8/10/2019 Onapsis Webcasttopnotes Final
1/17
CONFIDENTIAL 2014 Onapsis, Inc. All Rights Reserved 04/11/2014

Slide 1: A Guide to Understanding the Most Impactful SAP Security Notes of 2014
Alex Horan, Product Manager
Slide 2: Agenda
- Introductions
- Purpose of Webcast
- CVSS Explained
- Security Note Release Review
- Conclusion
Slide 3: Introductions
Onapsis
- Company focused on the security of ERP systems and business-critical infrastructure (SAP, Siebel, Oracle E-Business Suite, PeopleSoft, JD Edwards).
- Working with large global and government organizations.
What does Onapsis do?
- Innovative ERP security software (Onapsis X1, Onapsis Bizploit, Onapsis IA).
- ERP security consulting services.
- Trainings on business-critical infrastructure security.
Presenter: Alex Horan, Product Manager (Security)
Slide 4: Purpose of Webcast
- Raising SAP Security Note awareness
- SAP Security Note schedule
- Security Note analysis
- Security Note best practices
Slide 5: CVSS
Common Vulnerability Scoring System (CVSS) is a vulnerability scoring system designed to provide an open and standardized method for rating IT vulnerabilities. CVSS helps organizations prioritize and coordinate a joint response to security vulnerabilities by communicating the base, temporal and environmental properties of a vulnerability. The scores quoted on the following slides are CVSS v2 base scores, each followed by its vector string.
http://www.first.org/cvss
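Added example, not part of the Onapsis deck: a calculator that turns CVSS v2 base vector strings, in the form the following slides quote them, into base scores, and ranks a list of notes by that score. The metric weights and rounding rule are the published CVSS v2 base equations (first.org/cvss); the NVD severity bands (Low/Medium/High) are NVD's, not SAP's; the note list is copied from the deck's highlight slides. The parser upper-cases keys because the deck writes both "AU" and "Au".

```python
"""Added example (not from the deck): CVSS v2 base scores from vector strings,
then a ranking of the deck's highlight notes by score."""
import math

# CVSS v2 base metric weights (first.org/cvss, v2 equations)
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}
IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}  # confidentiality / integrity / availability

REQUIRED = ("AV", "AC", "AU", "C", "I", "A")


def parse_vector(vector: str) -> dict:
    """Split 'AV:N/AC:L/AU:N/C:P/I:P/A:N' into {'AV': 'N', ...}.
    Keys and values are upper-cased because the deck writes both 'AU' and 'Au'."""
    metrics = {}
    for part in vector.strip().strip("()").split("/"):
        key, sep, value = part.partition(":")
        if not sep:
            raise ValueError(f"malformed metric {part!r} in {vector!r}")
        metrics[key.strip().upper()] = value.strip().upper()
    missing = [k for k in REQUIRED if k not in metrics]
    if missing:
        raise ValueError(f"vector {vector!r} lacks metrics {missing}")
    return metrics


def _round1(x: float) -> float:
    """CVSS v2 rounds half up to one decimal; Python's round() rounds half to even."""
    return math.floor(x * 10 + 0.5) / 10


def cvss2_base_score(vector: str) -> float:
    """Base score per the CVSS v2 equations."""
    m = parse_vector(vector)
    impact = 10.41 * (1 - (1 - IMPACT[m["C"]]) * (1 - IMPACT[m["I"]]) * (1 - IMPACT[m["A"]]))
    exploitability = 20 * ACCESS_VECTOR[m["AV"]] * ACCESS_COMPLEXITY[m["AC"]] * AUTHENTICATION[m["AU"]]
    f_impact = 0.0 if impact == 0 else 1.176  # no impact at all scores 0
    return _round1((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact)


def severity(score: float) -> str:
    """NVD's severity bands for CVSS v2 scores."""
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


# Highlight notes from the deck: (note number, title, CVSS v2 vector as printed)
DECK_NOTES = [
    (1922547, "Missing authentication check in NW EP iView Wizard", "AV:N/AC:L/AU:N/C:P/I:P/A:N"),
    (1963100, "Disabling execution of operating system commands using a CTC URL", "AV:N/AC:L/AU:S/C:C/I:C/A:C"),
    (1965610, "Code injection vulnerability in external commands", "AV:N/AC:M/AU:S/C:P/I:P/A:C"),
    (2015882, "Apache Struts 2 Vulnerability in SAP Online Banking", "AV:N/AC:L/Au:N/C:P/I:P/A:P"),
    (2007530, "Invalid User Authentication in Unix SAP Content Server", "AV:N/AC:L/AU:N/C:P/I:P/A:P"),
    (2036562, "Potential modification of persisted data in Afaria Server", "AV:N/AC:M/AU:N/C:N/I:C/A:C"),
    (1979454, "Missing authorization check in Batch Input Recorder", "AV:N/AC:L/AU:S/C:P/I:P/A:P"),
    (2043404, "Code injection vulnerability in CRM-ISA", "AV:N/AC:M/AU:N/C:C/I:C/A:C"),
]


def rank_notes(notes):
    """Return [(score, note number, severity, title)] highest first; ties by note number."""
    scored = []
    for number, title, vector in notes:
        score = cvss2_base_score(vector)
        scored.append((score, number, severity(score), title))
    return sorted(scored, key=lambda row: (-row[0], row[1]))


if __name__ == "__main__":
    for score, number, sev, title in rank_notes(DECK_NOTES):
        print(f"{score:4.1f} {sev:6} {number} {title}")
```

Recomputing the score from the vector is a useful check when a note is re-released: if the vector on the re-release no longer reproduces the printed score, one of the two was edited, and the note deserves another look.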
Slide 6: January
- 34 Security Notes released
- Five older security notes were updated due to new security issues:
  o 1687668, 1425123, 1675484, 1744747 and 1903266

Highlight Note Details
Number: 1922547
Title: Missing authentication check in NW EP iView Wizard
CVSS: 6.4 (AV:N/AC:L/AU:N/C:P/I:P/A:N)
Details: The NW Portal new iView wizard component does not contain authentication checks for checking a user's access to some of its functions.
Slide 7: February
- 33 Security Notes released (67 YTD)
- Ten notes addressed hardcoded credentials:
  o 1914777, 1915873, 1920323, 1738965, 1795463, 1768049, 1911174, 1791081, 1789569
- 1905408 had a CVSS of 8.3 (AV:N/AC:M/AU:N/C:P/I:P/A:C)
- 1846438 has a CVSS of 7.5 (AV:N/AC:L/AU:N/C:P/I:P/A:P)

Highlight Note Details
Number: 1963100
Title: Disabling execution of operating system commands using a CTC URL
CVSS: 9.0 (AV:N/AC:L/AU:S/C:C/I:C/A:C)
Details: The CTC application contains a vulnerability where any operating system command can be executed on an AS Java host using NWA credentials through a URL invocation. Typically, this requires authentication using NWA credentials. If you have not already implemented SAP Security Note 1445998, then this can be done without authentication using NWA credentials.
Slide 8: March
- 9 Security Notes released (76 YTD)
- First HANA vulnerabilities reported by a third party

Highlight Note Details
Number: 1965610
Title: Code injection vulnerability in external commands
CVSS: 7.5 (AV:N/AC:M/AU:S/C:P/I:P/A:C)
Details: The program code contains a possibility to define and execute operating system commands that change the behavior of the system. A valid and authenticated user is required. Depending on the command, the user can: inject and run their own code, obtain additional information that should not be displayed, modify data, delete data, modify the output of the system, create new users with higher privileges, perform a denial-of-service attack.
Slide 9: (no text content extracted)

Slide 10: May
- 17 Security Notes released (116 YTD)
- 3 Notes released related to the Heartbleed vulnerability

Highlight Note Details
Number: 2015882
Title: Apache Struts 2 Vulnerability in SAP Online Banking
CVSS: Not reported by SAP. NVD reported 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P), https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0112
Details: The excluded parameter pattern introduced in Apache Struts version 2.3.16.1 to block access to the getClass() method wasn't sufficient. It is possible to bypass it with specially crafted requests.
According to NVD: ParametersInterceptor in Apache Struts before 2.3.16.2 does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0094.
Slide 11: June
- 21 Security Notes released (137 YTD)
- 8 Notes with a CVSS of 5.0 or higher

Highlight Note Details
Number: 2007530
Title: Invalid User Authentication in Unix SAP Content Server
CVSS: 7.5 (AV:N/AC:L/AU:N/C:P/I:P/A:P)
Details: BC-SRV-KPR-CS does not perform authentication checks when shadow passwords are enabled. This may result in undesired system behavior.
Slide 12: July
- 14 Security Notes released (151 YTD)
- Vulnerability patched in Afaria server

Highlight Note Details
Number: 2036562
Title: Potential modification of persisted data in Afaria Server
CVSS: 8.8 (AV:N/AC:M/AU:N/C:N/I:C/A:C)
Details: The problem is caused by an SQL injection vulnerability. The code composes an SQL statement that contains strings that can be altered by an attacker. The manipulated SQL statement can then be used to modify information in the database.
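Added example, not from the deck and not Afaria's code: the defect class the note describes, a statement whose text is composed from a caller-supplied string, next to the parameterized form that fixes it. The devices table, its three rows and the "mark device lost" operation are constructed for illustration and run in an in-memory SQLite database; the returned row counts show how a single quote in the input changes what the composed statement modifies, and why the bound-parameter version is what a code review should expect to find.

```python
"""Added example (not from the deck): composed SQL versus a bound parameter,
against a constructed SQLite table."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: three active devices."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE devices (device_id TEXT PRIMARY KEY, status TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO devices VALUES (?, ?)",
        [("dev-001", "active"), ("dev-002", "active"), ("dev-003", "active")],
    )
    conn.commit()
    return conn


def mark_lost_composed(conn: sqlite3.Connection, device_id: str) -> int:
    """Vulnerable pattern: the caller's string becomes part of the statement
    text, so a quote character in it rewrites the WHERE clause.
    Returns the number of rows modified."""
    sql = "UPDATE devices SET status = 'lost' WHERE device_id = '" + device_id + "'"
    return conn.execute(sql).rowcount


def mark_lost_parameterized(conn: sqlite3.Connection, device_id: str) -> int:
    """Hardened pattern: the statement text is fixed; the driver binds the value,
    which can only ever be compared against device_id, never parsed as SQL.
    Returns the number of rows modified."""
    return conn.execute(
        "UPDATE devices SET status = 'lost' WHERE device_id = ?", (device_id,)
    ).rowcount


def lost_devices(conn: sqlite3.Connection) -> list:
    """Which devices are currently marked lost (sorted for stable comparison)."""
    rows = conn.execute("SELECT device_id FROM devices WHERE status = 'lost' ORDER BY device_id")
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    print("composed, well-formed id  ->", mark_lost_composed(db, "dev-001"), "row(s)")
    db = make_db()
    print("parameterized, odd input ->", mark_lost_parameterized(db, "x' OR '1'='1"), "row(s)")
```

The same review rule applies to the ABAP and Java code behind SAP systems: any statement assembled with string concatenation from request data is a finding, regardless of how the application later validates the input.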
Slide 13: August
- 37 Security Notes released (188 YTD)
- 3 Notes with a CVSS over 8.0

Highlight Note Details
Number: 2053074
Title: Potential modification of persisted data in Afaria Server
CVSS: 8.8 (AV:N/AC:M/AU:N/C:N/I:C/A:C)
Details: The problem is caused by an SQL injection vulnerability. The code composes an SQL statement that contains strings that can be altered by an attacker. The manipulated SQL statement can then be used to modify information in the database.
Slide 14: September
- 29 Security Notes released (217 YTD)
- Note published for SAP ONE CLOUD solution

Highlight Note Details
Number: 1979454
Title: Missing authorization check in Batch Input Recorder
CVSS: 6.5 (AV:N/AC:L/AU:S/C:P/I:P/A:P)
Details: Batch Input Recorder does not contain authorization checks for checking an authenticated user's authorization to access some of its functions. This may result in undesired system behavior.
Slide 15: October
- 34 Security Notes released (251 YTD)
- Hot News item delivered

Highlight Note Details
Number: 2043404
Title: Code injection vulnerability in CRM-ISA
CVSS: 9.3 (AV:N/AC:M/AU:N/C:C/I:C/A:C) (originally released as a 7.5; updated by Note 2085139 on 28.10.2014)
Details: The program code contains a possibility to define and execute user-defined code that changes the behavior of the system. A valid and authenticated user is not required. Depending on the code, the user can: inject and run their own code, obtain additional information that should not be displayed, modify data, delete data, modify the output of the system, create new users with higher privileges, perform a denial-of-service attack.
Slide 16: Conclusion
- Create a process to review new notes
- Have a procedure to monitor old notes for changes
- Understand the risk the notes mean for you
- Reduce the risk to an acceptable level
- Monitor for changes to risk
- Once the above is defined, automate.
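Added example, not from the deck: one way to automate the "monitor old notes for changes" step. It compares two snapshots of a note inventory and reports only what needs re-triage: notes that are new, re-released under a higher version, or re-scored, with a flag when the current score reaches a threshold. The Note record type, its fields, the version numbers and the sample records are constructed for illustration; the 7.5 to 9.3 change to note 2043404 mirrors the deck's October slide, and note 2085139 is given no score here simply because the deck quotes none for it.

```python
"""Added example (not from the deck): diff two snapshots of an SAP Security
Note inventory and list the notes that need another look."""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Note:
    number: int
    version: int            # constructed field: bumped when a note is re-released
    cvss: Optional[float]   # None when no score was published
    title: str


def triage(previous: Iterable[Note], current: Iterable[Note],
           threshold: float = 7.0) -> List[Tuple[int, Optional[float], str]]:
    """Return (note number, current CVSS, reason) for each note that is new,
    re-scored, or re-released since the previous snapshot, highest score first.
    Unchanged notes are deliberately omitted: once the baseline has been
    reviewed, only the delta needs a human's attention."""
    old = {n.number: n for n in previous}
    findings = []
    for note in current:
        before = old.get(note.number)
        if before is None:
            reason = "new note"
        elif note.cvss != before.cvss:
            reason = f"re-scored {before.cvss} -> {note.cvss}"
        elif note.version != before.version:
            reason = f"re-released (version {before.version} -> {note.version})"
        else:
            continue  # same number, version and score: nothing to re-triage
        if note.cvss is None:
            reason += "; no SAP score, assess manually"
        elif note.cvss >= threshold:
            reason += f"; at or above {threshold}, expedite"
        findings.append((note.number, note.cvss, reason))
    # highest score first; unscored notes sort last, ties broken by note number
    findings.sort(key=lambda f: (-(f[1] if f[1] is not None else -1.0), f[0]))
    return findings


# Constructed snapshots: before and after the October 2014 re-release of 2043404
PREVIOUS = [
    Note(1922547, 1, 6.4, "Missing authentication check in NW EP iView Wizard"),
    Note(2043404, 1, 7.5, "Code injection vulnerability in CRM-ISA"),
]
CURRENT = [
    Note(1922547, 1, 6.4, "Missing authentication check in NW EP iView Wizard"),
    Note(2043404, 2, 9.3, "Code injection vulnerability in CRM-ISA"),
    Note(2085139, 1, None, "Update to note 2043404 (constructed title)"),
]


if __name__ == "__main__":
    for number, score, reason in triage(PREVIOUS, CURRENT):
        print(f"{number}  cvss={score}  {reason}")
```

Feeding this from whatever export your SAP note tooling produces turns the slide's manual procedure into a scheduled job whose output is empty on a quiet day and short on a busy one, which is what makes it worth reading every time.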
Slide 17: Questions?
Alex Horan: [email protected]