SAP Patch Day – July 2019 addresses a critical flaw in Diagnostics Agent

SAP released 11 Security Notes as part of the Patch Day – July 2019, one of which was a Hot News Note addressing a critical flaw in Diagnostics Agent.

This month SAP released 11 Security Notes as part of the Patch Day – July 2019. One of them is a Hot News Note that addresses a critical vulnerability in Diagnostics Agent tracked as CVE-2019-0330.

The vulnerability is an OS command injection issue that could be exploited to fully compromise the SAP system, it received a CVSS score of 9.1.

The Diagnostics Agent is a central component of the SAP Solution Manager system landscape. It allows to manage monitoring and diagnostics events communications between every SAP system and Solution Manager that allows administrators to execute OS commands through a GAP_ADMIN transaction.

Each command is validated using a whitelist file that is present in the Diagnostic Agent installation directory. The CVE-2019-0330 flaw could be exploited by an attacker to bypass the validation process by sending a specially crafted payload.

“Using its basic functionality, a SolMan admin can execute OS commands through a GAP_ADMIN transaction, in order to perform analysis into an SAP system. Once executed, those commands are validated using a whitelist file located in the SMDAgent installation directory.” reads the analysis published by Onapsis. “This vulnerability may allow an attacker to bypass this validation by sending a custom-crafted payload. Using this technique the attacker could obtain full control over an SAP system compromising the SMDAgent user, allowing access sensitive information (such as credentials and critical business information), changing application configurations or even stopping SAP services.”

Experts pointed out that the SDMAgent must be installed in every SAP system for diagnostic purposes, this means that the extent of the attack is broad and could affect the entire landscape.

SAP also released a High priority Security Note that addresses a code injection flaw, tracked as CVE-2019-0328, that affects the ABAP Tests Modules of NetWeaver Process Integration.

The CVE-2019-0328 vulnerability received a CVSS score of 8.7.

The flaw resides in the Extended Computer Aided Test Tool (eCATT), a tool used to cover automatic testing in SAP business processes.

July 2019 Patch Day updates also address other 9 Medium severity flaws: Denial of service in Commerce Cloud (CVE-2019-0322), XSS in OpenUI5 (CVE-2019-0281), XSS in Information Steward (CVE-2019-0329), XSS in ABAP (CVE-2019-0321), XSS in SAP BusinessObjects (CVE-2019-0326), Unrestricted File Upload in NetWeaver (CVE-2019-0327), Missing Authorization check in ERP HCM (CVE-2019-0325), Information disclosure in NetWeaver (CVE-2019-0318), and Content Injection in Gateway (CVE-2019-0319).

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – SAP security, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.