Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

SAP Releases 13 Security Notes on February 2020 Patch Day

SAP’s February 2020 Security Patch Day brought 13 new Security Notes and updates to 2 previously released Patch Day Security Notes.

SAP’s February 2020 Security Patch Day brought 13 new Security Notes and updates to 2 previously released Patch Day Security Notes.

The company released three new High priority Security Notes and 10 Medium priority notes this month. The updated Notes include a Hot News one and one Medium priority. 

The Hot News Security Note (CVSS score 9.8) is an update for the supported Chromium version in SAP Business Client, which was initially released on April 2018 Patch Day. 

The first of the High priority notes addresses a Denial of Service (DoS) vulnerability in SAP Host Agent (CVE-2020-6186, CVSS score 7.5). 

The issue impacts user/password authentications operations and is caused by operating system facilities that SAP Host Agent’s authentication uses, Onapsis, a company that specializes in securing Oracle and SAP products, explains. 

“These facilities often delay failed authentication requests in order to handle the negative impact of brute force authentication attacks. SAP Host Agent limits the number of parallel authentication requests so that regular authentication requests might be slowed down due to delayed responses,” Onapsis says

Mitigations include restricting access ports to the datacenter network, restricting access ports to trusted networks and addresses only, and allowing certificate-based authentication only. 

The other two High priority Notes patch missing input bugs in SAP Landscape Management (CVE-2020-6191 and CVE-2020-6192, CVSS score 7.2). These issues could allow an attacker to inject commands with malicious content that is executed in the context of user Root or <SID>adm. 

SAP also addressed a missing authorization check in ERP and S/4 HANA (CVE-2020-6188), Cross-Site Scripting (XSS) vulnerabilities in NetWeaver (CVE-2020-6193) and NetWeaver and S/4HANA (CVE-2020-6184 and CVE-2020-6185), an information disclosure in NetWeaver AS Java (CVE-2020-6190), and an HTTP response splitting flaw in NetWeaver and ABAP Platform (CVE-2020-6181). 

Other security bugs patched this month include an unprivileged access to technical data using SAPOSCOL of Host Agent (CVE-2020-6183), information disclosure in BusinessObjects BI Central Management Console (CVE-2020-6189), and missing XML validation vulnerabilities in NetWeaver (CVE-2020-6187) and Mobile Platform (CVE-2020-6177). 

Along with Security Notes released at the end of January, and Support Notes, SAP released a total of 19 Security Notes this month, Onapsis says. 

One of these is a High priority (CVSS score 7.4) Note addressing a missing authorization check in Mobile Platform Native SDK, Android, where data stored in the Federation Library was not protected by default. Thus, if the application developer did not explicitly define permissions to access the library data, it remained unprotected, according to Onapsis.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.