SAP’s security patch day for February 2020 has seen the release of 15 SAP security notes.
11 OSS notes have been classified as medium, 3 as high and 1 as critical, based on their CVSS v3.0 ratings.
A total of 5 security notes this month relate to the SAP NetWeaver ABAP stack and 3 to the SAP NetWeaver Java stack. A further 2 security notes were found in the following products: SAP Solution Manager 7.2, SAP S/4HANA and SAP Landscape Management. In addition, one vulnerability was found in each of the following products: SAP Business Client, SAP Mobile Platform and SAP BusinessObjects.
Vulnerabilities: February 2020 Highlights
Denial of Service (DoS) Vulnerability in SAP Host Agent (SAP Note 2841053)
An unauthenticated attacker can cause a denial of service of the SAP Host Agent authentication service by sending malicious requests. SAP Host Agent uses the username/password-based authentication facilities provided by the operating system. Common ways to protect such facilities against brute-force authentication attacks include delaying failed authentication attempts, delegating authentication requests to a remote server, and limiting the number of parallel authentication requests.
If your OS-based authentication uses any of those attack-prevention methods, a flood of malicious requests can slow down the processing of all other username/password-based authentication requests, so legitimate callers see delayed responses. The recommended solution to this vulnerability is to restrict access to the SAP Host Agent port so that it is reachable only from the datacentre network.
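To make the mechanism behind this note concrete, here is a small simulation, added for this review and not code from SAP or from the SAP Host Agent: a toy authentication front end that stalls after each failed login, modelled once with a single shared delay and once with a delay keyed by the requesting source. The delay value, the simulated IP addresses and the class and function names are constructed for the illustration. It shows why an anti-brute-force delay applied across all callers turns a stream of failed logins into a denial of service for everyone else, and why per-source limiting contains the damage; neither variant replaces the note's actual recommendation of restricting network access to the port.

```python
from collections import defaultdict

FAIL_DELAY = 1.0   # assumed: seconds the service stalls after each failed attempt


class AuthService:
    """Toy model of a username/password authentication front end that
    delays failed attempts, as the OS-level facilities described above do.

    per_source=False models one shared delay queue (one flood slows everyone).
    per_source=True models a delay queue keyed by the requesting source address.
    """

    def __init__(self, per_source):
        self.per_source = per_source
        # key -> simulated time at which that queue becomes free again
        self.busy_until = defaultdict(float)

    def _key(self, source):
        return source if self.per_source else "*"

    def authenticate(self, source, password_ok, now):
        """Process one login attempt at simulated time `now` and return the
        response time in seconds as seen by the caller."""
        key = self._key(source)
        start = max(now, self.busy_until[key])        # wait behind earlier delayed failures
        finish = start + (0.0 if password_ok else FAIL_DELAY)
        self.busy_until[key] = finish
        return finish - now


def legitimate_login_latency(per_source, failed_attempts=50):
    """Send `failed_attempts` wrong passwords from one constructed source,
    then measure how long a legitimate user's correct login takes at the same
    simulated instant."""
    svc = AuthService(per_source)
    for _ in range(failed_attempts):
        svc.authenticate("10.0.0.99", password_ok=False, now=0.0)   # constructed noisy source
    return svc.authenticate("10.0.0.5", password_ok=True, now=0.0)  # constructed legitimate user


if __name__ == "__main__":
    print("shared delay, legitimate user waits:", legitimate_login_latency(False), "s")
    print("per-source delay, legitimate user waits:", legitimate_login_latency(True), "s")
```

With the shared delay the legitimate user waits behind fifty stalled failures (50 seconds in this model) even though their own password is correct; with the per-source variant they are served immediately, because only the offending source's queue is penalised. The model also shows that a legitimate user who mistypes their own password still pays one delay in either mode, which is the intended brute-force protection.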
[CVE-2020-6191] Missing Input Validation in SAP Landscape Management (SAP Note 2878030) & (SAP Note 2877968)
An attacker with admin privileges could execute malicious commands with root privileges in SAP Host Agent via SAP Landscape Management, due to missing input validation. The note on this vulnerability states that it is fixed by patching both SAP Landscape Management and SAP Adaptive Extensions.
[CVE-2020-6192] Security updates for the browser control Google Chromium delivered with SAP Business Client (SAP Note 2622660)
The SAP Business Client installer includes a bundled release of Google Chrome (from release 6.5 PL5) that is the current stable version at the time of installation. The note outlines that this bundled browser needs to be updated to the latest version to remove the risk of web page exploits.
About this review
On the second Tuesday of each month, SAP releases security updates for its software products. At Absoft, we analyse all of the released security updates and produce this security review, including bespoke recommendations for each of our managed service customers.
There is more information on how we handle SAP security updates, including SAP's process, the CVE process and CVSS base scores, in our earlier article on addressing security vulnerabilities in SAP software.