SAP Patches Multiple HANA Vulnerabilities in March Update

SAP users are at risk from "very high" priority vulnerabilities that impact the Self Service features in the SAP HANA database product portfolio.

Security flaw

Enterprise software giant SAP released its monthly patch update for March this week, providing users with 25 new security notes in addition to updates for two existing notes. In SAP's nomenclature, a security note is what most other vendors refer to as a security advisory, with added information for risk mitigation.

Among the standout issues this month are multiple vulnerabilities in the SAP HANA database system. In fact, the highest severity issue this month, identified as Security Note 2424173, is a Self Service issue in SAP HANA that has a Common Vulnerability Scoring System (CVSS) score of 9.8. As it turns out, all of the SAP HANA vulnerabilities were reported by a single security research firm, Onapsis.

Security Note 2424173 actually comprises 10 related vulnerabilities in the SAP HANA Self Service system, Sebastian Bortnik, head of Research Labs at Onapsis, told eWEEK. According to SAP, the 2424173 issues are a risk because an attacker could potentially take control of an unpatched SAP HANA system.

"However, this affects only customers if the optional User Self Service component (disabled by default) has been enabled and exposed to an untrusted network," Holger Mack, security lead at SAP, wrote in a blog post. The security note contains instructions on how to check if the User Self Service tool is enabled and how to protect the system by either updating or deactivating the affected service (if not needed anymore or as temporary measure)."

According to Onapsis' analysis of the Self Service flaws, the vulnerable SAP HANA Self Service component could result in attacks such as a full system compromise without the attacker first needing any type of previous authentication.

"Critical data and information (ie. financial information, PII, credit cards, HR and customer data, business trade secrets, etc) can be stolen, altered or deleted by an attacker," Onapsis wrote in its analysis. "It is important to mention that none of these attacks need any interaction from the SAP HANA administrator users."

Onapsis also reported a session fixation vulnerability in SAP HANA that was given a CVSS score of 8.8 and is detailed in SAP Security Note 2429069. According to SAP's Mack, the vulnerability could allow an attacker to elevate privileges by impersonating another user in the system. The issue according to Onapsis has to do with not enough randomness in the SAP HANA session key.

"In this case, an attacker can do a kind of brute force attack to guess a session key, since it is not completely random," Bortnik told eWEEK. "So, it is not as easy as replicating a session key, but rather there is not enough randomization on it."

There are a total of seven high-priority notes in the March update, including a remote command execution bug in the SAP GUI for Windows and a pair denial-of-service flaws in the SAP Visual Composer and in the SAP NetWeaver Dynpro Engine. Additionally, the SAP March update provides security notes for eight cross-site scripting (XSS) issues as well as a pair of low-impact SQL injection vulnerabilities.

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.