information stored in the vulnerable SAP system.
    Install this SAP Security Note to prevent the risks.
  • 2727624: SAP Landscape Management has an Information Disclosure vulnerability (CVSS Base Score: 9.1, CVE-2019-0249). An attacker can use an Information Disclosure vulnerability to reveal additional information (e.g., system data, debugging information, etc.) which helps to explore the system and plan further attacks.
    Install this SAP Security Note to prevent the risks.
  • 2724788: Adobe PDF Print Library has multiple vulnerabilities (CVSS Base Score: 7.3). Depending on the vulnerability, an implementation flaw can result in unpredictable behavior and issues related to system stability and safety. The patches correct configuration errors, add new functionality and improve system stability.
    Install this SAP Security Note to prevent the risks.

SAP Cyber Threat Monthly report – October 2018

The SAP threat landscape is always expanding, putting organizations of all sizes and industries at risk of cyber attacks. The monthly SAP Cyber Threat Intelligence report provides insight into the latest security vulnerabilities and threats.

Key takeaways

  • Today SAP has released its monthly update consisting of 20 patches with the majority of them rated medium.
  • A security note addressing an Information Disclosure in SAP BusinessObjects (CVE-2018-2471) that can lead to business information leakage has received “Hot News” priority rating.
  • The most common vulnerability type is Information Disclosure.
  • SAP NetWeaver ABAP platform has 40% of all vulnerabilities fixed this month.

SAP Security Notes – October 2018

SAP has released the monthly critical patch update for October 2018. This patch update closes 20 SAP Security Notes (15 SAP Security Patch Day Notes and 5 Support Package Notes). 6 of all the patches are updates to previously released Security Notes.

This month, Information Disclosure is the largest group in terms of the number of vulnerabilities.

This month, 40% of all vulnerabilities belong to the SAP NetWeaver ABAP platform.

Information Disclosure in SAP BusinessObjects

SAP BusinessObjects BI (SAP BO, or BOBJ) is an analytics business intelligence (BI) front-end platform. Its reporting applications allow business users to search and analyze data as well as to visualize it and perform predictive analytics. The data is not stored at the application level, but is integrated.

Executing certain special CMS queries against the Central Management Server bypasses authorization checks and can result in information leakage.

The Central Management Server (CMS) is a process that runs as part of the BusinessObjects Enterprise servers; it maintains the CMS database, authenticates users, stores access rights, etc. The CMS is the heart of a BusinessObjects Enterprise system; therefore, the leakage may be critical. The attack can be carried out by an anonymous user without any rights in the system.

Critical issues closed by SAP Security Notes in October

The following SAP Security Notes can patch the most severe vulnerabilities of this update:

  • 2654905: SAP BusinessObjects BI Suite has an Information Disclosure vulnerability (CVSS Base Score: 9.8, CVE-2018-2471). An attacker can use it to reveal additional information (system data, debugging information, etc.) that helps to learn about the system and plan further attacks. Install this SAP Security Note to prevent the risks.
  • 2699726: Gardener has a Missing Network Isolation vulnerability (CVSS Base Score: 8.5, CVE-2018-2475). In the Gardener architecture, the Kubernetes apiserver of a Gardener-managed shoot cluster resides in the corresponding seed cluster. Due to missing network isolation, a shoot's apiserver can access services/endpoints in the private network of its corresponding seed cluster. Combined with other minor Kubernetes security issues, the missing network isolation can theoretically lead to the compromise of other shoot or seed clusters in the Gardener context. The issue is rated high due to the high impact of a potential exploitation in the Gardener context: an attacker who is admin in a shoot cluster could compromise the corresponding seed cluster or other shoot clusters controlled by that seed cluster. Install this SAP Security Note to prevent the risks.
  • 2674215: SAP Plant Connectivity (PCo) has a Denial of Service (DoS) vulnerability (CVSS Base Score: 8.2, CVE-2018-12585, CVE-2018-12586). An attacker can use the Denial of Service vulnerability to terminate a process of the vulnerable component. Until the service is restored nobody can use it, which negatively affects business processes and results in system downtime and reputational damage. Install this SAP Security Note to prevent the risks.

SAP Cyber Threat Monthly report – November 2018

Key takeaways

  • The recent patch update consists of 16 patches with the majority of them rated medium.
  • The most common vulnerability types are Implementation Flaw and Denial of Service.
  • This month, SAP fixes a security vulnerability in SAP HANA Streaming Analytics with Hot News priority rating (related CVEs: CVE-2018-1270, CVE-2018-1275).

SAP Security Notes – November 2018

SAP has released the monthly critical patch update for November 2018. This patch update closes 16 SAP Security Notes (12 SAP Patch Day Notes and 4 Support Package Notes). 4 of the patches are updates to previously released Security Notes.

The number of released patches is progressively decreasing.

This month, two types of security issues are prevalent: Implementation Flaw and Denial of Service are the largest groups in terms of the number of vulnerabilities.

28% of all vulnerabilities belong to the SAP NetWeaver ABAP platform.

Critical issues closed by SAP Security Notes in November

The following SAP Security Notes can patch the most severe vulnerabilities of this update:

  • 2681280: SAP HANA Streaming Analytics has a security vulnerability in the Spring Framework (CVSS Base Score: 9.9, CVE-2018-1270, CVE-2018-1275). An attacker can use a Remote Command Execution vulnerability to execute commands remotely without authorization. Executed commands run with the same privileges as the service that executed them. An attacker can access arbitrary files and directories in the SAP server file system, including application source code, configuration and critical system files, and can thereby obtain critical technical and business-related information stored in the vulnerable SAP system. Install this SAP Security Note to prevent the risks.
  • 2691126: SAP Fiori Client has multiple vulnerabilities (DoS, HTML Injection, Missing Authorization Check) (CVSS Base Score: 8.6, CVE-2018-2485, CVE-2018-2488, CVE-2018-2491, CVE-2018-2489, CVE-2018-2490). An attacker can exploit any one of the listed vulnerabilities or chain them together.
    An attacker can use the Denial of Service vulnerability to terminate a process of the vulnerable component, so that nobody can use the service. The Missing Authorization Check vulnerability can be used to access the service without going through authorization procedures and to employ restricted service functionality, which can lead to information disclosure or attacks such as privilege escalation. The Cross-Site Scripting vulnerability allows injecting a malicious script into a page. Reflected XSS relies on tricking a user into following a malicious link. In the case of stored XSS, the malicious script is injected and permanently stored in the page body, so that the user is attacked without performing any action. The malicious script can access critical information stored by the browser (including all cookies, session tokens, etc.) and used for interacting with the site. An attacker can gain access to the user's session and see all business-critical information or even take control of it. XSS can also be used to modify displayed site content without authorization.
    Install this SAP Security Note to prevent the risks.
  • 2657670: Web Intelligence Richclient 3 Tiers Mode has a Denial of Service (DoS) vulnerability (CVSS Base Score: 7.7, CVE-2018-2473). An attacker can use the Denial of Service vulnerability to terminate a process of the vulnerable component, so that nobody can use the service. This negatively affects business processes and results in system downtime and reputational damage. Install this SAP Security Note to prevent the risks.

Secnic Consultancy Services (SCS) Monthly Vulnerability Trend Report — December 2018

This report is aimed to provide customers with an overview of trends in vulnerability disclosures and announcements on a regular basis. Where applicable, the report will provide knowledge of known exploits for trending vulnerabilities and relevant courses of action. This report is not exhaustive in nature and as such, will not include every vulnerability announced that month.

Key Findings:

  • Major updates released for Microsoft Windows, Apple macOS, and Linux.
  • Linux kernels suffered two vulnerabilities which could allow an attacker to remotely cause DoS or DDoS conditions, known as SegmentSmack (CVE-2018-5390) and FragmentSmack (CVE-2018-5391).
  • Total of 7 exploits for known vulnerabilities identified since 01 January.

Analysis

Routers

Several vulnerabilities were found affecting MikroTik routers in December:

  • CVE-2018-1159
  • CVE-2018-1158
  • CVE-2018-1157
  • CVE-2018-1156

One vulnerability in particular (CVE-2018-14847) was being actively exploited in a cryptojacking campaign which enslaved devices across Brazil (MikroTik Routers Enslaved in Massive Coinhive Cryptojacking Campaign).

Operating Systems

January saw an actively exploited flaw (CVE-2018-8414) in Microsoft Windows Shell, which stems from improper validation of file paths. By exploiting this flaw, a remote attacker might execute arbitrary code on the targeted system by convincing victims to open a specially crafted file received via email or a web page.

Linux suffered two vulnerabilities which could allow an attacker to remotely cause DoS or DDoS conditions, known as SegmentSmack (CVE-2018-5390) and FragmentSmack (CVE-2018-5391). The Linux kernel project released an update to address the vulnerabilities (Linux Kernel Project Rolled Out Security Updates to Fix Two DoS Vulnerabilities).

A zero-day vulnerability was found in Apple's macOS High Sierra operating system which could allow a local attacker to virtually "click" a security prompt and load a kernel extension (Apple 0-Day (Re)Opens Door to 'Synthetic' Mouse-Click Attack).

Security researchers exposed an API-breaking vulnerability in Android devices (CVE-2018-9489), which allows any application installed on a device to access sensitive information (Android OS API-Breaking Flaw Offers Useful WiFi Data to Bad Actors).

Browsers

Microsoft patched a flaw (CVE-2018-0871) in the Edge browser that could allow threat actors to steal local files from a victim's computer (Microsoft Edge Flaw Lets Hackers Steal Local Files).

A severe use-after-free vulnerability (CVE-2018-8373) was also found in the VBScript engine of the latest versions of Windows operating systems; it affects Internet Explorer and allows an attacker to run shellcode (Use-after-free (UAF) Vulnerability CVE-2018-8373 in VBScript Engine Affects Internet Explorer to Run Shellcode).

Mozilla patched six critical flaws in Firefox:

  • The first critical flaw (CVE-2018-12359) is a buffer overflow bug that occurs while adjusting the computed size of the canvas element for rendering canvas content, which might cause data to be written outside of the computed boundaries.
  • The second critical flaw (CVE-2018-12360) is a use-after-free vulnerability that occurs when deleting an input element during a mutation event handler triggered by focusing that element.
  • The third is a critical integer overflow vulnerability (CVE-2018-12361) that resides in the SwizzleData code and occurs while calculating buffer sizes.
  • The last two critical flaws (CVE-2018-5187, CVE-2018-5188) comprise a number of memory safety bugs in Firefox 61, Firefox ESR 60.1, 52.9, and Thunderbird 60. These vulnerabilities might allow attackers to run arbitrary code by exploiting memory corruption.

Databases

Security researchers found Proof of Concept (PoC) code that can exploit the recently discovered vulnerability (CVE-2018-11776) affecting the Apache Struts framework (PoC Code Surfaces to Exploit Apache Struts 2 Vulnerability). This vulnerability is being exploited in the wild as noted below.

IBM patched two severe vulnerabilities (CVE-2018-11756, CVE-2018-11757) in its IBM Cloud Functions that allowed one to exploit an Apache OpenWhisk vulnerability to overwrite the user function code (IBM Cloud Functions Is Affected by Two Function Runtime Vulnerabilities).

Protocols

Security researchers believe an Iranian telecommunication company hijacked Telegram's traffic using the well-known BGP hijacking technique, which allowed them to reroute traffic from IP addresses found in corrupted Internet routing tables (Telegram Traffic From Around the World Took a Detour Through Iran).

Security researchers from the Georgia Institute of Technology published details at the Usenix18 conference of a side channel attack on the fixed-window constant-time implementation of RSA in OpenSSL 1.1.0g (One&Done OpenSSL Side Channel Attack).

Security researchers have discovered a new spam campaign targeting corporate networks around the world with the LokiBot malware. Upon infection, Loki Bot steals passwords from browsers, messaging applications, mail and FTP clients (Loki Bot Steals Corporate Passwords).

The Internet Systems Consortium (ISC) warned that a severe vulnerability in the "deny-answer-aliases" feature in BIND software could be exploited to launch denial-of-service (DoS) attacks; the feature helps recursive server operators protect users against DNS rebinding attacks (CVE-2018-5740).

Administrative Tools

Security experts discovered that OpenSSH has been affected since September 2011 by a serious flaw (CVE-2018-15919), leaving it vulnerable to an oracle attack (OpenSSH Versions Since 2011 Vulnerable to Oracle Attack).

Other Vulnerabilities

The following vulnerabilities were also published since 1st July, but do not fit into the categories above:

  • CVE-2018-11616
  • CVE-2018-5925
  • CVE-2018-5924
  • CVE-2018-13415
  • CVE-2018-13417
  • CVE-2018-6970
  • CVE-2018-12989
  • CVE-2018-13416
  • CVE-2017-8988
  • CVE-2017-8989
  • CVE-2018-15132
  • CVE-2018-15202
  • CVE-2018-0871
  • CVE-2017-6213
  • CVE-2017-6215
  • CVE-2017-5692
  • CVE-2018-11338

These include two vulnerabilities in HP Inkjet printers (CVE-2018-5925, CVE-2018-5924), an out-of-bounds memory read vulnerability (CVE-2018-6970) in three VMware Horizon products, and an information disclosure vulnerability (CVE-2018-8234) in Edge when it improperly marks files, aka "Microsoft Edge Information Disclosure Vulnerability."

Exploits for Vulnerabilities

Since 01 December, the following exploits of vulnerabilities have been captured as Attack Patterns and TTPs by SCS analysts:

  • Attack Pattern: Exploitation of CVE-2017-0144 to Drop PowerGhost Script
  • Attack Pattern: Exploiting CVE-2018-11776 RCE in Apache Struts
  • Attack Pattern: Exploiting CVE-2018-11776 to download CNRig
  • Attack Pattern: Scanning for Apache Struts devices vulnerable to CVE-2018-11776
  • Attack Pattern: Spearphishing with Word Document to Drop RAT by Gorgon Group in Political Campaign
  • Attack Pattern: Muhstik Botnet used for DDoS attack

The above Attack Patterns are sometimes related to tactics by threat actors, but also are sometimes observed as behaviors not always linked to a certain adversary. Some of these may come from updated or new Metasploit modules, or they may stem from research into APT groups and their most recent TTPs.

Recommendations

SCS recommends customers apply security updates to their systems as soon as they become available, in order to mitigate against the risks posed by the vulnerabilities mentioned in this report. It is worth noting this report is a summary of the main vulnerabilities we have seen over the course of a month and as such is not reflective of the full list of CVE information published by vendors.

Users should ensure they manually update their own systems, even where those systems are not mentioned in this report.