SAP Security Notes Update January 2020: What You've Missed
Feb 12, '20 by Joerg Schneider-Simon
We’ve said it before: Keeping SAP security patches up to date is one of the most effective ways to prevent a successful cyberattack.
To make that task a bit easier, here is our quick summary of the Security Notes Update that SAP issued in January 2020.
The update reveals that the New Year is beginning as 2019 ended—with familiar vulnerabilities and a common level of priorities.
SAP Security Notes Highlights
- The year is starting with a priority level of Medium. There are 12 new SAP Security Notes in this update:
- 1 High Priority
- 10 Medium Priority
- 1 Low Priority
- Authorization check vulnerabilities. Most of the released notes deal with Missing Authorization Check vulnerabilities
High priority: SAP Enterprise Asset Management add-on
The one High Priority Note is #2871877. It provides multiple corrections to areas of the SAP Enterprise Asset Management (EAM) add-on. These vulnerabilities include:
- Missing Authorization Check vulnerabilities in several Workbenches of MRO (CVSS rated 8.3)
- Directory Traversal vulnerabilities that give attackers the ability to read, overwrite, delete and corrupt arbitrary files on the remote server (CVSS rated 7.2)
Missing Authorization Check vulnerabilities
SAP created a whopping 7 out of 12 security notes because of Missing Authorization Checks. SAP remedied two of the vulnerabilities by creating explicit application-specific authorization checks in RFC-enabled function modules. They fixed another two by creating switchable authorization checks.
RFC-enabled function modules
SAP Leasing and a third-party vendor software component in SAP Solution Manager are also subject to Authorization Check Vulnerabilities (see SAP Security Notes #2495462, #2865348 and #2845401). This is because missing explicit authorization checks in RFC-enabled function modules remain one of the most common vulnerabilities, particularly in custom code. Organizations that rely only on implicit checks on authorization object S_RFC put themselves at considerable risk because authorizations on object S_RFC tend to be far too generous.
Missing Authorization Check in Automated Note Search Tool
SAP Security Note #2863397 also deserves your attention. “Missing Authorization Check in Automated Note Search Tool (SAP_BASIS)” describes how SAP has re-introduced an authorization check in the Automated Note Search Tool (ANST). Some customers removed this authorization check in the years leading up to 2015 because it interfered with users who did not have sufficient authorizations.
In summation, the first SAP Security Notes Update of 2020 is a sober reminder that the third most critical SAP vulnerability is Missing Authorization Checks. The vulnerabilities connected with Missing Authorization are considerable. For one thing, they are easily exploited. And for another, they don’t require special privileges in the system. Since there are roughly two million RFC functions in SAP, these vulnerabilities will continue to reappear in SAP products and custom code, making it vastly important for SAP customers to take note and stay updated.
While Missing Authorization Checks may be the vulnerability that has dominated this most recent Security Notes Update, more familiar vulnerabilities like SQL injections and cross-site scripting continue to appear in almost every other Update. Being aware of all threats and doing what you can (with our help) to protect your SAP system will go a long way toward preventing a successful cyberattack.