Latest SAP Security News

Over the past month, several significant events have occurred in the field of SAP security that I would like to talk about.

First, there were two major security conferences that addressed the subject of SAP security: BlackHat and Defcon. We (specialists at the Digital Security research lab) took part in both events, with a talk on SAP at BlackHat and a talk on VMware at Defcon. I mention the VMware talk here because it confirms that the protection of SAP systems depends not only on the security of the SAP applications themselves, but also on the rest of the infrastructure.

1. Vulnerabilities in VMware on Defcon

This research was conducted during a penetration test of an SAP landscape. While our team naturally focused on the SAP applications, Alexander Minozhenko noticed that the SAP systems were installed on the VMware ESXi platform. That is, even if every SAP application in this landscape were protected, an attacker could still take control of all the systems by gaining access to the ESXi management console, vSphere. So he set out to find a way to gain unauthorized access to all the virtual machines, and found one using a number of security holes, including zero-day vulnerabilities.

Details can be found in the presentation (in English).

2. Presentation at BlackHat on XXE Tunneling in SAP

At BlackHat we talked about SSRF (Server Side Request Forgery) attacks and gave a large number of examples of them. Speaking specifically about SAP, we demonstrated a targeted attack that chains several vulnerabilities in sequence:

  • Unauthorized access to the Dilbertmsg service
  • XXE Tunneling (TCP packet tunneling through XML)
  • Variables sent via XML being stored in RWX memory
  • Buffer overflow in SAP Kernel

A lot of information is available about this attack on the Web, from our reports to articles in the press and even video interviews:

We also wrote an XXE scanner to help exploit XXE vulnerabilities. We will release and publish its beta version soon.

3. Martin Gallo's presentation at Defcon on reversing the SAP DIAG protocol

Martin Gallo of Core Security talked about decompressing and fuzzing the DIAG protocol. Many of his findings were published earlier, but now he has released details of the buffer overflow vulnerabilities in the DIAG protocol. Using these vulnerabilities, an unauthenticated attacker could conduct a DoS attack. One of the vulnerabilities demonstrated could also lead to code execution; admittedly, this requires the system trace level to be set to 3, which is uncommon in production systems.

4. Remote command injection in SAP

As readers already know, in the middle of each month SAP publishes a list of acknowledgements to the security researchers who have found vulnerabilities in SAP products. Researchers may publish details of the vulnerabilities they found on their websites three months later, so that companies that care about their security have time to install the patches.

What can happen to those who do not install patches on time is clear from this post.

Colleagues from Context IS have published details of a command injection vulnerability in the SAP HostControl service. They say that "this vulnerability allows arbitrary code to be executed with 100 percent reliability on behalf of the SAP administrator, without authentication."

The point is that a SOAP request with the GetDatabaseStatus command to SAP HostControl, which can be sent anonymously under the default settings (although, if you work on the system settings, this function can be disabled, like many others), lets you inject a command that is executed on the command line by the dbmsrv.exe application, which in turn calls dbmcli.exe with parameters taken from the SOAP request. In this way, any command can be executed in the OS.

The most interesting thing is that, as we described in the report "SAP Security in Figures", many companies leave this service accessible from the Internet. Speaking of numbers, 10% of companies using SAP around the world allow remote access to SAP HostControl. What will happen to these companies if cyber criminals use this security hole is, I think, easy to imagine.

As far as remediation is concerned, this problem is fixed by SAP Note 1341333. However, to protect SAP HostControl from other similar attacks and from information disclosure problems, I also recommend setting the parameter service/protectedwebmethods = SDEFAULT. It restricts remote calls to the web methods that need such protection. More details here.

After that, it is advisable to verify with an automated tool that those methods can no longer be called remotely.
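As an added example (not from the original post and not SAP's or Context IS's code), a small Python checker for the hardening parameter recommended above, run over a constructed profile fragment. It assumes the profile format uses "#" comments with a later assignment overriding an earlier one, and that the value is a base keyword (SDEFAULT) optionally followed by "-Method" / "+Method" tokens that remove or add individual web methods from the protected set; both points are assumptions about the parameter syntax, not facts stated in the post.

```python
# Constructed sample of an SAP host profile (not a real customer file).
SAMPLE_PROFILE = """\
# host profile (constructed sample)
SAPSYSTEMNAME = DAA
service/protectedwebmethods = DEFAULT
# a later assignment wins over the earlier one (assumed profile rule)
service/protectedwebmethods = SDEFAULT -GetDatabaseStatus
"""

PARAM = "service/protectedwebmethods"


def get_parameter(profile_text: str, name: str):
    """Return the last effective value of a profile parameter, or None.
    Lines starting with '#' are comments; later assignments override earlier ones."""
    value = None
    for line in profile_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, val = line.partition("=")
        if sep and key.strip() == name:
            value = val.strip()
    return value


def check_protectedwebmethods(profile_text: str, must_protect=("GetDatabaseStatus",)):
    """Return a list of findings; an empty list means the parameter looks hardened.
    Assumed syntax: base keyword, then optional '-Method' (unprotect) or
    '+Method' (protect) tokens. GetDatabaseStatus, the method abused in the
    HostControl command injection, must not be excluded from protection."""
    value = get_parameter(profile_text, PARAM)
    if value is None:
        return ["parameter not set; service relies on the shipped default"]
    findings = []
    tokens = value.split()
    if tokens[0] != "SDEFAULT":
        findings.append(f"base value is {tokens[0]}, expected SDEFAULT")
    unprotected = {t[1:] for t in tokens[1:] if t.startswith("-")}
    for method in must_protect:
        if method in unprotected:
            findings.append(f"{method} explicitly excluded from protection")
    return findings


if __name__ == "__main__":
    for finding in check_protectedwebmethods(SAMPLE_PROFILE):
        print("FINDING:", finding)
```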

5. Remote code execution in SAP Crystal Reports and SAP BusinessObjects from ZDI

ZDI published details of two vulnerabilities in SAP Crystal Reports and SAP BusinessObjects. The source says: "This bug allows an attacker to remotely execute arbitrary code on vulnerable SAP Crystal Reports systems. Authentication is not required for exploitation." SAP has already closed the vulnerability, and it is harder to exploit than a typical buffer overflow, since the service listens on a random port, so the attacker must first determine whether the service is available on the system.

As for the second vulnerability, in SAP BusinessObjects FI-CO, exploiting it requires the participation of a legitimate user. Its CVSSv2 score is 7.5; the patch can be downloaded here.

6. August security updates

SAP has released new security updates, with 8 acknowledgements to outside researchers, but I will talk about them later.