
Layer Seven Security
ADVISORY
SAP Security Notes, July 2012


In July, SAP released a crucial update for a vulnerability in the Archiving Workbench originally patched in February 2011. Note 1561545 contains instructions for an automated correction using the Note Assistant (transaction SNOTE) and overrides the manual instructions provided in the earlier Note 1531669.

The Archiving Workbench uses archiving objects to move mass amounts of online data to offline or nearline storage systems. Each SAP document type is archived through a unique archiving object. Financial Accounting documents, for example, are archived using the archiving object FI_DOCUMNT, which includes the document header, company code-dependent postings, change documents and other elements. In another example, user, authorization and profile changes are archived through the objects US_USER, US_AUTH and US_PROF. The Workbench includes an Archive Development Kit (ADK), which provides the runtime environment for archiving, and a Monitor to review scheduled and completed archiving jobs.

Archiving is controlled through the S_ARCHIVE authorization object. The ADK checks this object when a user calls a function module in the Archiving Workbench. The object can be configured to grant read, write, move or delete permissions: activity level 01 grants all permissions, while 03 only allows users to display archive files and view settings in the archive management console. The permission level required for each operation should be enforced in the individual function modules. Notes 1561545 and 1531669 patch missing authorization checks in certain modules. Until they are applied, users who should hold display-only permissions may be able to escalate their privileges and move or even delete archived data, which could lead to data loss, corruption or theft.
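The following function module is an added example, not SAP's code and not the correction delivered by the Notes. It shows what a missing authorization check in an archiving function module amounts to, and how a module that deletes an archive file should guard itself with S_ARCHIVE before doing anything destructive. The module name Z_ARCH_DELETE_FILE, its import parameters and the subroutine DELETE_ARCHIVE_FILE are assumptions; the authorization object S_ARCHIVE, its fields ACTVT, APPLIC and ARCH_OBJ, and activity 01 are the real ones discussed above.

```abap
*&---------------------------------------------------------------------*
*& Added example, not SAP code. Z_ARCH_DELETE_FILE, the IV_* parameters
*& and the subroutine DELETE_ARCHIVE_FILE are hypothetical; S_ARCHIVE
*& and its fields ACTVT / APPLIC / ARCH_OBJ are the real authorization
*& object checked by the Archive Development Kit.
*&---------------------------------------------------------------------*
FUNCTION z_arch_delete_file.
*"----------------------------------------------------------------------
*"*"Local Interface:
*"  IMPORTING
*"     VALUE(IV_APPLIC)   TYPE CHAR4    " application area, e.g. 'FI'
*"     VALUE(IV_ARCH_OBJ) TYPE CHAR10   " archiving object, e.g. 'FI_DOCUMNT'
*"     VALUE(IV_FILE_KEY) TYPE CHAR20   " key of the archive file to delete
*"  EXCEPTIONS
*"     NOT_AUTHORIZED
*"----------------------------------------------------------------------

* The unpatched module is this code without the AUTHORITY-CHECK below:
* any user who can call the module (for example through SE37 or, if it
* is remote-enabled, through RFC) can delete the file regardless of the
* S_ARCHIVE activity held in their profile.

* Deleting an archive file is destructive archive administration, so the
* module demands activity 01 for exactly this application area and
* archiving object. A display-only user (ACTVT 03) fails here even
* though the same user may legitimately call the display modules.
  AUTHORITY-CHECK OBJECT 'S_ARCHIVE'
    ID 'ACTVT'    FIELD '01'
    ID 'APPLIC'   FIELD iv_applic
    ID 'ARCH_OBJ' FIELD iv_arch_obj.
  IF sy-subrc <> 0.
    " Refuse before touching the file, so that an unauthorized caller
    " learns nothing about whether the file exists.
    RAISE not_authorized.
  ENDIF.

* Only a caller holding activity 01 reaches the destructive operation.
  PERFORM delete_archive_file USING iv_file_key.

ENDFUNCTION.
```

The check has to sit inside each module that performs a privileged operation, not only in the transaction or screen that normally calls it, because function modules can be invoked directly. When verifying a patched system, transaction ST01 can trace S_ARCHIVE checks while a display-only test user attempts the operation; the trace should show the check failing with ACTVT 01.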


[Figure: SAP Security Notes by Vulnerability Type]

Customers that have recently upgraded, or are planning to upgrade, from NetWeaver (NW) 2004 or 7.0 to NW PI 7.10 or NW 7.3 should read SAP Note 1724604 very closely. It deals with an alarming vulnerability in the secure store area of the SAP J2EE Engine. The secure store is used to hold sensitive data such as passwords in encrypted form. By default, the J2EE Engine stores this data in the file \usr\sap\<SID>\SYS\global\security\data\SecStore.properties. The file is created during installation and includes the SAPDB and Administrator passwords; the former is used for database connectivity and the latter for system administration. The contents of the secure store file are encrypted with a triple DES algorithm using the SAP Java Cryptographic Toolkit, with the encryption key derived from a key phrase. The upgrade procedure should prompt the administrator to change the default key phrase. However, this prompt is not displayed if the upgrade is performed with the SAPJup tool at a patch level lower than PL 54. As a result, some upgraded systems may still have the default key phrase set on the secure store, and anyone who can read the file and knows the default phrase can recover the passwords it protects. Affected customers should change the key phrase as described in the Note and consider the stored passwords exposed until they too have been changed.

Customers that have migrated to SAP's new and much vaunted HANA database should take a look at Note 1726160. This patches a memory corruption vulnerability that could be used by remote, malicious users to crash database operations and cause a denial of service; the fix is included in SAP HANA Revision 28 and later.


SQL statements can bypass authorization checks

Finally, all customers should review Note 1728256, which updates newer releases of J2EE applications for a SQL injection vulnerability originally patched in March. Authorization in SAP is enforced in application code, not by the database, so an Open SQL or native SQL statement assembled from user-supplied strings can bypass those checks: if the input is copied into the statement text, a modified string changes the query itself rather than just the value being compared, leading to unauthorized access to information stored in database tables. Note 1728256 applies input validation to counter a vulnerability in the XML Data Archiving Service (XML DAS) that allowed malicious users to retrieve or modify restricted data by modifying strings in SQL statements generated by the program.
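As an added example, not SAP's code and not the XML DAS correction itself, the report below shows the same class of flaw in ABAP: a dynamic Open SQL WHERE clause built from a report parameter, first in the injectable form and then in two hardened forms. The table ZARCH_META, its fields and the report name are hypothetical; the injection pattern and the kernel class CL_ABAP_DYN_PRG are real.

```abap
*&---------------------------------------------------------------------*
*& Added example, not SAP code and not the XML DAS correction. The
*& table ZARCH_META and its fields are hypothetical; the injection
*& pattern and CL_ABAP_DYN_PRG=>QUOTE are real.
*&---------------------------------------------------------------------*
REPORT z_dyn_sql_demo.

TYPES: BEGIN OF ty_meta,
         doc_id TYPE char20,
         owner  TYPE syuname,
         status TYPE char1,
       END OF ty_meta.

DATA: lt_meta  TYPE STANDARD TABLE OF ty_meta,
      lv_where TYPE string.

" Untrusted input. CHAR40 rather than SYUNAME so the payload below fits.
PARAMETERS p_owner TYPE char40 LOWER CASE.

* --- Injectable form --------------------------------------------------
* The intent is a row-level restriction: a user sees only rows they
* own. Because P_OWNER is pasted into the SQL text, the input
*     X' OR owner <> 'X
* produces   owner = 'X' OR owner <> 'X'   which holds for every row,
* and the restriction is bypassed without any authorization failure.
lv_where = |owner = '{ p_owner }'|.
SELECT doc_id owner status FROM zarch_meta
  INTO TABLE lt_meta
  WHERE (lv_where).

* --- Hardened form 1: static condition, host variable -----------------
* The value travels to the database as a bound variable, never as SQL
* text, so no input can alter the shape of the query.
SELECT doc_id owner status FROM zarch_meta
  INTO TABLE lt_meta
  WHERE owner = p_owner.

* --- Hardened form 2: dynamic condition, escaped literal --------------
* When the condition really must be built at runtime, QUOTE wraps the
* value in single quotes and doubles any quote inside it, so the payload
* above becomes the literal 'X'' OR owner <> ''X' and matches no owner.
lv_where = |owner = { cl_abap_dyn_prg=>quote( p_owner ) }|.
SELECT doc_id owner status FROM zarch_meta
  INTO TABLE lt_meta
  WHERE (lv_where).
```

String templates and CL_ABAP_DYN_PRG require NetWeaver 7.02 or later. Prefer the first hardened form wherever the condition is known at design time; use QUOTE (and the CHECK_* methods of the same class for table and column names) only for the parts that are genuinely dynamic, and never pass raw input into a native SQL (EXEC SQL or ADBC) statement.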


Appendix: SAP Security Notes, July 2012

Priority: 1 = Hot News, 2 = High, 3 = Medium.

PRIORITY  NOTE     AREA               DESCRIPTION
1         1561545  CA-GTF-TS-GMA      Update 2 to Security Note 1531669
2         1746826  BC-BSP             Update 1 to Security Note 1638718
2         1740130  BC-XI-IBD          Update 2 to Security Note 1503856
2         1708116  BC-UPG-TLS-TLA     Directory traversal in function module STATUS_EXP from SDBM
2         1715812  SV-SMB-AIO-PFW-SB  Unauthorized modification of displayed content in BP-SOLBLD
2         1720994  SV-SMG-SDD         Missing authorization check in ST-PI
2         1721309  BC-SRV-PMI         Untrusted XML input parsing possible in PMI
2         1723641  BC-XI-CON-AFW      Untrusted XML input parsing possible in XI Adapter Framework
2         1724604  BC-UPG-TLS-TLJ     SAP Java Upgrade: change the default secure store key phrase
2         1726160  BC-DB-HDB          Security issues fixed in SAP HANA Revision 28 and later
2         1581156  BC-FES-ITS         ITS: XSS vulnerability on page generated by HTTP handler
2         1591376  CRM-BF-CFG         Unauthorized modification of displayed content in CRM IPC
2         1661350  BC-FES-ITS         ITS: Replace HTML encoding by new ABAP function
2         1672569  CRM-ISA            Unauthorized modification of stored content in CRM-ISA
2         1676010  PA-GE              Unauthorized modification of stored content in PA-GE
2         1681997  EP-KM-COL          Missing authorization check in EP-KM-COL component
2         1686842  BC-ABA-LA          Missing authorization check in ABAP Dump Collector
2         1692691  CRM-ISA-BBS        Missing authorization check in CRM-ISA-BBS
2         1696483  FS-AM-ARC          FS-AM-ARC/Archiving: Potential disclosure of persisted data
2         1728256  J2EE-APPS          Update #2 to Security Note 1594984
3         1699075  BC-CTS-LAN         Code injection vulnerability in BC-CTS-LAN
3         1712917  PPM-PRO            Missing authorization check in PPM-PRO
3         1661909  EP-KM-WD           Potential information disclosure relating to server info
3         1672882  BC-JAS-SEC-UME     Unauthorized use of User Mapping functions in portal


Layer Seven Security

Layer Seven Security specializes in SAP security. We serve customers worldwide to protect information assets against internal and external threats and to comply with industry and statutory reporting requirements. The company fuses technical expertise with business acumen to deliver unparalleled audit, consulting and vulnerability assessment solutions targeted at managing the risks associated with contemporary SAP systems.

Our consultants have an average of ten years of experience in the field of SAP security and proficiency in regulatory compliance including Basel II, GLBA, HIPAA, FISMA, PIPEDA, PCI DSS and SOX.

The company is privately owned and headquartered in Toronto, Canada.

Address
Westbury Corporate Centre
Suite 101
2275 Upper Middle Road
Oakville, Ontario
L6H 0C3, Canada

Web: www.layersevensecurity.com
Email: info@layersevensecurity.com
Telephone: 1 888 995 0993


© Copyright Layer Seven Security 2012 - All rights reserved.

No portion of this document may be reproduced in whole or in part without the prior written permission of Layer Seven Security.

Layer Seven Security offers no specific guarantee regarding the accuracy or completeness of the information presented, but the professional staff of Layer Seven Security makes every reasonable effort to present the most reliable information available to it and to meet or exceed any applicable industry standards.

This publication contains references to the products of SAP AG. SAP, R/3, xApps, xApp, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP Business ByDesign, and other SAP products and services mentioned herein are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius and other Business Objects products and services mentioned herein are trademarks or registered trademarks of Business Objects in the United States and/or other countries.

SAP AG is neither the author nor the publisher of this publication and is not responsible for its content, and SAP Group shall not be liable for errors or omissions with respect to the materials.
