SAP this week released eleven security notes as part of its December 2020 Security Patch Day, including four that were rated ‘hot news.’ There were also two updates to previously released notes.
Featuring a CVSS score of 10, the most important of the notes addresses a missing authentication check vulnerability (CVE-2020-26829) in SAP NetWeaver AS JAVA (P2P Cluster Communication).
Identified by security researchers at Onapsis, a firm that specializes in securing Oracle and SAP applications, the issue could allow an unauthenticated attacker to perform privileged actions over a TCP connection.
The attacker could install new trusted SSO providers, change the parameters associated with the database connection, and access configuration information. By abusing these actions, the attacker could “gain full privileged access to the affected SAP system or perform a Denial-of-Service attack rendering the SAP system unusable,” Onapsis says.
The security note that addresses the bug is only provided for support packages that are not older than 24 months. However, a manual workaround is provided, to essentially prevent any “potential attackers from connecting to the P2P Server Socket port and from spying the communication between the cluster elements.”
The second ‘hot news’ security note released this month addresses CVE-2020-26831 (CVSS score of 9.6), a missing XML validation flaw in BusinessObjects Business Intelligence Platform (Crystal Report). The bug allows an attacker with basic privileges to inject arbitrary XML entities, thus leaking internal files and directories. Server-side request forgery (SSRF) as well as denial-of-service (DoS) attacks are also possible.
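The XXE flaw class described above (injected entities leading to file disclosure, SSRF or DoS) from the defender's side, as an added example that is not SAP's or Onapsis's code: a standard-library Python pre-check that refuses any DOCTYPE or entity declaration before parsing, shown beside the default parser's behaviour of expanding declared entities. The documents and the file path are constructed placeholders; the product's own parser configuration is not described on the page.

```python
"""Hardened XML loading: refuse DOCTYPE/entity declarations before parsing.
Constructed example using only the standard library; not SAP or Onapsis code."""
import xml.parsers.expat
import xml.etree.ElementTree as ET

class UnsafeXMLError(ValueError):
    """Document carries a DOCTYPE or an entity declaration."""

def check_no_dtd(data: str) -> None:
    """Pre-scan with expat and fail fast on any DTD construct. Refusing the DOCTYPE
    blocks internal-entity expansion (DoS) and external entities (file read, SSRF)."""
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXMLError(f"DOCTYPE {name!r} is not allowed")

    def on_entity_decl(*_args):  # belt and braces; entities live only inside a DTD
        raise UnsafeXMLError("entity declarations are not allowed")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.Parse(data, True)  # a handler raises on the first offending construct

def load_xml_safely(data: str) -> ET.Element:
    """Parse only after the pre-check has passed."""
    check_no_dtd(data)
    return ET.fromstring(data)

def is_rejected(data: str) -> bool:
    """True when the hardened loader refuses the document."""
    try:
        load_xml_safely(data)
    except UnsafeXMLError:
        return True
    return False

def expanded_text_length(data: str) -> int:
    """What the unhardened default parser does: declared entities get expanded."""
    return len(ET.fromstring(data).text or "")

BENIGN = "<report><title>Q4</title></report>"  # constructed
# Constructed: each &b; expands to ten copies of &a; (10 chars each) -> 100 chars.
EXPANSION = ('<!DOCTYPE r [<!ENTITY a "0123456789">'
             '<!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">]><r>&b;</r>')
# Constructed external entity; the path is a placeholder and is never fetched here.
EXTERNAL = '<!DOCTYPE r [<!ENTITY ext SYSTEM "file:///PLACEHOLDER">]><r>&ext;</r>'
```

The same pre-check is the stdlib equivalent of the "disallow DOCTYPE" setting that Java parsers expose as a feature flag; applying it at the ingress point is the usual mitigation for this bug class.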
SAP also patched a code injection bug in Business Warehouse (Master Data Management) and BW4HANA (CVE-2020-26838, CVSS score of 9.1). The flaw could have been scored 10, but it requires an attacker with high privileges to submit the crafted requests that lead to arbitrary code execution; no user interaction is needed.
The fourth ‘hot news’ note this month addresses a code injection bug in NetWeaver AS ABAP and S/4 HANA (SLT component) that could lead to arbitrary code execution and complete system compromise (CVE-2020-26808, CVSS score 9.1). The note was initially released one day after the November Patch Day.
Another vulnerability in the SLT component of AS ABAP and S/4 HANA that was addressed this month is CVE-2020-26832 (CVSS score 7.6). The issue is a missing authorization check that could allow a high-privileged user to execute functions they should not have access to.
A second ‘high priority’ note issued this month addresses a path traversal and a missing authentication check in Solution Manager (CVE-2020-26837 and CVE-2020-26830, CVSS score of 8.5).
“Exploiting both vulnerabilities, a remote attacker having access to an unprivileged user could partially compromise availability in making certain services unavailable. The exploits would even allow the attacker to gain access to sensitive information such as usernames and passwords that can be used to access other SAP systems in the landscape,” Onapsis explains.
SAP’s Security Patch Day advisory for December 2020 also details six medium-priority notes and one low-priority note dealing with unrestricted file upload, formula injection, missing encryption, XSS, content spoofing, improper authentication, and open redirect vulnerabilities.