SAP Releases 13 Security Notes on February 2020 Patch Day

SAP’s February 2020 Security Patch Day brought 13 new Security Notes and updates to 2 previously released Patch Day Security Notes.

The company released three new High priority Security Notes and 10 Medium priority notes this month. The updated Notes include a Hot News one and one Medium priority. 

The Hot News Security Note (CVSS score 9.8) is an update for the supported Chromium version in SAP Business Client, which was initially released on April 2018 Patch Day. 

The first of the High priority notes addresses a Denial of Service (DoS) vulnerability in SAP Host Agent (CVE-2020-6186, CVSS score 7.5). 

The issue impacts user/password authentications operations and is caused by operating system facilities that SAP Host Agent’s authentication uses, Onapsis, a company that specializes in securing Oracle and SAP products, explains. 

“These facilities often delay failed authentication requests in order to handle the negative impact of brute force authentication attacks. SAP Host Agent limits the number of parallel authentication requests so that regular authentication requests might be slowed down due to delayed responses,” Onapsis says. 

Mitigations include restricting access ports to the datacenter network, restricting access ports to trusted networks and addresses only, and allowing certificate-based authentication only. 

The other two High priority Notes patch missing input bugs in SAP Landscape Management (CVE-2020-6191 and CVE-2020-6192, CVSS score 7.2). These issues could allow an attacker to inject commands with malicious content that is executed in the context of user Root or <SID>adm. 

SAP also addressed a missing authorization check in ERP and S/4 HANA (CVE-2020-6188), Cross-Site Scripting (XSS) vulnerabilities in NetWeaver (CVE-2020-6193) and NetWeaver and S/4HANA (CVE-2020-6184 and CVE-2020-6185), an information disclosure in NetWeaver AS Java (CVE-2020-6190), and an HTTP response splitting flaw in NetWeaver and ABAP Platform (CVE-2020-6181). 

Other security bugs patched this month include an unprivileged access to technical data using SAPOSCOL of Host Agent (CVE-2020-6183), information disclosure in BusinessObjects BI Central Management Console (CVE-2020-6189), and missing XML validation vulnerabilities in NetWeaver (CVE-2020-6187) and Mobile Platform (CVE-2020-6177). 

Along with Security Notes released at the end of January, and Support Notes, SAP released a total of 19 Security Notes this month, Onapsis says. 

One of these is a High priority (CVSS score 7.4) Note addressing a missing authorization check in Mobile Platform Native SDK, Android, where data stored in the Federation Library was not protected by default. Thus, if the application developer did not explicitly define permissions to access the library data, it remained unprotected, according to Onapsis.