As part of its December 2020 Security Patch Day, SAP released eleven security notes this week, including four that were classified ‘hot news.’ There were two changes to previously released notes as well.
The most important of the notes, with a CVSS score of 10, addresses a missing authentication check (CVE-2020-26829) in SAP NetWeaver AS JAVA (P2P Cluster Communication).
The problem, discovered by security researchers at Onapsis, a company that specializes in protecting Oracle and SAP applications, could allow an unauthenticated attacker to perform privileged actions over a TCP connection.
The attacker may install new trusted SSO providers, alter the parameters associated with the database connection, and access configuration information. By abusing these actions, the attacker may “obtain full privileged access to the affected SAP system or carry out a Denial-of-Service attack that renders the SAP system unusable,” says Onapsis.
The security note that fixes the bug is provided only for support packages that are not older than 24 months. A manual workaround is offered, however, to effectively prevent any “potential attackers from connecting to the P2P Server Socket port and spying on cluster element communication.”
CVE-2020-26831 (CVSS score of 9.6), a missing XML validation bug in the BusinessObjects Business Intelligence Platform (Crystal Report), is the second ‘hot news’ security note published this month. The flaw allows an attacker with basic privileges to inject arbitrary XML entities, thereby leaking internal files and folders. Server-side request forgery (SSRF) and denial-of-service (DoS) attacks are also possible.
In Business Warehouse (Master Data Management) and BW4HANA, SAP also patched a code injection flaw (CVE-2020-26838, CVSS score of 9.1). The bug might have been scored 10, but it requires the attacker to have high privileges. Without user interaction, it allows such an attacker to send crafted requests leading to arbitrary code execution.
This month’s fourth ‘hot news’ note addresses a code injection flaw in NetWeaver AS ABAP and S/4 HANA (SLT component) that could lead to arbitrary code execution and full system compromise (CVE-2020-26808, CVSS score 9.1). The note was initially published one day after November’s Patch Day.
CVE-2020-268322 is another weakness in the SLT component of AS ABAP and S/4 HANA that was addressed this month (CVSS score 7.6). The problem is a missing authorization check that could allow a high-privileged user to execute functionality that they should not have access to.
A second ‘high priority’ note released this month addresses a path traversal and a missing authentication check in Solution Manager (CVE-2020-26837 and CVE-2020-26830, CVSS score of 8.5).
By leveraging both vulnerabilities, a remote attacker with access to an unprivileged account could partially compromise availability by making certain resources unavailable. The vulnerabilities would also allow the attacker to obtain access to confidential information, such as usernames and passwords, that can be used to access other SAP systems in the landscape, Onapsis explains.
SAP’s December 2020 Security Patch Day advisory also lists six medium-priority notes and one low-priority note dealing with unrestricted file upload, formula injection, missing encryption, XSS, content spoofing, improper authentication, and open redirect bugs.