SAP Security Notes Review: August 2020
SAP’s security patch day for August 2020 has seen the release of 15 OSS SAP security notes. 8 OSS notes have been classified as medium, 6 OSS notes have been classified as high and 1 as critical, based on the CVSS v3.0 rating.
3 OSS notes have been released this month for SAP NetWeaver AS ABAP, plus 2 each for SAP Fiori, SAP BusinessObjects and SAP Knowledge Management. Single notes have been released for SAP Banking Services, SAP Data Intelligence, SAP NetWeaver AS JAVA, SAP ASE, SAP Commerce and HCM Travel Management.
Vulnerabilities: August 2020 Highlights
[CVE-2020-6284] Cross-Site Scripting (XSS) in SAP NetWeaver (Knowledge Management) (SAP Note 2928635)
SAP NetWeaver Knowledge Management (KM) allows script content in a stored file to be executed automatically, with the accessing user’s privileges, due to inadequate filtering. If the accessing user has administrative privileges, the execution of the script content could result in complete compromise of system confidentiality, integrity and availability.
[CVE-2020-6294] Missing Authentication check in SAP BusinessObjects Business Intelligence Platform (SAP Note 2927956)
The Xvfb component of the BI platform on Unix does not perform any authentication checks for functionality that requires a user identity. If an attacker has access to the internal network (LAN), they can connect to the open ports and gain unauthenticated access to the X server. An attacker could potentially obtain the username and password of a user who is logged on to the remote host.
[CVE-2020-6298] Missing Authorization check in SAP Banking Services (Generic Market Data) (SAP Note 2939685)
An unauthorized user can display protected Business Partner Generic Market Data (GMD) or modify the related GMD key figure values in SAP Banking Services, due to an improper authorization check.
[CVE-2020-6296] Code Injection Vulnerability in SAP NetWeaver (ABAP) and ABAP Platform (SAP Note 2941667)
SAP NetWeaver (ABAP Server) and ABAP Platform allow a low-privileged attacker to inject code by executing an ABAP report over the network. An attacker could thereby gain access to data and overwrite arbitrary SAP programs, including the essential logon program, which could lead to a denial of service.
[CVE-2020-6309] Missing Authentication check in SAP NetWeaver AS JAVA (SAP Note 2941315)
The SAP NetWeaver application exposes a web service that does not perform any authentication checks, which can lead to a complete denial of service.
[CVE-2020-6293] Unrestricted File Upload in SAP NetWeaver (Knowledge Management) (SAP Note 2938162)
SAP NetWeaver (Knowledge Management) allows an unauthenticated attacker to upload a file without requiring any user action. This allows the attacker to access, modify or make unavailable existing files, but the impact is limited to the files themselves and is restricted by other controls such as access control lists and upload file size restrictions.
About this review
On the second Tuesday of each month, SAP releases security updates for its software products. At Absoft, we analyse all of the released security updates and produce this security review, including sending bespoke recommendations to each of our managed service customers.
There is more information on how we handle SAP security updates, including information on SAP’s process, the CVE process and the CVSS base scores in our earlier article on addressing security vulnerabilities in SAP software.