SAP has released the monthly critical patch update for May 2015. This patch update closes a lot of vulnerabilities in SAP products, some of them belong in the SAP HANA security area. This month, three critical vulnerabilities found by ERPScan researchers Dmitry Chastukhin and Vahagn Vardanyan were closed.
Issues that were patched with the help of ERPScan
The detailed list of corrected vulnerabilities that were found by ERPScan researchers is below.
- A Buffer Overflow vulnerability in SAP Afaria Server (CVSS Base Score: 7.8). Update is available in SAP Security Note 2153690. An attacker can use Buffer Overflow to inject specially crafted code into working memory. The code will be executed by the vulnerable application under the same privileges that the application has. This can lead to the attacker taking complete control over the application, denial of service, command execution, and other attacks. In case of command execution, the attacker can obtain critical technical and business-related information stored in the vulnerable SAP system or escalate their privileges. As for denial of service, it can terminate the process of a vulnerable component. Nobody will be able to use this service, which has a negative impact on business processes, system downtime, and business reputation.
- A Missing Authorization Check vulnerability in SAP Afaria (CVSS Base Score: 7.1). Update is available in SAP Security Note 2155690. An attacker can use Missing Authorization Checks to access a service without any authorization procedures and use the service functionality that has restricted access. This can lead to information disclosure, privilege escalation, and other attacks.
- An XML eXternal Entity vulnerability in SAP System Landscape Directory (CVSS Base Score: 4.9). Update is available in SAP Security Note 2090851. An attacker can use XML eXternal Entities to send specially crafted unauthorized XML requests, which will be processed by the XML parser. The attacker will get unauthorized access to the OS file system.
The most critical issues found by other researchers
Some of our readers and clients asked us to categorize the most critical SAP vulnerabilities to patch them first. Companies providing SAP Security Audit, SAP Security Assessment, or SAP Penetration Testing services can include these vulnerabilities in their checklists. The most critical vulnerabilities of this update can be patched by the following SAP Security Notes:
- 2152278: SAP ASE Database Platform has an SQL Injection vulnerability (CVSS Base Score: 8.5). An attacker can use SQL Injection with the help of specially crafted SQL queries. They can read and modify sensitive information from a database, execute administration operations on a database, destroy data or make it unavailable. In some cases, the attacker can access system data or execute OS commands. It is recommended to install this SAP Security Note to prevent risks.
- 2121661: SAP ABAP & Java Server has a Running Process Remote Termination vulnerablity (CVSS Base Score: 8.3). An attacker can use this vulnerability to terminate the process of a vulnerable component. Nobody will be able to use this service, which has a negative impact on business processes, system downtime, and business reputation. It is recommended to install this SAP Security Note to prevent risks.
- 2127995: SAP Content Server has a Running Process Remote Termination vulnerability (CVSS Base Score: 8.3). An attacker can use this vulnerability to terminate SAP Content Server. Nobody will be able to use this service, which has a negative impact on business processes, system downtime, and business reputation. It is recommended to install this SAP Security Note to prevent risks.
- 2153892: SAP HANA Web-based Development Workbench has an SQL Injection vulnerability (CVSS Base Score: 6.0). An attacker can use SQL Injections with the help of specially crafted SQL queries. They can read and modify sensitive information from a database, execute administration operations in a database, destroy data or make it unavailable. In some cases, the attacker can access system data or execute OS commands. It is recommended to install this SAP Security Note to prevent risks.
Remote code execution in SAP applications
Information security researchers have found many vulnerabilities in LZC/LZH algorithm, using which attackers can execute remote code on client and server hosts.
Many server and client SAP applications use the vulnerable compression algorithm LZC/LZH:
- SAP NetWeaver Application Server ABAP
- SAP NetWeaver Application Server Java
- SAP NetWeaver RFC SDK
- SAP RFC SDK
- SAP GUI
- SAP MaxDB database
- SAPCAR archive tool
They are also used in the following protocols:
- Diag
- RFC
- MaxDB
Let’s look at the found vulnerabilities in detail.
1. Stack-based overflow vulnerability CVE-2015-2282 in compression algorithm LZC
Vulnerable application code:
[..]
int CsObjectInt::CsDecomprLZC (SAP_BYTE * inbuf,
SAP_INT inlen,
SAP_BYTE * outbuf,
SAP_INT outlen,
SAP_INT option,
SAP_INT * bytes_read,
SAP_INT * bytes_written)
[..]
/* Generate output characters in reverse order ...................*/
while (code >= 256)
{
*stackp++ = TAB_SUFFIXOF(code);
overflow
code = TAB_PREFIXOF(code);
}
[..]
Note that the variable "code" contains an attacker-controlled value, which results in a stack overflow if the value is greater than 256 and the value of the code in the prefix table is also greater than 256. It's possible to fill the stack with arbitrary values by controlling the values stored in the prefix and suffix tables.
2. Vulnerability CVE-2015-2278 in compression algorithm LZH
Using this vulnerability, an attacker can read data stored outside the buffer using special package data.
Vulnerable code:
[..]
int CsObjectInt::BuildHufTree (
unsigned * b, /* code lengths in bits (all assumed <= BMAX) */
unsigned n, /* number of codes (assumed <= N_MAX) */
unsigned s, /* number of simple-valued codes (0..s-1) */
int * d, /* list of base values for non-simple codes */
int * e, /* list of extra bits for non-simple codes */
HUFTREE **t, /* result: starting table */
int * m) /* maximum lookup bits, returns actual */
[..]
if (p >= v + n)
{
r.e = INVALIDCODE; /* out of values--invalid code */
}
else if (*p < s)
{ /* 256 is end-of-block code */
r.e = (unsigned char)(*p < 256 ? LITCODE : EOBCODE);
r.v.n = (unsigned short) *p; /* simple code is just the value*/
p++;
}
else
{
r.e = (unsigned char) e[*p - s]; /*non-simple,look up in lists*/
r.v.n = (unsigned short) d[*p - s];
p++;
}
[..]
As you can see, arrays 'e' and 'd' are indexed by the values of "* p - s". As the value of variables 'p' and 's' are under the attacker’s control, they also control the values of arrays 'e' and 'd'.
Attack scenarios
As the vulnerability affects a large number of SAP products, there are multiple attack vectors depending on how the vulnerable code is used in an SAP program.
Examples of vectors:
- Attack on a server component: SAP NetWeaver services Gateway and Dispatcher process compressed data. An attacker can forge requests, create a special attack package, and exploit a Remote Code Execution vulnerability on the server.
- Attack on a client component: the attacker can create a special .CAR or .SAR package, send it to a client, and when they try to unarchive it, the attacker’s commands will be executed on the client's host.
- MitM attack. As most of the services affected by these issues are not encrypted by default, an attacker might be able to perform a man-in-the-middle attack and trigger the vulnerabilities by injecting malicious packets within the communication.
Remediation
SAP customers can implement security notes 2124806, 2121661, 2127995, 2125316 at the company's support portal.
SAP has traditionally issued acknowledgments to the security researchers on their website. Checks for the issues are already available in ERPScan Security Monitoring Suite.
Comments