This month SAP released 11 Security Notes as part of the Patch Day – July 2019. One of them is a Hot News Note that addresses a critical vulnerability in Diagnostics Agent tracked as CVE-2019-0330.
The vulnerability is an OS command injection issue that could be exploited to fully compromise the SAP system, it received a CVSS score of 9.1.
The Diagnostics Agent is a central component of the SAP Solution Manager system landscape. It allows to manage monitoring and diagnostics events communications between every SAP system and Solution Manager that allows administrators to execute OS commands through a GAP_ADMIN transaction.
Each command is validated using a whitelist file that is present in the Diagnostic Agent installation directory. The CVE-2019-0330 flaw could be exploited by an attacker to bypass the validation process by sending a specially crafted payload.
“Using its basic functionality, a SolMan admin can execute OS commands through a GAP_ADMIN transaction, in order to perform analysis into an SAP system. Once executed, those commands are validated using a whitelist file located in the SMDAgent installation directory.” reads the analysis published by Onapsis. “This vulnerability may allow an attacker to bypass this validation by sending a custom-crafted payload. Using this technique the attacker could obtain full control over an SAP system compromising the SMDAgent user, allowing access sensitive information (such as credentials and critical business information), changing application configurations or even stopping SAP services.”
Experts pointed out that the SDMAgent must be installed in every SAP system for diagnostic purposes, this means that the extent of the attack is broad and could affect the entire landscape.
SAP also released a High priority Security Note that addresses a code injection flaw, tracked as CVE-2019-0328, that affects the ABAP Tests Modules of NetWeaver Process Integration.
The CVE-2019-0328 vulnerability received a CVSS score of 8.7.
The flaw resides in the Extended Computer Aided Test Tool (eCATT), a tool used to cover automatic testing in SAP business processes.
July 2019 Patch Day updates also address other 9 Medium severity flaws: Denial of service in Commerce Cloud (CVE-2019-0322), XSS in OpenUI5 (CVE-2019-0281), XSS in Information Steward (CVE-2019-0329), XSS in ABAP (CVE-2019-0321), XSS in SAP BusinessObjects (CVE-2019-0326), Unrestricted File Upload in NetWeaver (CVE-2019-0327), Missing Authorization check in ERP HCM (CVE-2019-0325), Information disclosure in NetWeaver (CVE-2019-0318), and Content Injection in Gateway (CVE-2019-0319).
(SecurityAffairs – SAP security, hacking)