First critical issue: patch management flaws

In our previous articles we introduced the list of the 9 most important critical issues in business application security and presented the skeleton of our guideline with its 33 security assessment steps. So far you have seen only that skeleton, so it is now time to explain each step in detail.

To ensure full-scale system security it is crucial to install security support packages regularly. The number of support packages a system needs can be huge: the number of SAP Security Notes had grown to more than 3000 by mid-2014. As some of you may know, each SAP Security Note fixes one or more vulnerabilities, and about 50 Security Notes are issued monthly. Sometimes a SAP Security Note is even based on the results of a third-party researcher's work. When it comes to prompt vulnerability elimination, we should also bear in mind the consequences that can follow when tools such as Metasploit are used to gain unrestricted access to corporate information. Given these arguments, it is reasonable to conclude that developing and establishing a patch management process, one that ensures adequate preventive measures against potential threats, is highly necessary at this stage. Let us now focus on the two major checks that must be in place to address the most critical problems.


Further steps

Patch checks should also cover SAP components that are installed separately from the application server, such as SAP Router, SAP Web Dispatcher and SAP GUI. The same applies to systems that are linked to the NetWeaver ABAP application server but run on the NetWeaver J2EE or SAP BusinessObjects application servers; their security is covered by a separate document included in the EAS-SEC. It is also essential to check security patches for the operating systems on which SAP services are installed, and for the DBMS that stores SAP solution data.

[EASAI-NA-01] Check for components update (SAP Notes)

Description

The essence of the patching procedure is that a patch replaces outdated and vulnerable objects. There are two ways to fix a vulnerability: either implement the correction instructions from an SAP Note in the system, or install a Support Package. As a rule, a particular SAP Note (with appropriate correction instructions) is issued first, and a Support Package is applied later. The Support Package usually contains changed or new functionality together with the set of correction instructions issued over a certain period of time.

As mentioned above, the number of support packages and SAP Notes a system requires may be huge. That is why the patch management process should also define the priority of patch installation. When determining that priority, one should consider the following factors:

  • Threat severity,
  • Threat probability,
  • Required system privileges,
  • Complexity of exploitation, and
  • Public exploit availability.
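As an added example, not part of the guideline or of any SAP tool, the following script turns the five factors above into a single priority score and ranks a constructed inventory of notes by it. The weights, the scales and the note identifiers are all assumptions chosen for illustration; a real process would calibrate them to the organisation's own risk appetite.

```python
"""Added example: rank security notes by the prioritisation factors.

The SecurityNote fields map one-to-one onto the five factors listed in the
text.  Weights and sample data are constructed assumptions, not SAP or
EAS-SEC values, and the note identifiers are placeholders.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SecurityNote:
    note_id: str           # placeholder id, not a real SAP Note number
    severity: float        # threat severity on an assumed 0.0 - 10.0 scale
    probability: float     # threat probability, 0.0 - 1.0
    privileges: str        # required privileges: "none", "user" or "admin"
    complexity: str        # exploitation complexity: "low" or "high"
    public_exploit: bool   # is a public exploit available?


# Assumed discount factors: a fix matters more when less is needed to abuse the flaw.
PRIVILEGE_FACTOR = {"none": 1.0, "user": 0.7, "admin": 0.4}
COMPLEXITY_FACTOR = {"low": 1.0, "high": 0.6}
PUBLIC_EXPLOIT_BOOST = 1.5   # assumed multiplier when an exploit is public


def priority_score(note: SecurityNote) -> float:
    """Combine the five factors into one number; higher means install sooner."""
    score = note.severity * note.probability
    score *= PRIVILEGE_FACTOR[note.privileges]
    score *= COMPLEXITY_FACTOR[note.complexity]
    if note.public_exploit:
        score *= PUBLIC_EXPLOIT_BOOST
    return round(score, 2)


def prioritize(notes):
    """Return the notes ordered by descending score, id as a stable tie-break."""
    return sorted(notes, key=lambda n: (-priority_score(n), n.note_id))


# Constructed inventory of four notes awaiting installation.
SAMPLE_NOTES = [
    SecurityNote("NOTE-A", 9.0, 0.9, "none", "low", True),    # remote, trivial, public exploit
    SecurityNote("NOTE-B", 9.5, 0.5, "admin", "high", False),  # severe but needs admin rights
    SecurityNote("NOTE-C", 6.0, 0.8, "user", "low", True),
    SecurityNote("NOTE-D", 7.0, 0.3, "none", "high", False),
]

if __name__ == "__main__":
    for note in prioritize(SAMPLE_NOTES):
        print(f"{note.note_id}: {priority_score(note):6.2f}")
```

Note how NOTE-B, the note with the highest raw severity, lands last: once required privileges and exploitation complexity are taken into account, a lower-severity flaw with a public exploit is the more urgent fix.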

WARNING! The two vulnerability management channels can get mixed up: a vulnerability may be fixed either by a support package or by an SAP Note, and the two are not synchronized. For instance, a vulnerability fixed by a support package will not appear as implemented in the SAP Notes list shown by the SNOTE transaction.


Threat

As soon as a new security patch appears, the newly identified vulnerabilities it fixes quickly become public knowledge; in other words, anyone can read their description. Consequently, if the security patch is implemented only after a long delay, an adversary has the chance to exploit those vulnerabilities and gain unauthorized access to sensitive business data.

Solution

It is imperative to check regularly for security patch updates. To do so, one should strictly follow the main patch management process steps (data collection, risk assessment, implementation of the security patch, result monitoring).

Using the SAP Patch Manager (SPAM) offered by SAP, one can download and implement the required support packages from the Online Server System (OSS). Note that this applies only to versions 3.0 and higher. To start SPAM, enter the command "SPAM" in the transaction code field.

It is also possible to use the multi-purpose SAP Software Update Manager (SUM) to implement various system updates. The good news is that a demo version of this product is publicly available at the time of writing [2].

To implement SAP Notes, use the SNOTE transaction to obtain the list of security notes required for a particular system. As mentioned above, these two mechanisms are not synchronized, so the lists have to be reconciled manually or with additional third-party tools.
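One way to do that reconciliation, as an added example that is not part of the guideline or of SNOTE itself: take the installed support package level per software component, the list of required notes with the level at which each one is fixed, and the set of notes SNOTE reports as implemented, then classify every note. The component names follow SAP's naming style, but all levels, note identifiers and fix levels below are constructed placeholders.

```python
"""Added example: reconcile the SNOTE view with installed support packages.

A note that SNOTE shows as "not implemented" is not necessarily missing: if the
installed support package level of its component already contains the fix, it
is covered.  All data here is constructed; note ids and levels are placeholders.
"""

# Installed support package level per software component (constructed).
INSTALLED_SP = {"SAP_BASIS": 12, "SAP_ABA": 10}

# Required notes: which component they belong to and the SP level that contains
# the fix (constructed; a real list would come from the SAP support portal).
REQUIRED_NOTES = {
    "NOTE-A": {"component": "SAP_BASIS", "fixed_in_sp": 11},
    "NOTE-B": {"component": "SAP_BASIS", "fixed_in_sp": 14},
    "NOTE-C": {"component": "SAP_ABA", "fixed_in_sp": 10},
    "NOTE-D": {"component": "SAP_ABA", "fixed_in_sp": 13},
    "NOTE-E": {"component": "SAP_HR", "fixed_in_sp": 3},
}

# Notes that the SNOTE transaction lists as implemented (constructed).
SNOTE_IMPLEMENTED = {"NOTE-D"}


def reconcile(installed_sp, required_notes, snote_implemented):
    """Classify each required note as implemented, covered by an SP, or missing."""
    result = {}
    for note_id, info in required_notes.items():
        level = installed_sp.get(info["component"])
        if note_id in snote_implemented:
            status = "implemented_via_snote"
        elif level is None:
            # Component not installed at all: the note does not apply here.
            status = "component_not_installed"
        elif level >= info["fixed_in_sp"]:
            # Fixed by the support package even though SNOTE still shows it as open.
            status = "covered_by_support_package"
        else:
            status = "missing"
        result[note_id] = status
    return result


def open_notes(installed_sp, required_notes, snote_implemented):
    """Only the notes that really still need action."""
    statuses = reconcile(installed_sp, required_notes, snote_implemented)
    return sorted(n for n, s in statuses.items() if s == "missing")


if __name__ == "__main__":
    for note_id, status in reconcile(INSTALLED_SP, REQUIRED_NOTES, SNOTE_IMPLEMENTED).items():
        print(f"{note_id}: {status}")
    print("still open:", open_notes(INSTALLED_SP, REQUIRED_NOTES, SNOTE_IMPLEMENTED))
```

Without the support package levels, a naive comparison against SNOTE alone would report four open notes for this inventory; the reconciled view shows that only one actually needs work.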

Before proceeding to the next security check, a small digression. We decided to be proactive about information security, so in addition to the major all-purpose checks, each item of our guideline contains a subsection called "Further steps". This subsection gives the main instructions on how to configure each particular item more securely.

[EASAI-NA-02] Check for kernel updates

Description

Keep in mind that the SAP system kernel consists of the executable files that implement the SAP Dispatcher, SAP Gateway, SAP Message Server, SAP Router and several other SAP services. For that reason, the SAP system kernel has its own update mechanism, different from that of the other components. Kernel updates are released as service packs for a specific kernel type.

To clarify: support packages are cumulative, so each one includes all the previous updates, although some releases contain updates for a single support package only.

Threat

As soon as a new security patch appears, the newly identified vulnerabilities it fixes quickly become public knowledge; in other words, anyone can read their description. Consequently, if the security patch is implemented only after a long delay, an adversary has the chance to exploit those vulnerabilities and gain unauthorized access to sensitive business data.

Kernel updates mostly fix highly critical vulnerabilities, and every system has a kernel. It is therefore crucial that kernel updates get the highest priority and are installed before those of other components.

Solution

It is imperative to check regularly for security patch updates. To do so, one should strictly follow the main patch management process steps (data collection, risk assessment, implementation of the security patch, result monitoring).

To check the current service pack version with SAP GUI, open the Status window in the System tab and click the "Other kernel info" button (Shift+F5 by default). Information on the latest service pack version is always published on the SAP support portal.

The update is usually downloaded as a directory of system and executable files that replaces the previous ones. The Software Update Manager (SUM) utility is also available and greatly simplifies the manual process (refer to the operating manual [4]).
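As an added example, not code from the guideline or from SAP, the script below parses a constructed copy of the key/value text that the "Other kernel info" view shows and compares it against a baseline of minimum acceptable patch numbers per kernel release. The field names "kernel release" and "patch number" are assumed to match what the view prints, and the baseline numbers are constructed; in practice they would be taken from the SAP support portal.

```python
"""Added example: check the running kernel against a minimum patch baseline.

SAMPLE_KERNEL_INFO is a constructed imitation of the "Other kernel info" text;
the field names are an assumption and the numbers are placeholders.
"""
import re

SAMPLE_KERNEL_INFO = """\
kernel release                742
kernel make variant           742_REL
compiled on                   Linux GNU SLES-11 x86_64
patch number                  201
"""

# Constructed baseline: the lowest patch number per release that is considered
# current.  A real baseline comes from the SAP support portal.
BASELINE_PATCH = {"742": 300, "745": 100}


def parse_kernel_info(text):
    """Turn 'key<two or more spaces>value' lines into a dict, ignoring the rest."""
    info = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([a-z][a-z ]*?)\s{2,}(\S.*)$", line)
        if m:
            info[m.group(1).strip()] = m.group(2).strip()
    return info


def kernel_status(info, baseline):
    """Return (status, release, patch); status is one of
    'current', 'outdated', 'unknown_release' or 'incomplete_info'."""
    release = info.get("kernel release")
    patch_text = info.get("patch number")
    if release is None or patch_text is None or not patch_text.isdigit():
        return ("incomplete_info", release, None)
    patch = int(patch_text)
    if release not in baseline:
        # A release the baseline does not know about needs a human decision.
        return ("unknown_release", release, patch)
    if patch < baseline[release]:
        return ("outdated", release, patch)
    return ("current", release, patch)


if __name__ == "__main__":
    parsed = parse_kernel_info(SAMPLE_KERNEL_INFO)
    print(kernel_status(parsed, BASELINE_PATCH))
```

Treating an unknown release or missing fields as a separate outcome, rather than as "current", matters: a check that silently passes on input it cannot interpret would hide exactly the systems that most need attention.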

That's it for today's article: we have covered the first critical issue, "patch management flaws", and the two steps relating to it. We hope you like our work and share our urge to raise information security to a higher level.


CISO Platform