[Full-disclosure] [Onapsis Research Labs] New SAP Security In-Depth issue: Transport Management System: Highway to Production
We are happy to announce a new issue of the Onapsis SAP Security In-Depth publication.

SAP Security In-Depth is a free publication led by Onapsis Research Labs with the purpose of providing practical educational information about the current and future risks in this area, allowing all the different roles (financial managers, information security managers, SAP administrators, auditors, consultants and others) to better understand the complete set of risks their SAP systems can contain and the techniques and tools available to assess and mitigate those risks.

In this edition: Transport Management System: Highway to Production, by Pablo Muller and Juan Perez-Etchegoyen.

--
In all SAP implementations there are numerous reasons why organizations would need to make changes and updates; from changes to legislation and compliance mandates to business growth and process evolution. The Transport Management System (TMS) is the backbone for properly executing these changes across a landscape (Dev, QA, PROD, etc.). If TMS is not properly secured, a malicious attacker could initiate disruptive and negatively impactful changes to Productive systems.
--

The full publication can be downloaded from http://www.onapsis.com/resources/get.php?resid=ssid08

We hope you enjoy this new issue!

Kindest regards,

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [Onapsis Research Labs] New SAP Security In-Depth issue: Preventing Cyber-Attacks Against SAP Solution Manager
Dear colleague,

We are happy to announce a new issue of the Onapsis SAP Security In-Depth publication.

SAP Security In-Depth is a free publication led by the Onapsis Research Labs with the purpose of providing specialized information about the current and future risks in this area, allowing all the different actors (financial managers, information security managers, SAP administrators, auditors, consultants and others) to better understand the involved risks and the techniques and tools available to assess and mitigate them.

In this edition: Preventing Cyber-Attacks Against SAP Solution Manager, by Nahuel Sanchez and Juan Perez-Etchegoyen.

--
By design the SAP Solution Manager is connected to all SAP systems (i.e. ERP, CRM, BI, etc.), making it a critical component of any SAP implementation: if successfully exploited by an attacker, all the satellite SAP environments, and therefore their business information, can be ultimately compromised. Despite its relevance, common IT security practices have traditionally overlooked this component, resulting in many insecure implementations.

This issue presents key security concepts about the Solution Manager, introduces an in-depth analysis of critical cyber-threats affecting it and, more importantly, outlines a list of mitigation techniques and countermeasures to protect SAP Solution Manager implementations. By understanding and leveraging this information, SAP and Information Security professionals can increase the overall security level of their company's SAP platform, better protecting their organization's business-critical information.
--

The full publication can be downloaded from http://www.onapsis.com/resources/get.php?resid=ssid07

We hope you enjoy this new issue!

Kindest regards,
[Full-disclosure] [Onapsis Research Labs] New Onapsis Bizploit release
Dear colleague,

We’re happy to announce the release of a new version of Onapsis Bizploit - the open-source ERP Penetration Testing framework.

Bizploit is a free command-line application to perform proof-of-concept penetration tests of the technical layer of SAP platforms.

Nowadays, most organizations which use SAP are going beyond the simple definition of SAP roles and profiles. They have incorporated the technical layer of their SAP platform into their regular risk assessment processes, in order to address the increased threat of cyber-attacks to their business-critical systems. With Bizploit, you can perform basic analysis of some of the existing technical vulnerabilities affecting your SAP systems, which often pose critical risks to the integrity of the entire platform.

Some new features in this new version (1.50-rc1):
- New exploits for Management Console.
- New modules for SAProuter.
- New modules for remote execution of RFC Functions.
- Module to detect the CTC Verb Tampering vulnerability.
- Several bug fixes.

You can download the new version from Onapsis’ web site at http://www.onapsis.com/bizploit

We hope you enjoy it! We would love to get your feedback on how you are using Bizploit. Don't hesitate to write us at bizpl...@onapsis.com!

Kindest regards,

P.S: Follow us on Twitter (@onapsis) to stay updated on the latest SAP ERP security research!

--
---
The Onapsis Research Labs Team
Onapsis, Inc.
Email: resea...@onapsis.com
Tel: +1 (617) 342 7434
Web: www.onapsis.com
Twitter: @onapsis
---
[Full-disclosure] [Onapsis Research Labs] New SAP Security In-Depth issue: Securing the Gate to the Kingdom: Auditing the SAProuter
Dear colleague,

We are happy to announce a new issue of the Onapsis SAP Security In-Depth publication.

SAP Security In-Depth is a free publication led by the Onapsis Research Labs with the purpose of providing specialized information about the current and future risks in this area, allowing all the different actors (financial managers, information security managers, SAP administrators, auditors, consultants and others) to better understand the involved risks and the techniques and tools available to assess and mitigate them.

In this edition: Securing the Gate to the Kingdom: Auditing the SAProuter, by Nahuel Sanchez.

--
The SAProuter is one of the most critical components of any SAP platform. Working as an application-level gateway, it is usually connected to untrusted networks and restricts access to the backend SAP systems. If not properly secured, remote attacks on an SAProuter implementation could result in malicious parties accessing the SAP platform and other systems in the organization's internal network.

This issue provides an introduction to the SAProuter, followed by an analysis of security threats and obscure attack vectors on such components. Each of the described risks is presented with countermeasures and protection strategies, to effectively mitigate it and increase the protection of the organization's SAP platform against cyber-attacks.
--

The full publication can be downloaded from http://www.onapsis.com/resources/get.php?resid=ssid06

We hope you enjoy this new issue!

Kindest regards,

--
---
The Onapsis Research Labs Team
Onapsis, Inc.
Email: resea...@onapsis.com
Tel: +1 (617) 342 7434
Web: www.onapsis.com
Twitter: @onapsis
---
[Full-disclosure] [Onapsis Research Labs] New SAP Security In-Depth issue: Our Crown Jewels Online: Attacks on SAP Web Applications
Dear colleague,

We are happy to announce a new issue of the Onapsis SAP Security In-Depth publication.

SAP Security In-Depth is a free publication led by the Onapsis Research Labs with the purpose of providing specialized information about the current and future risks in this area, allowing all the different actors (financial managers, information security managers, SAP administrators, auditors, consultants and others) to better understand the involved risks and the techniques and tools available to assess and mitigate them.

In this edition: Our Crown Jewels Online: Attacks on SAP Web Applications, by Mariano Nunez.

--
SAP platforms are only accessible internally. While that was true in many organizations more than a decade ago, today, driven by modern business requirements, SAP systems are very often connected to the Internet. This scenario dramatically increases the universe of possible attackers, as malicious parties can remotely try to compromise the organization's SAP platform and perform espionage, sabotage and fraud attacks.

SAP provides different Web technologies, such as the Enterprise Portal, the Internet Communication Manager (ICM) and the Internet Transaction Server (ITS), which may be prone to specific security risks. This issue analyzes possible attack vectors to SAP Web components and the measures that need to be taken in order to prevent them. This information will enable organizations to better protect their business-critical infrastructure against cyber-attacks performed over Web scenarios.
--

The full publication can be downloaded from http://www.onapsis.com/resources/get.php?resid=ssid05

This publication summarizes part of the research and presentations we have held regarding this topic over the last year at the major security conferences.

We are also going to hold two free Webinars with *live demonstrations of the attack vectors described in the publication*, so don't hesitate to join us to go deeper in the technical aspects of these threats and better understand the associated business risks.

* Tuesday, May 22, 2012 3:00 PM - 4:00 PM CEST - http://bit.ly/K3C30X
* Wednesday, May 23, 2012 1:00 PM - 2:00 PM EDT - http://bit.ly/KMNWHZ

We hope you enjoy this new issue!

Kindest regards,

--
---
The Onapsis Research Labs Team
Onapsis, Inc.
Email: resea...@onapsis.com
Tel: +1 (650) 288-6696
Web: www.onapsis.com
---
[Full-disclosure] [Onapsis Security Advisory 2012-03] Oracle JD Edwards SawKernel Arbitrary File Read
Onapsis Security Advisory: Oracle JD Edwards SawKernel Arbitrary File Read

This advisory can be downloaded in PDF format from http://www.onapsis.com/.
By downloading this advisory from the Onapsis Resource Center, you will gain access to beforehand information on upcoming advisories, presentations and new research projects from the Onapsis Research Labs, as well as exclusive access to special promotions for upcoming trainings and conferences.

1. Impact on Business
=====================

By exploiting this vulnerability, a remote unauthenticated attacker might be able to access arbitrary files hosted on the ERP system. This would result in the total compromise of the ERP infrastructure.

2. Advisory Information
=======================

--Release Date: 2012-02-23
--Last Revised: 2012-02-21
--Security Advisory ID: ONAPSIS-2012-03
--Onapsis SVS ID: ONAPSIS-00030
--Researcher: Juan Pablo Perez Etchegoyen
--CVE: CVE-2011-3509
--Initial Base CVSS v2: 7.8 (AV:N/AC:L/Au:N/C:C/I:N/A:N)

3. Vulnerability Information
============================

--Vendor: ORACLE
--Affected Components: JD Edwards 9.0 EnterpriseOne Server + EnterpriseOne Tools 8.98 (older versions might also be affected)
--Vulnerability Class: Information Disclosure.
--Remotely Exploitable: Yes
--Locally Exploitable: No
--Authentication Required: No
--Original Advisory: http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2012-03

4. Affected Components Description
==================================

“The next kernel in the JDE.INI file is the Server Administration Workbench (SAW) kernel. This kernel is responsible for collecting and reporting information about the kernels in EnterpriseOne. The SAW kernel will connect to each of the kernels to determine information including:
- Number of users connected to the kernel (if applicable)
- Number of requests processed by the kernel
- Average time to complete the request
- Outstanding requests
- Users connected to the kernel process (if applicable)
This information is displayed in the SAW or Server Manager applications. This is critical to monitoring the health of the EnterpriseOne kernels and providing a view into how the system is executing.”

JD Edwards EnterpriseOne. The complete reference. - Copyright © 2009 by The McGraw-Hill Companies

5. Vulnerability Details
========================

If a specially crafted packet is sent to the JDENet Service (6015 TCP by default), and the JDESAW Kernel is configured (it is by default), then it would be possible to read any file on the system.

Further technical details about this issue are not disclosed at this moment with the purpose of providing enough time to affected customers to patch their systems and protect against the exploitation of the described vulnerability.

6. Solution
===========

Apply Oracle Critical Patch Update January 2012. More information available on http://www.oracle.com/technetwork/topics/security/cpujan2012-366304.html

Onapsis strongly recommends Oracle customers to download the related security fixes and apply them to the affected components in order to reduce business risks.

7. Report Timeline
==================

* 2010-09-20: Onapsis provides vulnerability information to Oracle.
* 2010-09-21: Oracle confirms reception of vulnerability submission.
* 2010-09-24: Oracle states vulnerability is under investigation.
* 2010-10-07: Oracle confirms vulnerability.
* 2012-01-17: Oracle releases fixes in CPU.
* 2012-02-23: Onapsis releases security advisory.

About Onapsis Research Labs
===========================

Onapsis is continuously investing resources in the research of the security of ERP systems and business-critical infrastructure. With that objective in mind, a special unit – the Onapsis Research Labs – has been developed since the creation of the company. The experts involved in this special team lead the public research trends in this matter, having discovered and published many of the public security vulnerabilities in these platforms.

The outcome of this advanced and cutting-edge research is continuously provided to the Onapsis Consulting and Development teams, improving the quality of our solutions and enabling our customers to be protected from the latest risks to their critical business information. Furthermore, the results of these research projects are usually shared with the general security and professional community, encouraging the sharing of information and increasing the common knowledge in this field.

About Onapsis, Inc.
===================

Onapsis provides innovative security software solutions to protect ERP systems from cyber-attacks. Through unmatched ERP security, compliance and continuous monitoring products, Onapsis secures the business-critical infrastructure of its global
[Full-disclosure] [Onapsis Security Advisory 2012-04] Oracle JD Edwards SawKernel GET_INI Information Disclosure
Onapsis Security Advisory: Oracle JD Edwards SawKernel GET_INI Information Disclosure

1. Impact on Business
=====================

By exploiting this vulnerability, a remote unauthenticated attacker might be able to access or modify all the business information processed by the ERP system. This would result in the total compromise of the ERP infrastructure.

2. Advisory Information
=======================

--Release Date: 2012-02-23
--Last Revised: 2012-02-21
--Security Advisory ID: ONAPSIS-2012-04
--Onapsis SVS ID: ONAPSIS-00033
--Researcher: Juan Pablo Perez Etchegoyen
--CVE: CVE-2011-3524
--Initial Base CVSS v2: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)

3. Vulnerability Information
============================

--Vendor: ORACLE
--Affected Components: JD Edwards 9.0 EnterpriseOne Server + EnterpriseOne Tools 8.98 (older versions might also be affected)
--Vulnerability Class: Information Disclosure.
--Remotely Exploitable: Yes
--Locally Exploitable: No
--Authentication Required: No
--Original Advisory: http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2012-04

4. Affected Components Description
==================================

“The next kernel in the JDE.INI file is the Server Administration Workbench (SAW) kernel. This kernel is responsible for collecting and reporting information about the kernels in EnterpriseOne. The SAW kernel will connect to each of the kernels to determine information including:
- Number of users connected to the kernel (if applicable)
- Number of requests processed by the kernel
- Average time to complete the request
- Outstanding requests
- Users connected to the kernel process (if applicable)
This information is displayed in the SAW or Server Manager applications. This is critical to monitoring the health of the EnterpriseOne kernels and providing a view into how the system is executing.”

JD Edwards EnterpriseOne. The complete reference. - Copyright © 2009 by The McGraw-Hill Companies

5. Vulnerability Details
========================

If a specially crafted message is sent to the JDENET service (specifically to the SAW Kernel), a user can remotely retrieve data from the JDE.INI configuration file. This information includes the password for the database connection and the configuration of the node password for authentication tokens.

Further technical details about this issue are not disclosed at this moment with the purpose of providing enough time to affected customers to patch their systems and protect against the exploitation of the described vulnerability.

6. Solution
===========

Apply Oracle Critical Patch Update January 2012. More information available on http://www.oracle.com/technetwork/topics/security/cpujan2012-366304.html

Onapsis strongly recommends Oracle customers to download the related security fixes and apply them to the affected components in order to reduce business risks.

7. Report Timeline
==================

* 2010-09-20: Onapsis provides vulnerability information to Oracle.
* 2010-09-21: Oracle confirms reception of vulnerability submission.
* 2010-09-24: Oracle states vulnerability is under investigation.
* 2010-10-07: Oracle confirms vulnerability.
* 2012-01-17: Oracle releases fixes in CPU.
* 2012-02-23: Onapsis releases security advisory.
[Full-disclosure] [Onapsis Security Advisory 2012-05] Oracle JD Edwards JDENET Multiple Information Disclosure
Onapsis Security Advisory: Oracle JD Edwards JDENET Multiple Information Disclosure

1. Impact on Business
=====================

By exploiting this vulnerability, a remote unauthenticated attacker might be able to access technical information of the ERP system. This might result in the disclosure of technical information that might be useful in further attacks to the ERP infrastructure.

2. Advisory Information
=======================

--Release Date: 2012-02-23
--Last Revised: 2012-02-21
--Security Advisory ID: ONAPSIS-2012-05
--Onapsis SVS ID: ONAPSIS-00021
--Researcher: Juan Pablo Perez Etchegoyen
--CVE: CVE-2011-2321
--Initial Base CVSS v2: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)

3. Vulnerability Information
============================

--Vendor: ORACLE
--Affected Components: JD Edwards 9.0 EnterpriseOne Server + EnterpriseOne Tools 8.98 (older versions might also be affected)
--Vulnerability Class: Information Disclosure.
--Remotely Exploitable: Yes
--Locally Exploitable: No
--Authentication Required: No
--Original Advisory: http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2012-05

4. Affected Components Description
==================================

JDENet is a network communication middleware that performs network communications workstation-to-server and server-to-server. It is used to call remote functions, to authenticate users and transmit information between hosts in a JDEdwards environment.

5. Vulnerability Details
========================

Several ways to gather information exist in the JDENET service. Sending specific types of messages, it is possible to access technical information about the system's configuration, such as:
* Kernel Process ID.
* Kernel processes.
* Kernel processes information.
* JDENET process information.

Further technical details about this issue are not disclosed at this moment with the purpose of providing enough time to affected customers to patch their systems and protect against the exploitation of the described vulnerability.

6. Solution
===========

Apply Oracle Critical Patch Update January 2012. More information available on http://www.oracle.com/technetwork/topics/security/cpujan2012-366304.html

Onapsis strongly recommends Oracle customers to download the related security fixes and apply them to the affected components in order to reduce business risks.

7. Report Timeline
==================

* 2010-09-20: Onapsis provides vulnerability information to Oracle.
* 2010-09-21: Oracle confirms reception of vulnerability submission.
* 2010-09-24: Oracle states vulnerability is under investigation.
* 2010-10-07: Oracle confirms vulnerability.
* 2012-01-17: Oracle releases fixes in CPU.
* 2012-02-23: Onapsis releases security advisory.
[Full-disclosure] [Onapsis Security Advisory 2012-06] Oracle JD Edwards JDENET Large Packets Denial of Service
Onapsis Security Advisory: Oracle JD Edwards JDENET Large Packets Denial of Service

1. Impact on Business
=====================

By exploiting this vulnerability, a remote unauthenticated attacker might trigger a denial of service on the JDENET service. This would result in the unavailability of most of the ERP services.

2. Advisory Information
=======================

--Release Date: 2012-02-23
--Last Revised: 2012-02-21
--Security Advisory ID: ONAPSIS-2012-06
--Onapsis SVS ID: ONAPSIS-00023
--Researcher: Juan Pablo Perez Etchegoyen
--CVE: CVE-2011-2324
--Initial Base CVSS v2: 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)

3. Vulnerability Information
============================

--Vendor: ORACLE
--Affected Components: JD Edwards 9.0 EnterpriseOne Server + EnterpriseOne Tools 8.98 (older versions might also be affected)
--Vulnerability Class: Denial of Service.
--Remotely Exploitable: Yes
--Locally Exploitable: No
--Authentication Required: No
--Original Advisory: http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2012-06

4. Affected Components Description
==================================

JDENet is a network communication middleware that performs network communications workstation-to-server and server-to-server. It is used to call remote functions, to authenticate users and transmit information between hosts in a JDEdwards environment.

5. Vulnerability Details
========================

If a message containing packets of a specific size is sent to the JDENET service, a Denial of Service condition is triggered, because the kernel in charge of dispatching those packets uses all the available CPU time.

Further technical details about this issue are not disclosed at this moment with the purpose of providing enough time to affected customers to patch their systems and protect against the exploitation of the described vulnerability.

6. Solution
===========

Apply Oracle Critical Patch Update January 2012. More information available on http://www.oracle.com/technetwork/topics/security/cpujan2012-366304.html

Onapsis strongly recommends Oracle customers to download the related security fixes and apply them to the affected components in order to reduce business risks.

7. Report Timeline
==================

* 2010-09-20: Onapsis provides vulnerability information to Oracle.
* 2010-09-21: Oracle confirms reception of vulnerability submission.
* 2010-09-24: Oracle states vulnerability is under investigation.
* 2010-10-07: Oracle confirms vulnerability.
* 2012-01-17: Oracle releases fixes in CPU.
* 2012-02-23: Onapsis releases security advisory.
[Full-disclosure] [Onapsis Security Advisory 2012-07] Oracle JD Edwards SawKernel SET_INI Configuration Modification
Onapsis Security Advisory: Oracle JD Edwards SawKernel SET_INI Configuration Modification

1. Impact on Business
=====================

By exploiting this vulnerability, a remote unauthenticated attacker might be able to access or modify all the business information processed by the ERP system. This would result in the total compromise of the ERP infrastructure.

2. Advisory Information
=======================

--Release Date: 2012-02-23
--Last Revised: 2012-02-21
--Security Advisory ID: ONAPSIS-2012-07
--Onapsis SVS ID: ONAPSIS-00032
--Researcher: Juan Pablo Perez Etchegoyen
--CVE: CVE-2011-3514
--Initial Base CVSS v2: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)

3. Vulnerability Information
============================

--Vendor: ORACLE
--Affected Components: JD Edwards 9.0 EnterpriseOne Server + EnterpriseOne Tools 8.98 (older versions might also be affected)
--Vulnerability Class: Configuration Modification.
--Remotely Exploitable: Yes
--Locally Exploitable: No
--Authentication Required: No
--Original Advisory: http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2012-07

4. Affected Components Description
==================================

“The next kernel in the JDE.INI file is the Server Administration Workbench (SAW) kernel. This kernel is responsible for collecting and reporting information about the kernels in EnterpriseOne. The SAW kernel will connect to each of the kernels to determine information including:
- Number of users connected to the kernel (if applicable)
- Number of requests processed by the kernel
- Average time to complete the request
- Outstanding requests
- Users connected to the kernel process (if applicable)
This information is displayed in the SAW or Server Manager applications. This is critical to monitoring the health of the EnterpriseOne kernels and providing a view into how the system is executing.”

JD Edwards EnterpriseOne. The complete reference. - Copyright © 2009 by The McGraw-Hill Companies

5. Vulnerability Details
========================

If a specially crafted message is sent to the JDENET service (specifically to the SAW Kernel), a user can remotely change the JDE.INI configuration file. This situation might help the attacker to perform complex attacks that would lead to a full compromise of the system.

Further technical details about this issue are not disclosed at this moment with the purpose of providing enough time to affected customers to patch their systems and protect against the exploitation of the described vulnerability.

6. Solution
===========

Apply Oracle Critical Patch Update January 2012. More information available on http://www.oracle.com/technetwork/topics/security/cpujan2012-366304.html

Onapsis strongly recommends Oracle customers to download the related security fixes and apply them to the affected components in order to reduce business risks.

7. Report Timeline
==================

* 2010-09-20: Onapsis provides vulnerability information to Oracle.
* 2010-09-21: Oracle confirms reception of vulnerability submission.
* 2010-09-24: Oracle states vulnerability is under investigation.
* 2010-10-07: Oracle confirms vulnerability.
* 2012-01-17: Oracle releases fixes in CPU.
* 2012-02-23: Onapsis releases security advisory.
[Full-disclosure] [Onapsis Security Advisory 2012-08] Oracle JD Edwards Security Kernel Information Disclosure
Onapsis Security Advisory: Oracle JD Edwards Security Kernel Information Disclosure

This advisory can be downloaded in PDF format from http://www.onapsis.com/. By downloading this advisory from the Onapsis Resource Center, you will gain access to beforehand information on upcoming advisories, presentations and new research projects from the Onapsis Research Labs, as well as exclusive access to special promotions for upcoming trainings and conferences.

1. Impact on Business
=====================

By exploiting this vulnerability, a remote unauthenticated attacker might be able to validate user credentials to access the ERP system. This would represent valuable information to perform more complex attacks on the ERP system.

2. Advisory Information
=======================

- Release Date: 2012-02-23
- Last Revised: 2012-02-21
- Security Advisory ID: ONAPSIS-2012-08
- Onapsis SVS ID: ONAPSIS-00027
- Researcher: Juan Pablo Perez Etchegoyen
- CVE: CVE-2011-2326
- Initial Base CVSS v2: 3.9 (AV:N/AC:L/Au:N/C:P/I:N/A:N/CDP:ND/TD:ND/CR:L/IR:ND/AR:ND)

3. Vulnerability Information
============================

- Vendor: ORACLE
- Affected Components: JD Edwards 9.0 EnterpriseOne Server + EnterpriseOne Tools 8.98 (older versions might also be affected)
- Vulnerability Class: Information Disclosure
- Remotely Exploitable: Yes
- Locally Exploitable: No
- Authentication Required: No
- Original Advisory: http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2012-08

4. Affected Components Description
==================================

JDENet is a network communication middleware that performs network communications workstation-to-server and server-to-server. It is used to call remote functions, to authenticate users and to transmit information between hosts in a JD Edwards environment.

5. Vulnerability Details
========================

If a specially crafted packet is sent to the JDENet service (6015 TCP by default), it is possible to validate arbitrary (USER, ROLE, ENVIRONMENT) tuples in order to detect valid ones.

Further technical details about this issue are not disclosed at this moment with the purpose of providing enough time to affected customers to patch their systems and protect against the exploitation of the described vulnerability.

6. Solution
===========

Apply Oracle Critical Patch Update January 2012. More information is available at http://www.oracle.com/technetwork/topics/security/cpujan2012-366304.html

Onapsis strongly recommends Oracle customers to download the related security fixes and apply them to the affected components in order to reduce business risks.

7. Report Timeline
==================

* 2010-09-20: Onapsis provides vulnerability information to Oracle.
* 2010-09-21: Oracle confirms reception of vulnerability submission.
* 2010-09-24: Oracle states vulnerability is under investigation.
* 2010-10-07: Oracle confirms vulnerability.
* 2012-01-17: Oracle releases fixes in CPU.
* 2012-02-23: Onapsis releases security advisory.

About Onapsis Research Labs
===========================

Onapsis is continuously investing resources in the research of the security of ERP systems and business-critical infrastructure. With that objective in mind, a special unit, the Onapsis Research Labs, has been developed since the creation of the company. The experts involved in this special team lead the public research trends in this matter, having discovered and published many of the public security vulnerabilities in these platforms.

The outcome of this advanced and cutting-edge research is continuously provided to the Onapsis Consulting and Development teams, improving the quality of our solutions and enabling our customers to be protected from the latest risks to their critical business information. Furthermore, the results of these research projects are usually shared with the general security and professional community, encouraging the sharing of information and increasing the common knowledge in this field.

About Onapsis, Inc.
===================

Onapsis provides innovative security software solutions to protect ERP systems from cyber-attacks. Through unmatched ERP security, compliance and continuous monitoring products, Onapsis secures the business-critical infrastructure of its global customers against espionage, sabotage and financial fraud threats. Onapsis X1, the company's flagship product, is the industry's first comprehensive solution for the automated security assessment of SAP platforms. Being the first and only SAP-certified solution of its kind, Onapsis X1 allows customers to perform automated Vulnerability Assessments, Security Compliance Audits and Penetration Tests over their entire SAP platform. Onapsis is backed by the Onapsis Research Labs, a world-renowned team of SAP ERP security
[Full-disclosure] [Onapsis Security Advisory 2012-01] Oracle JD Edwards JDENET Arbitrary File Write
Onapsis Security Advisory: Oracle JD Edwards JDENET Arbitrary File Write

This advisory can be downloaded in PDF format from http://www.onapsis.com/. By downloading this advisory from the Onapsis Resource Center, you will gain access to beforehand information on upcoming advisories, presentations and new research projects from the Onapsis Research Labs, as well as exclusive access to special promotions for upcoming trainings and conferences.

1. Impact on Business
=====================

By exploiting this vulnerability, a remote unauthenticated attacker might be able to access or modify all the business information processed by the ERP system. This would result in the total compromise of the ERP infrastructure.

2. Advisory Information
=======================

- Release Date: 2012-02-23
- Last Revised: 2012-02-21
- Security Advisory ID: ONAPSIS-2012-01
- Onapsis SVS ID: ONAPSIS-00017
- Researcher: Juan Pablo Perez Etchegoyen
- CVE: CVE-2011-2317
- Initial Base CVSS v2: 9.7 (AV:N/AC:L/Au:N/C:P/I:C/A:C)

3. Vulnerability Information
============================

- Vendor: ORACLE
- Affected Components: JD Edwards 9.0 EnterpriseOne Server + EnterpriseOne Tools 8.98 (older versions might also be affected)
- Vulnerability Class: Arbitrary File Write
- Remotely Exploitable: Yes
- Locally Exploitable: No
- Authentication Required: No
- Original Advisory: http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2012-01

4. Affected Components Description
==================================

JDENet is a network communication middleware that performs network communications workstation-to-server and server-to-server. It is used to call remote functions, to authenticate users and to transmit information between hosts in a JD Edwards environment.

5. Vulnerability Details
========================

If a "Message packet" containing a specially crafted "File Packet" is sent to the JDENet port (6015 by default), the sent file is saved on the server where the JDENet service is running, in the arbitrary location specified by the "File Packet".

Further technical details about this issue are not disclosed at this moment with the purpose of providing enough time to affected customers to patch their systems and protect against the exploitation of the described vulnerability.

6. Solution
===========

Apply Oracle Critical Patch Update January 2012. More information is available at http://www.oracle.com/technetwork/topics/security/cpujan2012-366304.html

Onapsis strongly recommends Oracle customers to download the related security fixes and apply them to the affected components in order to reduce business risks.

7. Report Timeline
==================

* 2010-09-20: Onapsis provides vulnerability information to Oracle.
* 2010-09-21: Oracle confirms reception of vulnerability submission.
* 2010-09-24: Oracle states vulnerability is under investigation.
* 2010-10-07: Oracle confirms vulnerability.
* 2012-01-17: Oracle releases fixes in CPU.
* 2012-02-23: Onapsis releases security advisory.

About Onapsis Research Labs
===========================

Onapsis is continuously investing resources in the research of the security of ERP systems and business-critical infrastructure. With that objective in mind, a special unit, the Onapsis Research Labs, has been developed since the creation of the company. The experts involved in this special team lead the public research trends in this matter, having discovered and published many of the public security vulnerabilities in these platforms.

The outcome of this advanced and cutting-edge research is continuously provided to the Onapsis Consulting and Development teams, improving the quality of our solutions and enabling our customers to be protected from the latest risks to their critical business information. Furthermore, the results of these research projects are usually shared with the general security and professional community, encouraging the sharing of information and increasing the common knowledge in this field.

About Onapsis, Inc.
===================

Onapsis provides innovative security software solutions to protect ERP systems from cyber-attacks. Through unmatched ERP security, compliance and continuous monitoring products, Onapsis secures the business-critical infrastructure of its global customers against espionage, sabotage and financial fraud threats. Onapsis X1, the company's flagship product, is the industry's first comprehensive solution for the automated security assessment of SAP platforms. Being the first and only SAP-certified solution of its kind, Onapsis X1 allows customers to perform automated Vulnerability Assessments, Security Compliance Audits and Penetration Tests over their entire SAP platform. Onapsis is backed by the Onapsis Research Labs, a world-renowned team of SAP ERP security
[Full-disclosure] [Onapsis Security Advisory 2012-02] Oracle JD Edwards Security Kernel Remote Password Disclosure
Onapsis Security Advisory: Oracle JD Edwards Security Kernel Remote Password Disclosure

This advisory can be downloaded in PDF format from http://www.onapsis.com/. By downloading this advisory from the Onapsis Resource Center, you will gain access to beforehand information on upcoming advisories, presentations and new research projects from the Onapsis Research Labs, as well as exclusive access to special promotions for upcoming trainings and conferences.

1. Impact on Business
=====================

By exploiting this vulnerability, a remote unauthenticated attacker might be able to access or modify all the business information processed by the ERP system. This would result in the total compromise of the ERP infrastructure.

2. Advisory Information
=======================

- Release Date: 2012-02-23
- Last Revised: 2012-02-21
- Security Advisory ID: ONAPSIS-2012-02
- Onapsis SVS ID: ONAPSIS-00026
- Researcher: Juan Pablo Perez Etchegoyen
- CVE: CVE-2011-2325
- Initial Base CVSS v2: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)

3. Vulnerability Information
============================

- Vendor: ORACLE
- Affected Components: JD Edwards 9.0 EnterpriseOne Server + EnterpriseOne Tools 8.98 (older versions might also be affected)
- Vulnerability Class: Information Disclosure
- Remotely Exploitable: Yes
- Locally Exploitable: No
- Authentication Required: No
- Original Advisory: http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2012-02

4. Affected Components Description
==================================

JDENet is a network communication middleware that performs network communications workstation-to-server and server-to-server. It is used to call remote functions, to authenticate users and to transmit information between hosts in a JD Edwards environment.

5. Vulnerability Details
========================

If a specially crafted packet is sent to the JDENet service (6015 TCP by default), and the Security Kernel is enabled and SignonSecurity is configured, it is possible to retrieve the password of arbitrary users.

Further technical details about this issue are not disclosed at this moment with the purpose of providing enough time to affected customers to patch their systems and protect against the exploitation of the described vulnerability.

6. Solution
===========

Apply Oracle Critical Patch Update January 2012. More information is available at http://www.oracle.com/technetwork/topics/security/cpujan2012-366304.html

Onapsis strongly recommends Oracle customers to download the related security fixes and apply them to the affected components in order to reduce business risks.

7. Report Timeline
==================

* 2010-09-20: Onapsis provides vulnerability information to Oracle.
* 2010-09-21: Oracle confirms reception of vulnerability submission.
* 2010-09-24: Oracle states vulnerability is under investigation.
* 2010-10-07: Oracle confirms vulnerability.
* 2012-01-17: Oracle releases fixes in CPU.
* 2012-02-23: Onapsis releases security advisory.

About Onapsis Research Labs
===========================

Onapsis is continuously investing resources in the research of the security of ERP systems and business-critical infrastructure. With that objective in mind, a special unit, the Onapsis Research Labs, has been developed since the creation of the company. The experts involved in this special team lead the public research trends in this matter, having discovered and published many of the public security vulnerabilities in these platforms.

The outcome of this advanced and cutting-edge research is continuously provided to the Onapsis Consulting and Development teams, improving the quality of our solutions and enabling our customers to be protected from the latest risks to their critical business information. Furthermore, the results of these research projects are usually shared with the general security and professional community, encouraging the sharing of information and increasing the common knowledge in this field.

About Onapsis, Inc.
===================

Onapsis provides innovative security software solutions to protect ERP systems from cyber-attacks. Through unmatched ERP security, compliance and continuous monitoring products, Onapsis secures the business-critical infrastructure of its global customers against espionage, sabotage and financial fraud threats. Onapsis X1, the company's flagship product, is the industry's first comprehensive solution for the automated security assessment of SAP platforms. Being the first and only SAP-certified solution of its kind, Onapsis X1 allows customers to perform automated Vulnerability Assessments, Security Compliance Audits and Penetration Tests over their entire SAP platform. Onapsis is backed by the Onapsis Research Labs, a world-renowned team of SAP ERP security experts who
[Full-disclosure] [Onapsis Security Advisory 2011-016] SAP WebAS Malicious SAP Shortcut Generation
Onapsis Security Advisory 2011-016: SAP WebAS Malicious SAP Shortcut Generation

This advisory can be downloaded in PDF format from http://www.onapsis.com/. By downloading this advisory from the Onapsis Resource Center, you will gain access to beforehand information on upcoming advisories, presentations and new research projects from the Onapsis Research Labs, as well as exclusive access to special promotions for upcoming trainings and conferences.

1. Impact on Business
=====================

By exploiting this vulnerability, an internal or external attacker would be able to perform attacks on the Organization's users through weaknesses in the SAP system. Upon a successful exploitation, he would be able to obtain sensitive information from legitimate users through social engineering attacks and/or exploit vulnerabilities in their systems in order to take control of them.

Risk Level: Medium

2. Advisory Information
=======================

- Release Date: 2011-09-14
- Last Revised: 2011-09-14
- Security Advisory ID: ONAPSIS-2011-016
- Onapsis SVS ID: ONAPSIS-00041
- Researcher: Mariano Nuñez Di Croce

3. Vulnerability Information
============================

- Vendor: SAP
- Affected Components:
  * SAP Web Application Server 7.00 Patch Number 95 (check SAP Note 1556749 for detailed information on affected releases)
- Vulnerability Class: Abuse of designed functionality / Parameter Injection
- Remotely Exploitable: Yes
- Locally Exploitable: No
- Authentication Required: No
- Original Advisory: http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2011-016

4. Affected Components Description
==================================

The SAP Web Application Server provides access to many services through a Web engine, called the SAP Internet Communication Framework (ICM).

5. Vulnerability Details
========================

The SAP Web Application Server provides access to many services through a Web engine, called the SAP Internet Communication Framework (ICM). The SHORTCUT ICF service represents a dangerous functionality per se, as it can be executed anonymously by malicious parties to perform client-side attacks against the organization's end users. Furthermore, this service contains a parameter injection vulnerability, which provides attackers with further control over the generation of the SAP shortcuts.

Further technical details about this issue are not disclosed at this moment with the purpose of providing enough time to affected customers to patch their systems and protect against the exploitation of the described vulnerability.

7. Report Timeline
==================

* 2011-01-25: Onapsis provides vulnerability information to SAP.
* 2011-01-25: SAP confirms reception of vulnerability submission.
* 2011-04-12: SAP releases SAP Note 1556749 fixing the vulnerability.
* 2011-09-14: Onapsis releases security advisory.

About Onapsis Research Labs
===========================

Onapsis is continuously investing resources in the research of the security of business-critical systems and applications. With that objective in mind, a special unit, the Onapsis Research Labs, has been developed since the creation of the company. The experts involved in this special team lead the public research trends in this matter, having discovered and published many of the public security vulnerabilities in these platforms.

The outcome of this advanced and cutting-edge research is continuously provided to the Onapsis Consulting and Development teams, improving the quality of our solutions and enabling our customers to be protected from the latest risks to their critical business information. Furthermore, the results of these research projects are usually shared with the general security and professional community, encouraging the sharing of information and increasing the common knowledge in this field.

About Onapsis
=============

Onapsis is the leading provider of solutions for the security of ERP systems and business-critical applications. Through different innovative products and services, Onapsis helps its global customers to effectively increase the security level of their core business platforms, protecting their information and decreasing financial fraud risks.

Onapsis is built upon a team of world-renowned experts in the SAP security field, with several years of experience in the assessment and protection of critical platforms in world-wide customers, such as Fortune-100 companies and governmental entities. Our star product, Onapsis X1, enables our customers to perform automated Security Compliance Audits, Vulnerability Assessments and Penetration Tests over their SAP platform, helping them enforce compliance requirements, decrease financial fraud risks and reduce audit costs drastically. Some of our featured services include SAP Penetration
[Full-disclosure] [Onapsis Security Advisory 2011-014] SAP WebAS Remote Denial of Service
Onapsis Security Advisory 2011-014: SAP WebAS Remote Denial of Service

1. Impact on Business
=====================

By exploiting this vulnerability, an unauthenticated attacker would be able to remotely disrupt the SAP Application Server. This would result in the total unavailability of the ERP functionality, preventing company users from performing the required business processes.

Risk Level: High

2. Advisory Information
=======================

- Release Date: 2011-09-14
- Last Revised: 2011-09-14
- Security Advisory ID: ONAPSIS-2011-014
- Onapsis SVS ID: ONAPSIS-00039
- Researcher: Mariano Nuñez Di Croce

3. Vulnerability Information
============================

- Vendor: SAP
- Affected Components:
  * SAP Web Application Server 7.00 Patch Number 95 (check SAP Note 1553930 for detailed information on affected releases)
- Vulnerability Class: Abuse of designed functionality
- Remotely Exploitable: Yes
- Locally Exploitable: No
- Authentication Required: Yes
- Original Advisory: http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2011-014

4. Affected Components Description
==================================

The SAP Web Application Server provides access to many services through a Web engine, called the SAP Internet Communication Framework (ICM).

5. Vulnerability Details
========================

It was detected that the "cachetest" service suffers from an input validation vulnerability. This interface can be abused by a malicious attacker to put the system under continuous, high-load conditions, leading to a denial of service condition.

Further technical details about this issue are not disclosed at this moment with the purpose of providing enough time to affected customers to patch their systems and protect against the exploitation of the described vulnerability.

6. Solution
===========

SAP has released SAP Note 1553930, which provides patched versions of the affected components. The patches can be downloaded from https://service.sap.com/sap/support/notes/1553930

Onapsis strongly recommends SAP customers to download the related security fixes and apply them to the affected components in order to reduce business risks.

7. Report Timeline
==================

* 2011-01-24: Onapsis provides vulnerability information to SAP.
* 2011-01-25: SAP confirms reception of vulnerability submission.
* 2011-06-14: SAP releases SAP Note 1553930 fixing the vulnerability.
* 2011-09-14: Onapsis releases security advisory.

About Onapsis Research Labs
===========================

Onapsis is continuously investing resources in the research of the security of business-critical systems and applications. With that objective in mind, a special unit, the Onapsis Research Labs, has been developed since the creation of the company. The experts involved in this special team lead the public research trends in this matter, having discovered and published many of the public security vulnerabilities in these platforms.

The outcome of this advanced and cutting-edge research is continuously provided to the Onapsis Consulting and Development teams, improving the quality of our solutions and enabling our customers to be protected from the latest risks to their critical business information. Furthermore, the results of these research projects are usually shared with the general security and professional community, encouraging the sharing of information and increasing the common knowledge in this field.

About Onapsis
=============

Onapsis is the leading provider of solutions for the security of ERP systems and business-critical applications. Through different innovative products and services, Onapsis helps its global customers to effectively increase the security level of their core business platforms, protecting their information and decreasing financial fraud risks.

Onapsis is built upon a team of world-renowned experts in the SAP security field, with several years of experience in the assessment and protection of critical platforms in world-wide customers, such as Fortune-100 companies and governmental entities. Our star product, Onapsis X1, enables our customers to perform automated Security Compliance Audits, Vulnerability Assessments and Penetration Tests over their SAP platform, helping them enforce compliance requirements, decrease financial fraud risks and reduce audit costs drastically. Some of our featured services include SAP Penetration Testing, SAP Gateway RFC security, SAP Enterprise Portal security assessment, Security Support for SAP Implementations and Upgrades, SAP System Hardening and SAP Technical Security Audits.

For further information about our solutions, please contact us at i...@onapsis.com and visit our website at www.onapsis.com.

Copyright (c) 2011 Onapsis SRL. All rights reserved. This advisory may be distributed
[Full-disclosure] [Onapsis Security Advisory 2011-015] SAP WebAS webrfc Cross-Site Scripting
Onapsis Security Advisory 2011-015: SAP WebAS webrfc Cross-Site Scripting

This advisory can be downloaded in PDF format from http://www.onapsis.com/. By downloading this advisory from the Onapsis Resource Center, you will gain access to beforehand information on upcoming advisories, presentations and new research projects from the Onapsis Research Labs, as well as exclusive access to special promotions for upcoming trainings and conferences.

1. Impact on Business
=====================

By exploiting this vulnerability, an internal or external attacker would be able to perform attacks on the Organization's users through weaknesses in the SAP system. Upon a successful exploitation, he would be able to obtain sensitive information from legitimate users through social engineering attacks and/or exploit vulnerabilities in their systems in order to take control of them.

Risk Level: Medium

2. Advisory Information
=======================

- Release Date: 2011-09-14
- Last Revised: 2011-09-14
- Security Advisory ID: ONAPSIS-2011-015
- Onapsis SVS ID: ONAPSIS-00040
- Researcher: Mariano Nuñez Di Croce

3. Vulnerability Information
============================

- Vendor: SAP
- Affected Components:
  * SAP Web Application Server 7.00 Patch Number 95 (check SAP Note 1536640 for detailed information on affected releases)
- Vulnerability Class: Cross-Site Scripting (XSS)
- Remotely Exploitable: Yes
- Locally Exploitable: No
- Authentication Required: Yes
- Original Advisory: http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2011-015

4. Affected Components Description
==================================

The SAP Web Application Server provides access to many services through a Web engine, called the SAP Internet Communication Framework (ICM).

5. Vulnerability Details
========================

It has been detected that the WEBRFC ICF service suffers from an input validation vulnerability, which can be exploited to perform XSS attacks.

Further technical details about this issue are not disclosed at this moment with the purpose of providing enough time to affected customers to patch their systems and protect against the exploitation of the described vulnerability.

6. Solution
===========

SAP has released SAP Note 1536640, which provides patched versions of the affected components. The patches can be downloaded from https://service.sap.com/sap/support/notes/1536640

Onapsis strongly recommends SAP customers to download the related security fixes and apply them to the affected components in order to reduce business risks.

7. Report Timeline
==================

* 2011-01-25: Onapsis provides vulnerability information to SAP.
* 2011-01-25: SAP confirms reception of vulnerability submission.
* 2011-05-10: SAP releases SAP Note 1536640 fixing the vulnerability.
* 2011-09-14: Onapsis releases security advisory.

About Onapsis Research Labs
===========================

Onapsis is continuously investing resources in the research of the security of business-critical systems and applications. With that objective in mind, a special unit, the Onapsis Research Labs, has been developed since the creation of the company. The experts involved in this special team lead the public research trends in this matter, having discovered and published many of the public security vulnerabilities in these platforms.

The outcome of this advanced and cutting-edge research is continuously provided to the Onapsis Consulting and Development teams, improving the quality of our solutions and enabling our customers to be protected from the latest risks to their critical business information. Furthermore, the results of these research projects are usually shared with the general security and professional community, encouraging the sharing of information and increasing the common knowledge in this field.

About Onapsis
=============

Onapsis is the leading provider of solutions for the security of ERP systems and business-critical applications. Through different innovative products and services, Onapsis helps its global customers to effectively increase the security level of their core business platforms, protecting their information and decreasing financial fraud risks.

Onapsis is built upon a team of world-renowned experts in the SAP security field, with several years of experience in the assessment and protection of critical platforms in world-wide customers, such as Fortune-100 companies and governmental entities. Our star product, Onapsis X1, enables our customers to perform automated Security Compliance Audits, Vulnerability Assessments and Penetration Tests over their SAP platform, helping them enforce compliance requirements, decrease financial fraud risks and reduce audit costs drastically. Some of our featured services include SAP Penetration Testing, SAP Gateway
[Full-disclosure] [Onapsis Research Labs] New SAP Security In-Depth issue - The Invoker Servlet: A Dangerous Detour into SAP Java Solutions
Dear colleague,

We are happy to announce the fourth issue of the Onapsis SAP Security In-Depth publication.

Onapsis' SAP Security In-Depth is a free technical publication led by the Onapsis Research Labs with the purpose of providing specialized information about the current and future risks in the SAP security field, allowing all the different actors (financial managers, information security managers, SAP administrators, auditors, consultants and the general professional community) to better understand the involved risks and the techniques and tools available to assess and mitigate them.

In this edition: The Invoker Servlet: A Dangerous Detour into SAP Java Solutions, by Mariano Nuñez Di Croce and Jordan Santarsieri.

SAP Application Servers Java, supported by the J2EE Engine, serve as the base framework for running critical solutions such as the SAP Enterprise Portal, SAP Exchange Infrastructure (XI), SAP Process Integration (PI) and SAP Mobile Infrastructure (MI). Furthermore, customers can also deploy their own custom Java applications over these platforms.

In December 2010, SAP released an important white paper describing how to protect against common attacks on these applications. Among the security concepts detailed, there was one that was particularly critical: the Invoker Servlet. This functionality introduces several threats to SAP platforms, such as the possibility of completely bypassing the authentication and authorization mechanisms.

This publication analyzes the Invoker Servlet Detour attack, identifying the root cause of this threat, how to verify whether your platform is exposed and how to mitigate it, effectively protecting your business-critical information against cyber attacks.

The full publication can be downloaded from http://www.onapsis.com/resources/get.php?resid=ssid04

We hope you enjoy this new issue!

Kindest regards,

P.S.: We are sponsoring BlackHat USA this year, so don't hesitate to come and chat with us at our Booth #706!

--
The Onapsis Research Labs Team
Onapsis S.R.L
Email: resea...@onapsis.com
Web: www.onapsis.com
PGP: http://www.onapsis.com/pgp/research.asc
[Full-disclosure] [Onapsis Security Advisory 2011-003] SAP WebAS ITS Mobile Start Service Multiple Vulnerabilities
Onapsis Security Advisory 2011-003: SAP WebAS ITS Mobile Start Service Multiple Vulnerabilities

This advisory can be downloaded in PDF format from http://www.onapsis.com/. By downloading this advisory from the Onapsis Resource Center, you will gain early access to information on upcoming advisories, presentations and new research projects from the Onapsis Research Labs, as well as exclusive access to special promotions for upcoming trainings and conferences.

1. Impact on Business
=====================

By exploiting this vulnerability, an internal or external attacker would be able to attack the organization's users through weaknesses in the SAP system. Upon successful exploitation, the attacker would be able to obtain sensitive information from legitimate users through social engineering and/or exploit vulnerabilities in their systems in order to take control of them.

- Risk Level: Medium

2. Advisory Information
=======================

- Public Release Date: 2011-04-19
- Subscriber Notification Date: 2011-04-14
- Last Revised: 2011-04-14
- Security Advisory ID: ONAPSIS-2011-003
- Onapsis SVS ID: ONAPSIS-00035
- Researcher: Mariano Nuñez Di Croce

3. Vulnerability Information
============================

- Vendor: SAP
- Affected Components:
  . SAP BASIS 640
  . SAP BASIS 700-702
  . SAP BASIS 710-730
  (Check SAP Note 1512134 for detailed information on affected releases)
- Vulnerability Class: Cross-Site Scripting / Open Redirect
- Remotely Exploitable: Yes
- Locally Exploitable: No
- Authentication Required: No
- Detection Module available in Onapsis X1: Yes
- BizRisk Illustration Module available in Onapsis X1: Yes
- Original Advisory: http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2011-003

4. Affected Components Description
==================================

The SAP Web Application Server (WebAS) is the application platform of SAP NetWeaver and the basis for the other NetWeaver components. With the SAP Web Application Server you can implement both server-based and client-based Web applications.

5. Vulnerability Details
========================

It has been detected that the ITS Mobile Start service suffers from input validation vulnerabilities and design weaknesses, which can be exploited to perform XSS and arbitrary redirect attacks.

Further technical details about this issue are not disclosed at this moment, in order to give affected customers enough time to patch their systems and protect against exploitation of the described vulnerability.

6. Solution
===========

SAP has released SAP Note 1512134, which provides patched versions of the affected components. The patches can be downloaded from https://service.sap.com/sap/support/notes/1512134.

Onapsis strongly recommends that SAP customers download the related security fixes and apply them to the affected components in order to reduce business risks.

7. Report Timeline
==================

. 2010-09-22: Onapsis provides vulnerability information to SAP.
. 2010-09-23: SAP confirms reception of vulnerability submission.
. 2011-01-11: SAP releases security patches.
. 2011-04-14: Onapsis notifies availability of security advisory to Onapsis Subscribers.
. 2011-04-19: Onapsis notifies availability of security advisory to security mailing lists.

About Onapsis Research Labs
===========================

Onapsis continuously invests resources in researching the security of business-critical systems and applications. With that objective in mind, a special unit, the Onapsis Research Labs, has existed since the creation of the company. The experts in this team lead public research in this field, having discovered and published many of the public security vulnerabilities in these platforms. The outcome of this advanced research is continuously provided to the Onapsis Consulting and Development teams, improving the quality of our solutions and enabling our customers to be protected from the latest risks to their critical business information. Furthermore, the results of these research projects are usually shared with the general security and professional community, encouraging the sharing of information and increasing the common knowledge in this field.

About Onapsis
=============

Onapsis is the leading provider of solutions for the security of ERP systems and business-critical applications. Through different innovative products and services, Onapsis helps its global customers to effectively increase the security level of their core business platforms, protecting their information and decreasing financial fraud risks. Onapsis is built upon a team of world-renowned experts in the SAP security field, with several years of experience in the assessment and protection of critical platforms in world-wide
[Full-disclosure] [Onapsis Security Advisory 2011-004] SAP WebAS ITS Mobile Test Service Multiple Vulnerabilities
Onapsis Security Advisory 2011-004: SAP WebAS ITS Mobile Test Service Multiple Vulnerabilities

This advisory can be downloaded in PDF format from http://www.onapsis.com/. By downloading this advisory from the Onapsis Resource Center, you will gain early access to information on upcoming advisories, presentations and new research projects from the Onapsis Research Labs, as well as exclusive access to special promotions for upcoming trainings and conferences.

1. Impact on Business
=====================

By exploiting this vulnerability, an internal or external attacker would be able to attack the organization's users through weaknesses in the SAP system. Upon successful exploitation, the attacker would be able to obtain sensitive information from legitimate users through social engineering and/or exploit vulnerabilities in their systems in order to take control of them.

- Risk Level: Medium

2. Advisory Information
=======================

- Public Release Date: 2011-04-19
- Subscriber Notification Date: 2011-04-14
- Last Revised: 2011-04-14
- Security Advisory ID: ONAPSIS-2011-004
- Onapsis SVS ID: ONAPSIS-00036
- Researcher: Mariano Nuñez Di Croce

3. Vulnerability Information
============================

- Vendor: SAP
- Affected Components:
  . SAP BASIS 640
  . SAP BASIS 700-702
  . SAP BASIS 710-730
  (Check SAP Note 1512134 for detailed information on affected releases)
- Vulnerability Class: Cross-Site Scripting / Open Redirect
- Remotely Exploitable: Yes
- Locally Exploitable: No
- Authentication Required: No
- Detection Module available in Onapsis X1: Yes
- BizRisk Illustration Module available in Onapsis X1: Yes
- Original Advisory: http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2011-004

4. Affected Components Description
==================================

The SAP Web Application Server (WebAS) is the application platform of SAP NetWeaver and the basis for the other NetWeaver components. With the SAP Web Application Server you can implement both server-based and client-based Web applications.

5. Vulnerability Details
========================

It has been detected that the ITS Mobile Test service suffers from input validation vulnerabilities and design weaknesses, which can be exploited to perform XSS and arbitrary redirect attacks.

Further technical details about this issue are not disclosed at this moment, in order to give affected customers enough time to patch their systems and protect against exploitation of the described vulnerability.

6. Solution
===========

SAP has released SAP Note 1512134, which provides patched versions of the affected components. The patches can be downloaded from https://service.sap.com/sap/support/notes/1512134.

Onapsis strongly recommends that SAP customers download the related security fixes and apply them to the affected components in order to reduce business risks.

7. Report Timeline
==================

. 2010-09-22: Onapsis provides vulnerability information to SAP.
. 2010-09-23: SAP confirms reception of vulnerability submission.
. 2011-01-11: SAP releases security patches.
. 2011-04-14: Onapsis notifies availability of security advisory to Onapsis Subscribers.
. 2011-04-19: Onapsis notifies availability of security advisory to security mailing lists.
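Advisories 2011-003 and 2011-004 both name the same two weakness classes, open redirect and cross-site scripting, without disclosing the affected input. The following Python block is an added illustration of those two classes in general, not the ITS Mobile code and not SAP's fix: it places the naive redirect check a developer often writes first beside a validator that rejects the scheme-relative, backslash, userinfo and non-http forms attackers use, and escapes a reflected parameter before it reaches HTML. The allow-listed host name and the helper names are constructed for the example.

```python
"""Redirect-target validation and output escaping, side by side.

Added illustration of the open redirect and XSS classes named in
Onapsis advisories 2011-003/004; not the affected SAP code.
"""
import html
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"portal.example.com"}      # constructed for the example


def naive_is_local(target):
    """The check often written first: 'starts with a slash'.

    It accepts //evil.example/ (scheme-relative, browsers follow it to
    evil.example) and /\\evil.example (many browsers normalise the
    backslash to a slash), so it does not stop an open redirect."""
    return target.startswith("/")


def is_safe_redirect(target):
    """Accept only same-site targets: a plain absolute path (no scheme,
    no authority) or an http(s) URL whose host is on the allow list."""
    if not target or any(ord(c) < 0x20 or c.isspace() for c in target):
        return False                       # control chars / header splitting
    if "\\" in target:
        return False                       # backslash host confusion
    parts = urlsplit(target)
    if parts.scheme:                       # absolute URL: pin scheme and host
        return (parts.scheme in ("http", "https")
                and parts.hostname in ALLOWED_HOSTS)
    if parts.netloc:                       # //host/... form
        return False
    return target.startswith("/") and not target.startswith("//")


def build_redirect(target, fallback="/"):
    """Location value to emit: the validated target or a safe default."""
    return target if is_safe_redirect(target) else fallback


def render_message(value):
    """Reflect a request parameter into HTML only after escaping it."""
    return "<p>Return to <b>%s</b></p>" % html.escape(value, quote=True)


if __name__ == "__main__":
    for t in ("/sap/bc/x", "//evil.example/", "/\\evil.example",
              "https://portal.example.com@evil.example/", "javascript:alert(1)"):
        print("%-45s naive=%-5s safe=%s" % (t, naive_is_local(t), is_safe_redirect(t)))
    print(render_message('<script>alert(1)</script>'))
```

The validator pins both scheme and host rather than pattern-matching the string, because `urlsplit` resolves the cases the naive check misses (userinfo before `@`, scheme-relative authorities, non-http schemes) the same way a browser does.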
[Full-disclosure] [Onapsis Security Advisory 2011-005] SAP Enterprise Portal Path Disclosure
Onapsis Security Advisory 2011-005: SAP Enterprise Portal Path Disclosure

This advisory can be downloaded in PDF format from http://www.onapsis.com/. By downloading this advisory from the Onapsis Resource Center, you will gain early access to information on upcoming advisories, presentations and new research projects from the Onapsis Research Labs, as well as exclusive access to special promotions for upcoming trainings and conferences.

1. Impact on Business
=====================

By exploiting this vulnerability, an internal or external attacker would be able to obtain sensitive technical information from a vulnerable SAP Enterprise Portal system, which can be highly useful in later phases of an attack.

- Risk Level: Low

2. Advisory Information
=======================

- Public Release Date: 2011-04-19
- Subscriber Notification Date: 2011-04-14
- Last Revised: 2011-04-14
- Security Advisory ID: ONAPSIS-2011-005
- Onapsis SVS ID: ONAPSIS-00038
- Researcher: Mariano Nuñez Di Croce

3. Vulnerability Information
============================

- Vendor: SAP
- Affected Components:
  . EPBC2 7.00-7.02
  . EP-PSERV 6.0_640
  . EP-BASIS 7.10-7.11
  . EP-BASIS 7.20
  . EP-BASIS 7.31
  (Check SAP Note 1513182 for detailed information on affected releases)
- Vulnerability Class: Path Disclosure
- Remotely Exploitable: Yes
- Locally Exploitable: No
- Authentication Required: No
- Detection Module available in Onapsis X1: Yes
- BizRisk Illustration Module available in Onapsis X1: Yes
- Original Advisory: http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2011-005

4. Affected Components Description
==================================

According to the vendor, SAP Enterprise Portal offers a single point of access to SAP and non-SAP information sources, enterprise applications, information repositories, databases, and services inside and outside your organization, all integrated in a single user experience.

5. Vulnerability Details
========================

It has been detected that the Enterprise Portal runtime presents descriptive error messages when special HTTP requests are processed, returning information about the filesystem structure where the component is deployed on the target system.

Further technical details about this issue are not disclosed at this moment, in order to give affected customers enough time to patch their systems and protect against exploitation of the described vulnerability.

6. Solution
===========

SAP has released SAP Note 1513182, which provides patched versions of the affected components. The patches can be downloaded from https://service.sap.com/sap/support/notes/1513182.

Onapsis strongly recommends that SAP customers download the related security fixes and apply them to the affected components in order to reduce business risks.

7. Report Timeline
==================

. 2010-09-22: Onapsis provides vulnerability information to SAP.
. 2010-09-23: SAP confirms reception of vulnerability submission.
. 2011-01-11: SAP releases security patches.
. 2011-04-14: Onapsis notifies availability of security advisory to Onapsis Subscribers.
. 2011-04-19: Onapsis notifies availability of security advisory to security mailing lists.
[Full-disclosure] [Onapsis Security Advisory 2011-006] Oracle JD Edwards JDENET Kernel Denial of Service
Onapsis Security Advisory 2011-006: Oracle JD Edwards JDENET Kernel Denial of Service

This advisory can be downloaded in PDF format from http://www.onapsis.com/. By downloading this advisory from the Onapsis Resource Center, you will gain early access to information on upcoming advisories, presentations and new research projects from the Onapsis Research Labs, as well as exclusive access to special promotions for upcoming trainings and conferences.

1. Impact on Business
=====================

By exploiting this vulnerability, an unauthenticated attacker would be able to remotely block certain functions of the JD Edwards server. This would result in the unavailability of certain services running on the JD Edwards server. These services are not critical for the normal operation of the system.

- Risk Level: Low

2. Advisory Information
=======================

- Release Date: 2011-04-27
- Last Revised: 2011-04-27
- Security Advisory ID: ONAPSIS-2011-06
- Onapsis SVS ID: ONAPSIS-00019
- Researcher: Juan Pablo Perez Etchegoyen

3. Vulnerability Information
============================

- Vendor: ORACLE
- Affected Components:
  * JD Edwards 9.0 EnterpriseOne Server + EnterpriseOne Tools 8.98 (older versions might also be affected)
- Vulnerability Class: Denial of service
- Remotely Exploitable: Yes
- Locally Exploitable: No
- Authentication Required: No
- Original Advisory: http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2011-06

4. Affected Components Description
==================================

JDENet is the network communication middleware that handles workstation-to-server and server-to-server communication in a JD Edwards environment. It is used to call remote functions, authenticate users and transmit information between hosts.

5. Vulnerability Details
========================

If a certain type of message, containing a specially-crafted Unicode data packet, is sent to the JDENET service, the JDENET kernel executes a system call using a user-provided value as the time parameter. This causes the service to stop responding for a period of time.

Further technical details about this issue are not disclosed at this moment, in order to give affected customers enough time to patch their systems and protect against exploitation of the described vulnerability.

6. Solution
===========

Apply the Oracle Critical Patch Update of April 2011. More information is available at http://www.oracle.com/technetwork/topics/security/cpuapr2011-301950.html

Onapsis strongly recommends that Oracle customers download the related security fixes and apply them to the affected components in order to reduce business risks.

7. Report Timeline
==================

* 2010-09-20: Onapsis provides vulnerability information to Oracle.
* 2010-09-21: Oracle confirms reception of vulnerability submission.
* 2010-09-24: Oracle states vulnerability is under investigation.
* 2010-10-07: Oracle confirms vulnerability.
* 2011-04-19: Oracle releases fixes in CPU.
* 2011-04-27: Onapsis releases security advisory.
[Full-disclosure] [Onapsis Security Advisory 2011-007] Oracle JD Edwards JDENET Kernel Shutdown
Onapsis Security Advisory 2011-007: Oracle JD Edwards JDENET Kernel Shutdown

This advisory can be downloaded in PDF format from http://www.onapsis.com/. By downloading this advisory from the Onapsis Resource Center, you will gain early access to information on upcoming advisories, presentations and new research projects from the Onapsis Research Labs, as well as exclusive access to special promotions for upcoming trainings and conferences.

1. Impact on Business
=====================

By exploiting this vulnerability, an unauthenticated attacker would be able to remotely shut down the JD Edwards server. This would result in the total unavailability of the ERP functionality, preventing company users from performing the required business processes.

- Risk Level: High

2. Advisory Information
=======================

- Release Date: 2011-04-27
- Last Revised: 2011-04-27
- Security Advisory ID: ONAPSIS-2011-07
- Onapsis SVS ID: ONAPSIS-00020
- Researcher: Juan Pablo Perez Etchegoyen

3. Vulnerability Information
============================

- Vendor: ORACLE
- Affected Components:
  * JD Edwards 9.0 EnterpriseOne Server + EnterpriseOne Tools 8.98 (older versions might also be affected)
- Vulnerability Class: Denial of service
- Remotely Exploitable: Yes
- Locally Exploitable: No
- Authentication Required: No
- Original Advisory: http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2011-07

4. Affected Components Description
==================================

JDENet is the network communication middleware that handles workstation-to-server and server-to-server communication in a JD Edwards environment. It is used to call remote functions, authenticate users and transmit information between hosts.

5. Vulnerability Details
========================

If a specially-crafted message is sent to the JDENET service, the JDENET kernel performs a shutdown of the service.

Further technical details about this issue are not disclosed at this moment, in order to give affected customers enough time to patch their systems and protect against exploitation of the described vulnerability.

6. Solution
===========

Apply the Oracle Critical Patch Update of April 2011. More information is available at http://www.oracle.com/technetwork/topics/security/cpuapr2011-301950.html

Onapsis strongly recommends that Oracle customers download the related security fixes and apply them to the affected components in order to reduce business risks.

7. Report Timeline
==================

* 2010-09-20: Onapsis provides vulnerability information to Oracle.
* 2010-09-21: Oracle confirms reception of vulnerability submission.
* 2010-09-24: Oracle states vulnerability is under investigation.
* 2010-10-07: Oracle confirms vulnerability.
* 2011-04-19: Oracle releases fixes in CPU.
* 2011-04-27: Onapsis releases security advisory.
[Full-disclosure] [Onapsis Security Advisory 2011-009] Oracle JD Edwards JDENET SawKernel Remote Password Disclosure
Onapsis Security Advisory 2011-009: Oracle JD Edwards JDENET SawKernel Remote Password Disclosure

This advisory can be downloaded in PDF format from http://www.onapsis.com/. By downloading this advisory from the Onapsis Resource Center, you will gain early access to information on upcoming advisories, presentations and new research projects from the Onapsis Research Labs, as well as exclusive access to special promotions for upcoming trainings and conferences.

1. Impact on Business
=====================

By exploiting this vulnerability, a remote unauthenticated attacker might be able to obtain valid access credentials and access or modify all the business information processed by the ERP system. This would result in the total compromise of the ERP infrastructure.

- Risk Level: High

2. Advisory Information
=======================

- Release Date: 2011-04-27
- Last Revised: 2011-04-27
- Security Advisory ID: ONAPSIS-2011-09
- Onapsis SVS ID: ONAPSIS-00031
- Researcher: Juan Pablo Perez Etchegoyen

3. Vulnerability Information
============================

- Vendor: ORACLE
- Affected Components:
  * JD Edwards 9.0 EnterpriseOne Server + EnterpriseOne Tools 8.98 (older versions might also be affected)
- Vulnerability Class: Information Disclosure
- Remotely Exploitable: Yes
- Locally Exploitable: No
- Authentication Required: No
- Original Advisory: http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2011-09

4. Affected Components Description
==================================

JDENet is the network communication middleware that handles workstation-to-server and server-to-server communication in a JD Edwards environment. It is used to call remote functions, authenticate users and transmit information between hosts.

5. Vulnerability Details
========================

It is possible for a remote, unauthenticated attacker to retrieve the passwords of users that are allowed to log in to the SAW Kernel (System Administration Workbench Kernel) in default installations of JD Edwards EnterpriseOne servers.

As SAW users are allowed to, among other things, remotely execute commands on the server, exploitation of this vulnerability leads to a full compromise of the server.

Further technical details about this issue are not disclosed at this moment, in order to give affected customers enough time to patch their systems and protect against exploitation of the described vulnerability.

6. Solution
===========

Apply the Oracle Critical Patch Update of April 2011. More information is available at http://www.oracle.com/technetwork/topics/security/cpuapr2011-301950.html

Onapsis strongly recommends that Oracle customers download the related security fixes and apply them to the affected components in order to reduce business risks.

7. Report Timeline
==================

* 2010-09-20: Onapsis provides vulnerability information to Oracle.
* 2010-09-21: Oracle confirms reception of vulnerability submission.
* 2010-09-24: Oracle states vulnerability is under investigation.
* 2010-10-07: Oracle confirms vulnerability.
* 2011-04-19: Oracle releases fixes in CPU.
* 2011-04-27: Onapsis releases security advisory.
[Full-disclosure] [Onapsis Security Advisory 2011-010] Oracle JD Edwards JDENET Remote Logging Deactivation
Onapsis Security Advisory 2011-010: Oracle JD Edwards JDENET Remote Logging Deactivation

This advisory can be downloaded in PDF format from http://www.onapsis.com/. By downloading this advisory from the Onapsis Resource Center, you will gain early access to information on upcoming advisories, presentations and new research projects from the Onapsis Research Labs, as well as exclusive access to special promotions for upcoming trainings and conferences.

1. Impact on Business
=====================

By exploiting this vulnerability, a remote unauthenticated attacker would be able to disable logging capabilities on the JD Edwards server. This could result in malicious activities becoming untraceable on the ERP server.

- Risk Level: Medium

2. Advisory Information
=======================

- Release Date: 2011-04-27
- Last Revised: 2011-04-27
- Security Advisory ID: ONAPSIS-2011-10
- Onapsis SVS ID: ONAPSIS-00025
- Researcher: Juan Pablo Perez Etchegoyen

3. Vulnerability Information
============================

- Vendor: ORACLE
- Affected Components:
  * JD Edwards 9.0 EnterpriseOne Server + EnterpriseOne Tools 8.98 (older versions might also be affected)
- Vulnerability Class: Unauthenticated functionality
- Remotely Exploitable: Yes
- Locally Exploitable: No
- Authentication Required: No
- Original Advisory: http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2011-10

4. Affected Components Description
==================================

JDENet is the network communication middleware that handles workstation-to-server and server-to-server communication in a JD Edwards environment. It is used to call remote functions, authenticate users and transmit information between hosts.

5. Vulnerability Details
========================

Several ways to remotely deactivate logging of the kernel processes have been detected. If specifically crafted messages are sent to the JDENET service, the JDENET kernel will stop logging the activity of the kernel processes.

Further technical details about this issue are not disclosed at this moment, in order to give affected customers enough time to patch their systems and protect against exploitation of the described vulnerability.

6. Solution
===========

Apply the Oracle Critical Patch Update of April 2011. More information is available at http://www.oracle.com/technetwork/topics/security/cpuapr2011-301950.html

Onapsis strongly recommends that Oracle customers download the related security fixes and apply them to the affected components in order to reduce business risks.

7. Report Timeline
==================

* 2010-09-20: Onapsis provides vulnerability information to Oracle.
* 2010-09-21: Oracle confirms reception of vulnerability submission.
* 2010-09-24: Oracle states vulnerability is under investigation.
* 2010-10-07: Oracle confirms vulnerability.
* 2011-04-19: Oracle releases fixes in CPU.
* 2011-04-27: Onapsis releases security advisory.
[Full-disclosure] [Onapsis Security Advisory 2011-011] Oracle JD Edwards JDENET Buffer Overflow
Onapsis Security Advisory 2011-011: Oracle JD Edwards JDENET Buffer Overflow

1. Impact on Business

By exploiting this vulnerability, a remote unauthenticated attacker might be able to access or modify all the business information processed by the ERP system. This would result in the total compromise of the ERP infrastructure.

-- Risk Level: High

2. Advisory Information

-- Release Date: 2011-04-27
-- Last Revised: 2011-04-27
-- Security Advisory ID: ONAPSIS-2011-11
-- Onapsis SVS ID: ONAPSIS-00018
-- Researcher: Juan Pablo Perez Etchegoyen

3. Vulnerability Information

-- Vendor: ORACLE
-- Affected Components:
   * JD Edwards 9.0 EnterpriseOne Server + EnterpriseOne Tools 8.98 (older versions might also be affected)
-- Vulnerability Class: Memory corruption
-- Remotely Exploitable: Yes
-- Locally Exploitable: No
-- Authentication Required: No
-- Original Advisory: http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2011-11

4. Affected Components Description

JDENet is a network communication middleware that performs network communications workstation-to-server and server-to-server. It is used to call remote functions, to authenticate users and to transmit information between hosts in a JD Edwards environment.

5. Vulnerability Details

If a packet of a specific size is sent to the JDENet service, a heap-based buffer overflow condition is raised.

Further technical details about this issue are not disclosed at this moment, with the purpose of providing enough time to affected customers to patch their systems and protect against the exploitation of the described vulnerability.

6. Solution

Apply Oracle Critical Patch Update April – 2010. More information is available at http://www.oracle.com/technetwork/topics/security/cpuapr2011-301950.html

Onapsis strongly recommends Oracle customers to download the related security fixes and apply them to the affected components in order to reduce business risks.

7. Report Timeline

* 2010-09-20: Onapsis provides vulnerability information to Oracle.
* 2010-09-21: Oracle confirms reception of vulnerability submission.
* 2010-09-24: Oracle states vulnerability is under investigation.
* 2010-10-07: Oracle confirms vulnerability.
* 2011-04-19: Oracle releases fixes in CPU.
* 2011-04-27: Onapsis releases security advisory.
[Full-disclosure] [Onapsis Security Advisory 2011-012] Oracle JD Edwards JDENET Firewall Bypass
Onapsis Security Advisory 2011-012: Oracle JD Edwards JDENET Firewall Bypass

1. Impact on Business

By exploiting this vulnerability, a remote unauthenticated attacker might be able to connect to the ERP system, bypassing weak network firewall configurations. This might result in obtaining remote access to the ERP system, even though this access was supposed to be restricted to internal networks.

-- Risk Level: Low

2. Advisory Information

-- Release Date: 2011-04-27
-- Last Revised: 2011-04-27
-- Security Advisory ID: ONAPSIS-2011-12
-- Onapsis SVS ID: ONAPSIS-00024
-- Researcher: Juan Pablo Perez Etchegoyen

3. Vulnerability Information

-- Vendor: ORACLE
-- Affected Components:
   * JD Edwards 9.0 EnterpriseOne Server + EnterpriseOne Tools 8.98 (older versions might also be affected)
-- Vulnerability Class: Abuse of designed functionality
-- Remotely Exploitable: Yes
-- Locally Exploitable: No
-- Authentication Required: No
-- Original Advisory: http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2011-12

4. Affected Components Description

JDENet is a network communication middleware that performs network communications workstation-to-server and server-to-server. It is used to call remote functions, to authenticate users and to transmit information between hosts in a JD Edwards environment.

5. Vulnerability Details

If a specially-crafted UDP packet is sent to the JDENet port, the JDENET service creates a TCP connection to the IP and PORT parameters provided in that packet. This callback connection could be used to access JDENET and all the ERP functionality exposed through it.

Further technical details about this issue are not disclosed at this moment, with the purpose of providing enough time to affected customers to patch their systems and protect against the exploitation of the described vulnerability.

6. Solution

Apply Oracle Critical Patch Update April – 2010. More information is available at http://www.oracle.com/technetwork/topics/security/cpuapr2011-301950.html

Onapsis strongly recommends Oracle customers to download the related security fixes and apply them to the affected components in order to reduce business risks.

7. Report Timeline

* 2010-09-20: Onapsis provides vulnerability information to Oracle.
* 2010-09-21: Oracle confirms reception of vulnerability submission.
* 2010-09-24: Oracle states vulnerability is under investigation.
* 2010-10-07: Oracle confirms vulnerability.
* 2011-04-19: Oracle releases fixes in CPU.
* 2011-04-27: Onapsis releases security advisory.
[Full-disclosure] [Onapsis Security Advisory 2011-013] Oracle JD Edwards JDENET USRBROADCAST Denial of Service
Onapsis Security Advisory 2011-013: Oracle JD Edwards JDENET USRBROADCAST Denial of Service

1. Impact on Business

By exploiting this vulnerability, an unauthenticated attacker would be able to remotely disrupt the JD Edwards server. This would result in the total unavailability of the ERP functionality, preventing company users from performing the required business processes.

-- Risk Level: High

2. Advisory Information

-- Release Date: 2011-04-27
-- Last Revised: 2011-04-27
-- Security Advisory ID: ONAPSIS-2011-13
-- Onapsis SVS ID: ONAPSIS-00022
-- Researcher: Juan Pablo Perez Etchegoyen

3. Vulnerability Information

-- Vendor: ORACLE
-- Affected Components:
   * JD Edwards 9.0 EnterpriseOne Server + EnterpriseOne Tools 8.98 (older versions might also be affected)
-- Vulnerability Class: Memory corruption
-- Remotely Exploitable: Yes
-- Locally Exploitable: No
-- Authentication Required: No
-- Original Advisory: http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2011-13

4. Affected Components Description

JDENet is a network communication middleware that performs network communications workstation-to-server and server-to-server. It is used to call remote functions, to authenticate users and to transmit information between hosts in a JD Edwards environment.

5. Vulnerability Details

If a specially crafted packet is sent to the JDENet service, an access violation is raised. As the process fails to handle this exception, the result is a crash that renders the system unavailable.

Further technical details about this issue are not disclosed at this moment, with the purpose of providing enough time to affected customers to patch their systems and protect against the exploitation of the described vulnerability.

6. Solution

Apply Oracle Critical Patch Update April – 2010. More information is available at http://www.oracle.com/technetwork/topics/security/cpuapr2011-301950.html

Onapsis strongly recommends Oracle customers to download the related security fixes and apply them to the affected components in order to reduce business risks.

7. Report Timeline

* 2010-09-20: Onapsis provides vulnerability information to Oracle.
* 2010-09-21: Oracle confirms reception of vulnerability submission.
* 2010-09-24: Oracle states vulnerability is under investigation.
* 2010-10-07: Oracle confirms vulnerability.
* 2011-04-19: Oracle releases fixes in CPU.
* 2011-04-27: Onapsis releases security advisory.
[Full-disclosure] [Onapsis Research Labs] New SAP Security In-Depth issue and Tool - The Silent Threat: SAP Backdoors and Rootkits
Dear colleague,

We are happy to announce the third issue of the Onapsis SAP Security In-Depth publication.

Onapsis' SAP Security In-Depth is a free technical publication led by the Onapsis Research Labs with the purpose of providing specialized information about the current and future risks in the SAP security field, allowing all the different actors (financial managers, information security managers, SAP administrators, auditors, consultants and the general professional community) to better understand the involved risks and the techniques and tools available to assess and mitigate them.

In this edition: The Silent Threat: SAP Backdoors and Rootkits, by Mariano Nuñez Di Croce.

Backdoors and rootkits have existed for a long time. From PCI cards to the most modern operating systems, almost every system is susceptible to being attacked and modified to hold a malicious program that will secure future access for the attacker and even perform unauthorized activities, while trying to remain undetected.

As SAP business solutions run the most critical business information and processes in the organization, a backdoor in this platform would imply severe impacts for the business. If the organization is not securing its systems properly, it would be possible for a remote, anonymous attacker to perform continuous espionage, fraud and sabotage attacks through the injection of a backdoor or rootkit in the SAP platform.

This publication analyzes some of the different attack vectors that malicious parties can use to try to inject backdoors and rootkits in the SAP platform, in order to understand the protection measures that need to be implemented to protect the business crown jewels.

The full publication can be downloaded from http://www.onapsis.com/resources/get.php?resid=ssid03

At the same time, we have released a new free tool: Onapsis Integrity Analyzer for SAP. This proof-of-concept will help you identify future unauthorized modifications of standard ABAP programs in your SAP systems, which could be the result of backdoor or rootkit attacks.

The tool can be downloaded from http://www.onapsis.com/ianalyzer

We hope you can enjoy these new resources! We would also love to get your feedback. Feel free to write us back with your comments and ideas.

Kindest regards,

--
The Onapsis Research Labs Team
Onapsis S.R.L
Email: resea...@onapsis.com
Web: www.onapsis.com
PGP: http://www.onapsis.com/pgp/research.asc

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [Onapsis Security Advisory 2011-001] SAP Management Console Unauthenticated Service Restart
Onapsis Security Advisory 2011-001: SAP Management Console Unauthenticated Service Restart

1. Impact on Business

By exploiting this vulnerability, an anonymous internal or external attacker would be able to remotely disrupt the main management interface of the organization's SAP systems. This would result in the impossibility of performing remote maintenance of the SAP landscape, as the attacker can repeatedly restart the service and prevent administrators from using it.

- Risk Level: High

2. Advisory Information

- Public Release Date: 2011-01-12
- Subscriber Notification Date: 2011-01-04
- Last Revised: 2011-01-04
- Security Advisory ID: ONAPSIS-2011-001
- Onapsis SVS ID: ONAPSIS-00011
- Researcher: Jordan Santarsieri

3. Vulnerability Information

- Vendor: SAP
- Affected Components:
  . SAP KERNEL RELEASE 6.40
  . SAP KERNEL RELEASE 7.00
  . SAP KERNEL RELEASE 7.01
  . SAP KERNEL RELEASE 7.10
  . SAP KERNEL RELEASE 7.11
  . SAP KERNEL RELEASE 7.20
  (Check SAP Note 1439348 for detailed information on affected releases)
- Vulnerability Class: Denial of Service
- Remotely Exploitable: Yes
- Locally Exploitable: No
- Authentication Required: No
- Detection Module available in Onapsis X1: Yes
- BizRisk Illustration Module available in Onapsis X1: Yes
- Original Advisory: http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2011-001

4. Affected Components Description

The SAP Management Console (SAP MC) provides a common framework for centralized system management. It allows users to monitor and perform basic administration tasks on the SAP system centrally, thus simplifying system administration. Through this component, administrators can start, stop and restart instances, monitor system alerts, display log and trace files, etc. This service is enabled by default in every SAP system.

5. Vulnerability Details

A Denial of Service vulnerability has been discovered in the processing of administration commands by the SAP MC. This functionality allows the restart of the service without providing authentication information.

Technical details about this issue are not disclosed at this moment, with the purpose of providing enough time to affected customers to patch their systems and protect against the exploitation of the described vulnerability.

6. Solution

SAP has released SAP Note 1439348, which provides patched versions of the affected components. The patches can be downloaded from https://service.sap.com/sap/support/notes/1439348.

Onapsis strongly recommends SAP customers to download the related security fixes and apply them to the affected components in order to reduce business risks.

7. Report Timeline

. 2009-12-17: Onapsis provides vulnerability information to SAP.
. 2009-12-18: SAP confirms reception of vulnerability submission.
. 2010-12-14: SAP releases security patches.
. 2011-01-04: Onapsis notifies availability of security advisory to Onapsis Subscribers.
. 2011-01-12: Onapsis notifies availability of security advisory to security mailing lists.
[Full-disclosure] [Onapsis Security Advisory 2011-002] SAP Management Console Information Disclosure
Onapsis Security Advisory 2011-002: SAP Management Console Information Disclosure

1. Impact on Business

Abusing this functionality, a remote and unauthenticated attacker would be able to gain sensitive information from an SAP system. This information would help in the process of compromising the security of the SAP server through more advanced attacks.

- Risk Level: Medium

2. Advisory Information

- Public Release Date: 2011-01-12
- Subscriber Notification Date: 2011-01-04
- Last Revised: 2011-01-04
- Security Advisory ID: ONAPSIS-2011-001
- Onapsis SVS ID: ONAPSIS-00012
- Researcher: Jordan Santarsieri

3. Vulnerability Information

- Vendor: SAP
- Affected Components:
  . SAP KERNEL RELEASE 6.40
  . SAP KERNEL RELEASE 7.00
  . SAP KERNEL RELEASE 7.01
  . SAP KERNEL RELEASE 7.10
  . SAP KERNEL RELEASE 7.11
  . SAP KERNEL RELEASE 7.20
  (Check SAP Note 1439348 for detailed information on affected releases)
- Vulnerability Class: Information Disclosure
- Remotely Exploitable: Yes
- Locally Exploitable: Yes
- Authentication Required: No
- Detection Module available in Onapsis X1: Yes
- BizRisk Illustration Module available in Onapsis X1: Yes
- Original Advisory: http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2011-002

4. Affected Components Description

The SAP Management Console (SAP MC) provides a common framework for centralized system management. It allows users to monitor and perform basic administration tasks on the SAP system centrally, thus simplifying system administration. Through this component, administrators can start, stop and restart instances, monitor system alerts, display log and trace files, etc. This service is enabled by default in every SAP system.

5. Vulnerability Details

It has been detected that many of the available methods in the sapstartsrv SOAP server do not require user authentication, allowing remote and unauthenticated users to obtain sensitive information from the SAP system, such as the list of log files and their content, profile parameters, developer traces, etc. Furthermore, some of the unauthenticated methods perform security-sensitive operations that may impact the integrity, confidentiality and/or availability of the SAP system.

Technical details about this issue are not disclosed at this moment, with the purpose of providing enough time to affected customers to patch their systems and protect against the exploitation of the described vulnerability.

6. Solution

SAP has released SAP Note 1439348, which provides patched versions of the affected components. The patches can be downloaded from https://service.sap.com/sap/support/notes/1439348.

Onapsis strongly recommends SAP customers to download the related security fixes and apply them to the affected components in order to reduce business risks.

7. Report Timeline

. 2009-12-17: Onapsis provides vulnerability information to SAP.
. 2009-12-18: SAP confirms reception of vulnerability submission.
. 2010-12-14: SAP releases security patches.
. 2011-01-04: Onapsis notifies availability of security advisory to Onapsis Subscribers.
. 2011-01-12: Onapsis notifies availability of security advisory to security mailing lists.
[Full-disclosure] [Onapsis Security Advisory 2010-008] Oracle Virtual Server Agent Arbitrary File Access
Onapsis Security Advisory 2010-0008: Oracle Virtual Server Agent Arbitrary File Access

This advisory can be downloaded in PDF format from http://www.onapsis.com/research.html.

1. Impact on Business

By exploiting this vulnerability, an authenticated attacker would be able to remotely compromise the OVS server, together with all the virtual machines configured on it. This would result in the compromise of the integrity, availability and confidentiality of every virtual machine deployed on the OVS server.

- Risk Level: (High)

2. Advisory Information

- Release Date: 2010-11-02
- Last Revised: 2010-11-02
- Security Advisory ID: ONAPSIS-2010-008
- Onapsis SVS ID: ONAPSIS-00013
- Researcher: Juan Pablo Perez Etchegoyen

3. Vulnerability Information

- Vendor: ORACLE
- Affected Components:
  * Oracle Virtual Server Agent 2.3
- Vulnerability Class: Arbitrary file access
- Remotely Exploitable: Yes
- Locally Exploitable: Yes
- Authentication Required: Yes
- CVE: CVE-2010-3585
- Initial Base CVSS v2: 9 (AV:N/AC:L/AU:S/C:C/I:C/A:C)
- Original Advisory: http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2010-008

4. Affected Components Description

Oracle VM is server virtualization software which fully supports both Oracle and non-Oracle applications. Oracle VM offers scalable, low-cost server virtualization that is three times more efficient than existing server virtualization products from other vendors. Oracle has also announced certification of key Oracle products including Oracle Database, Oracle Fusion Middleware, Oracle Applications, and Oracle Real Application Clusters with Oracle VM.

Oracle VM Manager communicates with Oracle VM Agent to create and manage guests on an Oracle VM Server. Oracle VM Agent is installed and configured during the installation of Oracle VM Server. By default, Oracle VM Agent is executed as a highly privileged user, typically root.

5. Vulnerability Details

Oracle VM Agent exposes several functions through XML-RPC. The use of some of these functions (executed as a highly privileged user, or root) can lead to arbitrary file access, which is not an intended function of the agent.

Onapsis is not distributing technical details about this issue to the general public at this moment, in order to provide enough time to affected customers to patch their systems and protect against the exploitation of the described vulnerability.

6. Solution

Apply Oracle Critical Patch Update October – 2010. More information is available at http://www.oracle.com/technetwork/topics/security/cpuoct2010-175626.html

Onapsis strongly recommends Oracle customers to download the related security fixes and apply them to the affected components in order to reduce business risks.

7. Report Timeline

. 2010-09-20: Onapsis provides vulnerability information to Oracle.
. 2010-09-21: Oracle confirms reception of vulnerability submission.
. 2010-09-24: Oracle states vulnerability is under investigation.
. 2010-10-07: Oracle confirms vulnerability.
. 2010-10-12: Oracle releases fixes in CPU.
. 2010-11-02: Onapsis releases security advisory.
[Full-disclosure] [Onapsis Security Advisory 2010-009] Oracle Virtual Server Agent Remote Command Execution
Onapsis Security Advisory 2010-0009: Oracle Virtual Server Agent Remote Command Execution

This advisory can be downloaded in PDF format from http://www.onapsis.com/research.html. By downloading this advisory from the Onapsis Resource Center, you will gain access to beforehand information on upcoming advisories, presentations and new research projects from the Onapsis Research Labs, as well as exclusive access to special promotions for upcoming trainings and conferences.

1. Impact on Business
By exploiting this vulnerability, an authenticated attacker would be able to remotely compromise the OVS server, together with all the virtual machines configured on it. This would result in the compromise of the integrity, availability and confidentiality of every virtual machine deployed on the OVS server.

- Risk Level: High

2. Advisory Information
- Release Date: 2010-11-02
- Last Revised: 2010-11-02
- Security Advisory ID: ONAPSIS-2010-009
- Onapsis SVS ID: ONAPSIS-00014
- Researcher: Juan Pablo Perez Etchegoyen

3. Vulnerability Information
- Vendor: ORACLE
- Affected Components:
  * Oracle Virtual Server Agent 2.3
- Vulnerability Class: Remote command execution
- Remotely Exploitable: Yes
- Locally Exploitable: Yes
- Authentication Required: Yes
- CVE: CVE-2010-3583
- Initial Base CVSS v2: 9 (AV:N/AC:L/AU:S/C:C/I:C/A:C)
- Original Advisory: http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2010-009

4. Affected Components Description
Oracle VM is server virtualization software which fully supports both Oracle and non-Oracle applications. Oracle VM offers scalable, low-cost server virtualization that is three times more efficient than existing server virtualization products from other vendors. Oracle has also announced certification of key Oracle products including Oracle Database, Oracle Fusion Middleware, Oracle Applications, and Oracle Real Application Clusters with Oracle VM.

Oracle VM Manager communicates with Oracle VM Agent to create and manage guests on an Oracle VM Server. Oracle VM Agent is installed and configured during the installation of Oracle VM Server. By default, Oracle VM Agent is executed as a highly privileged user, typically root.

5. Vulnerability Details
Oracle VM Agent exposes several functions through XML-RPC. One of these functions contains a vulnerability that can be exploited to execute arbitrary operating system commands on the target server.

Onapsis is not distributing technical details about this issue to the general public at this moment in order to provide enough time for affected customers to patch their systems and protect against the exploitation of the described vulnerability.

6. Solution
Apply Oracle Critical Patch Update October 2010. More information is available at http://www.oracle.com/technetwork/topics/security/cpuoct2010-175626.html

Onapsis strongly recommends Oracle customers to download the related security fixes and apply them to the affected components in order to reduce business risks.

7. Report Timeline
- 2010-09-20: Onapsis provides vulnerability information to Oracle.
- 2010-09-21: Oracle confirms reception of vulnerability submission.
- 2010-09-24: Oracle states vulnerability is under investigation.
- 2010-10-07: Oracle confirms vulnerability.
- 2010-10-12: Oracle releases fixes in CPU.
- 2010-11-02: Onapsis releases security advisory.
[Full-disclosure] [Onapsis Security Advisory 2010-010] Oracle Virtual Server Agent Local Privilege Escalation
Onapsis Security Advisory 2010-0010: Oracle Virtual Server Agent Local Privilege Escalation

This advisory can be downloaded in PDF format from http://www.onapsis.com/research.html. By downloading this advisory from the Onapsis Resource Center, you will gain access to beforehand information on upcoming advisories, presentations and new research projects from the Onapsis Research Labs, as well as exclusive access to special promotions for upcoming trainings and conferences.

1. Impact on Business
By exploiting this vulnerability, a local authenticated attacker would be able to access the OVS agent and manage all virtual machines configured on the OVS server. This would result in the compromise of the integrity, availability and confidentiality of every virtual machine deployed on the OVS server.

- Risk Level: Medium

2. Advisory Information
- Release Date: 2010-11-02
- Last Revised: 2010-11-02
- Security Advisory ID: ONAPSIS-2010-010
- Onapsis SVS ID: ONAPSIS-00015
- Researcher: Juan Pablo Perez Etchegoyen

3. Vulnerability Information
- Vendor: ORACLE
- Affected Components:
  * Oracle Virtual Server Agent 2.3
- Vulnerability Class: Local privilege escalation
- Remotely Exploitable: No
- Locally Exploitable: Yes
- Authentication Required: Yes
- CVE: CVE-2010-3584
- Initial Base CVSS v2: 4.3 (AV:L/AC:L/AU:S/C:P/I:P/A:P)
- Original Advisory: http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2010-010

4. Affected Components Description
Oracle VM is server virtualization software which fully supports both Oracle and non-Oracle applications. Oracle VM offers scalable, low-cost server virtualization that is three times more efficient than existing server virtualization products from other vendors. Oracle has also announced certification of key Oracle products including Oracle Database, Oracle Fusion Middleware, Oracle Applications, and Oracle Real Application Clusters with Oracle VM.

Oracle VM Manager communicates with Oracle VM Agent to create and manage guests on an Oracle VM Server. Oracle VM Agent is installed and configured during the installation of Oracle VM Server. By default, Oracle VM Agent is executed as a highly privileged user, typically root.

5. Vulnerability Details
Oracle VM Agent stores user authentication data in files with weak permissions. This can be abused by a non-privileged user to access cleartext passwords and password hashes, leading to a privilege escalation attack.

Onapsis is not distributing technical details about this issue to the general public at this moment in order to provide enough time for affected customers to patch their systems and protect against the exploitation of the described vulnerability.

6. Solution
Apply Oracle Critical Patch Update October 2010. More information is available at http://www.oracle.com/technetwork/topics/security/cpuoct2010-175626.html

Onapsis strongly recommends Oracle customers to download the related security fixes and apply them to the affected components in order to reduce business risks.

7. Report Timeline
- 2010-09-20: Onapsis provides vulnerability information to Oracle.
- 2010-09-21: Oracle confirms reception of vulnerability submission.
- 2010-09-24: Oracle states vulnerability is under investigation.
- 2010-10-07: Oracle confirms vulnerability.
- 2010-10-12: Oracle releases fixes in CPU.
- 2010-11-02: Onapsis releases security advisory.
[Full-disclosure] [Onapsis Security Advisory 2010-007] SAP Management Console Multiple Denial of Service
Onapsis Security Advisory 2010-007: SAP Management Console Multiple Denial of Service

This advisory can be downloaded in PDF format from http://www.onapsis.com/research.html. By downloading this advisory from the Onapsis Resource Center, you will gain access to beforehand information on upcoming advisories, presentations and new research projects from the Onapsis Research Labs, as well as exclusive access to special promotions for upcoming trainings and conferences.

1. Impact on Business
By exploiting this vulnerability, an unauthenticated internal or external attacker would be able to remotely disrupt the main management interface of the Organization's SAP systems. This would result in the impossibility of performing remote maintenance of the SAP landscape, forcing administrators to invest effort into restoring the system to its original state.

- Risk Level: High

2. Advisory Information
- Public Release Date: 2010-09-29
- Subscriber Notification Date: 2010-09-22
- Last Revised: 2010-09-22
- Security Advisory ID: ONAPSIS-2010-007
- Onapsis SVS ID: ONAPSIS-8, ONAPSIS-9
- Researcher: Jordan Santarsieri

3. Vulnerability Information
- Vendor: SAP
- Affected Components:
  * SAP KERNEL RELEASE 6.40
  * SAP KERNEL RELEASE 7.00
  * SAP KERNEL RELEASE 7.10
  (Check SAP Notes 1469804 and 1151410 for detailed information on affected releases)
- Vulnerability Class: Null-pointer dereference
- Remotely Exploitable: Yes
- Locally Exploitable: Yes
- Authentication Required: No
- Module Available in Onapsis X1: Yes
- Original Advisory: http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2010-007

4. Affected Components Description
The SAP Management Console (SAP MC) provides a common framework for centralized system management. It allows users to monitor and perform basic administration tasks on the SAP system centrally, thus simplifying system administration.

Through this component, administrators can start, stop and restart instances, monitor system alerts, display log and trace files, etc. This service is enabled by default in every SAP system.

5. Vulnerability Details
The SAP MC component fails to process malformed requests, resulting in a Denial of Service condition, since the affected service crashes.

Onapsis is not distributing technical details about this issue to the general public at this moment in order to provide enough time for affected customers to patch their systems and protect against the exploitation of the described vulnerability.

6. Solution
SAP has released SAP Notes 1469804 and 1151410, which provide patched versions of the affected components. The patches can be downloaded from https://service.sap.com/sap/support/notes/1469804 and https://service.sap.com/sap/support/notes/1151410

Onapsis strongly recommends SAP customers to download the related security fix and apply it to the affected components in order to reduce business risks.

7. Report Timeline
- 2009-12-17: Onapsis provides vulnerability information to SAP.
- 2009-12-18: SAP confirms reception of vulnerability submission.
- 2010-08-17: SAP states that one of the reported issues has already been fixed in note 1151410. The other issue will be fixed through note 1469804.
- 2010-09-14: SAP releases security patches.
- 2010-09-22: Onapsis notifies availability of security advisory to Onapsis Subscribers.
- 2010-09-29: Onapsis notifies availability of security advisory to security mailing lists.
[Full-disclosure] [Onapsis Security Advisory 2010-006] SAP J2EE Web Services Navigator Cross-Site Scripting
Onapsis Security Advisory 2010-006: SAP J2EE Web Services Navigator Cross-Site Scripting

This advisory can be downloaded in PDF format from http://www.onapsis.com/. By downloading this advisory from the Onapsis Resource Center, you will gain access to beforehand information on upcoming advisories, presentations and new research projects from the Onapsis Research Labs, as well as exclusive access to special promotions for upcoming trainings and conferences.

1. Impact on Business
By exploiting this vulnerability, an internal or external attacker would be able to perform attacks on the Organization's users through weaknesses in the SAP system. Upon a successful exploitation, he would be able to obtain sensitive information from legitimate users through social engineering attacks and/or exploit vulnerabilities in their systems in order to take control of them.

- Risk Level: Medium

2. Advisory Information
- Release Date: 2010-07-13
- Last Revised: 2010-07-13
- Security Advisory ID: ONAPSIS-2010-006
- Onapsis SVS ID: ONAPSIS-2
- Researcher: Mariano Nuñez Di Croce

3. Vulnerability Information
- Vendor: SAP
- Affected Components:
  * SAP_JTECHS 6 (6.40)
  * SAP_JTECHS 7 (7.00)
  (Check SAP Note 1169248 for detailed information on affected releases)
- Vulnerability Class: Cross-Site Scripting
- Remotely Exploitable: Yes
- Locally Exploitable: Yes
- Authentication Required: No
- Original Advisory: http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2010-006

4. Affected Components Description
The SAP J2EE Engine is a key component of the SAP NetWeaver application platform, which enables the development and execution of Java solutions in SAP landscapes. The J2EE Engine is the component on which, for example, the SAP Enterprise Portal solution is built and executed.

5. Vulnerability Details
The J2EE Engine contains a Web Services Navigator interface, which enables interaction with the Web Services deployed in the server. This interface suffers from a Cross-Site Scripting vulnerability, which may enable malicious parties to perform different kinds of attacks over SAP users.

Onapsis is not distributing technical details about this issue to the general public at this moment in order to provide enough time for affected customers to patch their systems and protect against the exploitation of the described vulnerability.

6. Solution
SAP has released SAP Note 1169248, which provides a patched version of the affected components. This patch can be downloaded from https://service.sap.com/sap/support/notes/1169248

Onapsis strongly recommends SAP customers to download the related security fix and apply it to the affected components in order to reduce business risks.

7. Report Timeline
- 2009-11-24: Onapsis provides vulnerability information to SAP.
- 2009-11-24: SAP confirms reception of vulnerability submission.
- 2010-05-17: SAP states that the vulnerability has been successfully patched through SAP Security Note 1169248. SAP states that Security Note 1372831 provides additional (cosmetic) changes to the Web Service interface.
- 2010-07-13: Onapsis releases security advisory.
[Full-disclosure] [Onapsis Security Advisory 2010-005] SAP J2EE Telnet Administration Security Check Bypass
Onapsis Security Advisory 2010-005: SAP J2EE Telnet Administration Security Check Bypass

This advisory can be downloaded in PDF format from http://www.onapsis.com/research.html. By downloading this advisory from the Onapsis Resource Center, you will gain access to beforehand information on upcoming advisories, presentations and new research projects from the Onapsis Research Labs, as well as exclusive access to special promotions for upcoming trainings and conferences.

1. Impact on Business
By exploiting this vulnerability, an internal or external attacker would be able to retrieve sensitive technical information from the SAP J2EE system. This information can be used to replay authentication credentials and perform sensitive operations over the SAP landscape, possibly taking remote control of the affected systems.

- Risk Level: Medium

2. Advisory Information
- Release Date: 2010-06-16
- Last Revised: 2010-06-16
- Security Advisory ID: ONAPSIS-2010-005
- Onapsis SVS ID: ONAPSIS-3
- Researcher: Mariano Nuñez Di Croce

3. Vulnerability Information
- Vendor: SAP
- Affected Components:
  * SAP-JEECOR 6.40
  * SAP-JEECOR 7.00
  * SAP-JEECOR 7.01
  * SAP-JEECOR 7.02
  * SERVERCORE 7.10
  * SERVERCORE 7.11
  * SERVERCORE 7.20
  * SERVERCORE 7.30
  (Check SAP Note 1425847 for detailed information on affected releases)
- Vulnerability Class: SMB Relay
- Remotely Exploitable: Yes
- Locally Exploitable: Yes
- Authentication Required: Yes
- Original Advisory: http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2010-005

4. Affected Components Description
The SAP J2EE Engine is a key component of the SAP NetWeaver application platform, which enables the development and execution of Java solutions in SAP landscapes. The J2EE Engine is the component on which, for example, the SAP Enterprise Portal solution is built and executed.

5. Vulnerability Details
The J2EE Engine contains a Telnet interface, which enables the administration of certain components of the SAP J2EE instances. Due to an error in the validation of command arguments, it is possible to bypass certain security restrictions and perform SMB relay attacks against the system.

Onapsis is not distributing technical details about this issue to the general public at this moment in order to provide enough time for affected customers to patch their systems and protect against the exploitation of the described vulnerability.

6. Solution
SAP has released SAP Note 1425847, which provides a patched version of the affected components. This patch can be downloaded from https://service.sap.com/sap/support/notes/1425847

Onapsis strongly recommends SAP customers to download the related security fix and apply it to the affected components in order to reduce business risks.

7. Report Timeline
- 2009-11-24: Onapsis provides vulnerability information to SAP.
- 2009-11-24: SAP confirms reception of vulnerability submission.
- 2010-05-12: SAP releases security patch.
- 2010-06-16: Onapsis releases security advisory.
[Full-disclosure] Onapsis Research Labs: Onapsis Bizploit - The opensource ERP Penetration Testing framework
Dear colleague,

We are proud to announce the release of Onapsis Bizploit, the first opensource ERP Penetration Testing framework. Presented at the renowned HITB Dubai security conference, Bizploit is expected to provide the security community with a basic framework to support the discovery, exploration, vulnerability assessment and exploitation of ERP systems.

The term ERP Security has so far been understood by most of the IT Security and Auditing industries as a synonym of “Segregation of Duties”. While this aspect is absolutely important for the overall security of the Organization's core business platforms, there are many other threats that are still overlooked and imply much higher levels of risk. Onapsis Bizploit is designed as an academic proof-of-concept that will help the general community to illustrate and understand these kinds of risks.

Currently Onapsis Bizploit provides all the features available in the sapyto GPL project, plus several new plugins and connectors focused on the security of SAP business platforms. Updates for other popular ERPs are to be released in the short term.

You can download the software freely from http://www.onapsis.com

Best regards,
The Onapsis Research Labs Team
Onapsis S.R.L
Email: resea...@onapsis.com
Web: www.onapsis.com
PGP: http://www.onapsis.com/pgp/research.asc

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] Onapsis Research Labs: SAP Security In-Depth Vol. II
Dear colleague,

We would like to announce the second release of the Onapsis SAP Security In-Depth publication. SAP Security In-Depth is a free technical publication led by the Onapsis Research Labs with the purpose of providing specialized information about the current and future risks in the SAP security field, allowing all the different actors (financial managers, information security managers, SAP administrators, auditors, consultants and the general professional community) to better understand the involved risks and the techniques and tools available to assess and mitigate them.

In this edition: SAP Knowledge Management - The risks of sharing, by Jordan Santarsieri.

SAP Knowledge Management (SAP KM) is a central component of SAP Enterprise Portal, enabling the sharing of information extracted from different data sources of the Organization in a single access point. Employees, customers, vendors and business partners use this platform to interact with the data provided by the company in order to suit their different business requirements.

This business information, available in SAP KM, can be highly sensitive and its non-authorized access and/or manipulation implies high risks for any company. Our experience in this field indicates that due to the lack of proper access-control implementations, combined with default and permissive policies, many organizations can be exposing sensitive information through SAP Enterprise Portal to non-authorized parties.

This volume analyses in detail some of the risks that affect the security of SAP Knowledge Management and presents possible solutions in order to mitigate them, allowing you to increase the security level of your SAP Enterprise Portal installation.

The full publication can be downloaded from http://www.onapsis.com/resources/get.php?resid=ssid02

Best regards,
The Onapsis Research Labs Team
[Full-disclosure] [Onapsis Security Advisory 2010-002] SAP J2EE Engine MDB Path Traversal
Onapsis Security Advisory 2010-002: SAP J2EE Engine MDB Path Traversal

This advisory can be downloaded from http://www.onapsis.com/research.html. By downloading this advisory from the Onapsis Resource Center, you will gain access to beforehand information on upcoming advisories, presentations and new research projects from the Onapsis Research Labs.

1. Impact on Business
By exploiting this vulnerability, an internal or external attacker would be able to access arbitrary files located in the SAP Server file-system. With this access, he would be able to obtain sensitive technical and business-related information stored in the vulnerable SAP system.

- Risk Level: Medium

2. Advisory Information
- Release Date: 2010-02-10
- Last Revised: 2010-02-10
- Security Advisory ID: ONAPSIS-2010-002
- Onapsis SVS ID: ONAPSIS-01
- Researcher: Mariano Nuñez Di Croce

3. Vulnerability Information
- Vendor: SAP
- Affected Components:
  * SAP J2EE Engine 7.00 SP9
  * Other versions may be affected
- Vulnerability Class: Path Traversal
- Remotely Exploitable: Yes
- Locally Exploitable: Yes
- Authentication Required: Yes

4. Affected Components Description
The SAP J2EE Engine is a key component of the SAP NetWeaver application platform, which enables the development and execution of Java solutions in SAP landscapes. The J2EE Engine is shipped with several example applications, which can be accessed through a Web interface.

5. Vulnerability Details
The Message-Driven Bean Example application suffers from a path traversal vulnerability, which may enable remote attackers to access sensitive files in the server filesystem.

Onapsis is not distributing technical details about this issue to the general public at this moment in order to provide enough time for affected customers to patch their systems and protect against the exploitation of the described vulnerability.

6. Solution
SAP has released SAP Note 1421523, which provides a patched version of the affected components. This patch can be downloaded from https://service.sap.com/sap/support/notes/1421523

Onapsis strongly recommends SAP customers to download the related security fix and apply it to the affected components in order to reduce business risks.

7. Report Timeline
- 2009-11-24: Onapsis provides vulnerability information to SAP.
- 2009-11-24: SAP confirms reception of vulnerability submission.
- 2010-02-09: SAP releases security patch.
- 2010-02-10: Onapsis releases security advisory.

About Onapsis
Onapsis is built upon a team of world-renowned experts in the SAP security field, with several years of experience in the assessment and protection of critical platforms in world-wide customers, such as Fortune-500 companies and governmental entities. Some of our featured services include SAP Penetration Testing, SAP Gateway RFC security, SAP Enterprise Portal security assessment, Security Support for SAP Implementations and Upgrades, SAP System Hardening and SAP Technical Security Audits.

For further information about our solutions, please contact us at i...@onapsis.com and visit our website at www.onapsis.com.
[Full-disclosure] [Onapsis Security Advisory 2010-004] SAP J2EE Authentication Phishing Vector
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Onapsis Security Advisory 2010-004: SAP J2EE Authentication Phishing Vector

This advisory can be downloaded from http://www.onapsis.com/research.html.

By downloading this advisory from the Onapsis Resource Center, you will gain access to advance information on upcoming advisories, presentations and new research projects from the Onapsis Research Labs.

1. Impact on Business
=====================

By exploiting this vulnerability, an internal or external attacker would be able to perform attacks on the Organization's users through weaknesses in the SAP system. An attacker would send specially crafted emails to users of the Organization's SAP system. After they have been successfully authenticated by the application, they would be redirected to an attacker-controlled web site, where the attacker would be able to perform different attacks against their systems and/or trick them into providing sensitive information.

- Risk Level: Medium

2. Advisory Information
=======================

- Release Date: 2010-02-10
- Last Revised: 2010-02-10
- Security Advisory ID: ONAPSIS-2010-004
- Onapsis SVS ID: ONAPSIS-05
- Researcher: Mariano Nuñez Di Croce

3. Vulnerability Information
============================

- Vendor: SAP
- Affected Components:
  . SAP JAVA CORE 6.40 SP26
  . SAP JAVA CORE 7.00 SP02
  . SAP JAVA CORE 7.01 SP07
  . SAP JAVA CORE 7.02 SP03
- Vulnerability Class: Phishing Vector
- Remotely Exploitable: Yes
- Locally Exploitable: Yes
- Authentication Required: No

4. Affected Components Description
==================================

The SAP J2EE Engine is a key component of the SAP NetWeaver application platform, which enables the development and execution of Java solutions in SAP landscapes. The J2EE Engine is the component on which, for example, the SAP Enterprise Portal solution is built and executed.

5. Vulnerability Details
========================

The authentication mechanism of the SAP J2EE Engine (which is shared by the Enterprise Portal and other solutions) suffers from a phishing vector vulnerability, which may allow a remote attacker to perform different attacks against the organization's SAP users.

Onapsis is not distributing technical details about this issue to the general public at this moment, in order to give affected customers enough time to patch their systems and protect against the exploitation of the described vulnerability.

6. Solution
===========

SAP has released SAP Note 1175239, which provides a patched version of the affected components. This patch can be downloaded from https://service.sap.com/sap/support/notes/1175239

Onapsis strongly recommends that SAP customers download the related security fix and apply it to the affected components in order to reduce business risks.

7. Report Timeline
==================

. 2009-11-24: Onapsis provides vulnerability information to SAP.
. 2009-11-24: SAP confirms reception of vulnerability submission.
. 2010-02-09: SAP releases security patch.
. 2010-02-10: Onapsis releases security advisory.

8. About Onapsis Research Labs
==============================

Onapsis is continuously investing resources in the research of the security of business-critical systems and applications. With that objective in mind, a special unit – the Onapsis Research Labs – has been developed since the creation of the company. The experts involved in this special team lead the public research trends in this matter, having discovered and published many of the public security vulnerabilities in these platforms.

The outcome of this advanced and cutting-edge research is continuously provided to the Onapsis Consulting and Development teams, improving the quality of our solutions and enabling our customers to be protected from the latest risks to their critical business information. Furthermore, the results of these research projects are usually shared with the general security and professional community, encouraging the sharing of information and increasing the common knowledge in this field.

9. About Onapsis
================

Onapsis is the leading provider of solutions for the security of business-critical systems and applications. Through different innovative products and services, Onapsis helps its global customers to effectively increase the security level of their core business platforms, protecting their information and decreasing financial fraud risks.

Onapsis is built upon a team of world-renowned experts in the SAP security field, with several years of experience in the assessment and protection of critical platforms at customers worldwide, such as Fortune-500 companies and governmental entities. Some of our featured services include SAP Penetration Testing, SAP Gateway RFC security, SAP Enterprise Portal security assessment, Security Support for SAP Implementations and Upgrades, SAP System
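The impact section of this advisory describes the vulnerability class only in general terms: after a successful logon the user is sent on to a web site of the attacker's choosing. The snippet below is an added educational example of the defensive check that closes that class of issue, namely validating a post-login redirect target against the application's own origin before honouring it. It is not SAP's code and not the fix shipped in SAP Note 1175239; the parameter name returnUrl, the origin https://portal.example.com and the sample requests are constructed for the example.

```python
"""Post-login redirect validation (added example; not SAP code).

A logon handler that forwards the browser to whatever URL a request
parameter names lets a crafted link turn a genuine logon into a redirect
to a third-party site. The hardened variant below accepts only targets
that stay on the application's own origin.
"""
from urllib.parse import urlsplit

# Constructed for the example: the origin of our own application.
APP_ORIGIN = "https://portal.example.com"


def is_safe_redirect(target: str, app_origin: str = APP_ORIGIN) -> bool:
    """Return True only if `target` cannot leave `app_origin`.

    Rejects: empty values; CR/LF (header injection) and backslashes
    (browser-specific slash normalisation); non-http(s) schemes such as
    javascript:; protocol-relative URLs (//other.host/...); absolute URLs
    whose scheme or host differ from our own, including userinfo tricks
    (https://portal.example.com@other.host/).
    """
    if not target or any(ch in target for ch in "\r\n\\"):
        return False
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:
        # Absolute or protocol-relative: scheme and host must match exactly.
        origin = urlsplit(app_origin)
        return (parts.scheme.lower() == origin.scheme.lower()
                and parts.netloc.lower() == origin.netloc.lower())
    # Relative target: require a single leading slash (no "//").
    return target.startswith("/") and not target.startswith("//")


def resolve_redirect(target: str, default: str = "/",
                     app_origin: str = APP_ORIGIN) -> str:
    """Return the location to send the user to after logon.

    Unsafe or missing targets fall back to `default` instead of being
    refused outright, so a tampered link degrades to a normal logon.
    """
    return target if is_safe_redirect(target, app_origin) else default


def vulnerable_post_login_location(params: dict) -> str:
    """Vulnerable pattern: trusts the request parameter unchanged."""
    return params.get("returnUrl", "/")


def hardened_post_login_location(params: dict) -> str:
    """Hardened pattern: same parameter, validated against our origin."""
    return resolve_redirect(params.get("returnUrl", "/"))


if __name__ == "__main__":
    # Constructed sample request, as an attacker's crafted link would send it.
    crafted = {"returnUrl": "https://login-portal.example.net/relogin"}
    print("vulnerable ->", vulnerable_post_login_location(crafted))
    print("hardened   ->", hardened_post_login_location(crafted))
```

The check compares scheme and host exactly rather than testing whether the target "starts with" or "contains" the application's host name, since prefix and substring tests are the usual reason such validators can be bypassed; a target carrying an explicit port or a differently spelled host is conservatively refused and falls back to the default landing page.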
[Full-disclosure] [Onapsis Security Advisory 2010-003] SAP WebDynpro Runtime XSS/CSS Injection
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Onapsis Security Advisory 2010-003: SAP WebDynpro Runtime XSS/CSS Injection

This advisory can be downloaded from http://www.onapsis.com/research.html.

By downloading this advisory from the Onapsis Resource Center, you will gain access to advance information on upcoming advisories, presentations and new research projects from the Onapsis Research Labs.

1. Impact on Business
=====================

By exploiting this vulnerability, an internal or external attacker would be able to perform attacks on the Organization's users through weaknesses in the SAP system. Upon successful exploitation, the attacker would be able to obtain sensitive information from legitimate users through complex social engineering attacks and/or exploit vulnerabilities in their systems in order to take control of them.

- Risk Level: Medium

2. Advisory Information
=======================

- Release Date: 2010-02-10
- Last Revised: 2010-02-10
- Security Advisory ID: ONAPSIS-2010-003
- Onapsis SVS ID: ONAPSIS-04
- Researcher: Mariano Nuñez Di Croce

3. Vulnerability Information
============================

- Vendor: SAP
- Affected Components:
  . SAP NetWeaver 2004 SP21
  . SAP NetWeaver 2004s SP13
- Vulnerability Class: HTML Code Injection
- Remotely Exploitable: Yes
- Locally Exploitable: Yes
- Authentication Required: No

4. Affected Components Description
==================================

Web Dynpro is a client-independent programming model of the SAP NetWeaver technology platform for developing user interfaces for professional business applications. It is based on the Model View Controller (MVC) paradigm, which ensures that the business logic is separated from the presentation logic. The SAP Enterprise Portal and Web Dynpro for Java are the strategic user interface technologies of SAP and are based on the SAP Web Application Server (WebAS) Java.

5. Vulnerability Details
========================

The WebDynpro Runtime suffers from a Cross-Site Scripting / CSS Injection vulnerability, which may enable remote attackers to perform different kinds of attacks against SAP users.

Onapsis is not distributing technical details about this issue to the general public at this moment, in order to give affected customers enough time to patch their systems and protect against the exploitation of the described vulnerability.

6. Solution
===========

SAP has released SAP Note 1424863, which provides a patched version of the affected components. This patch can be downloaded from https://service.sap.com/sap/support/notes/1424863

Onapsis strongly recommends that SAP customers download the related security fix and apply it to the affected components in order to reduce business risks.

7. Report Timeline
==================

. 2009-11-24: Onapsis provides vulnerability information to SAP.
. 2009-11-24: SAP confirms reception of vulnerability submission.
. 2010-02-09: SAP releases security patch.
. 2010-02-10: Onapsis releases security advisory.

8. About Onapsis Research Labs
==============================

Onapsis is continuously investing resources in the research of the security of business-critical systems and applications. With that objective in mind, a special unit – the Onapsis Research Labs – has been developed since the creation of the company. The experts involved in this special team lead the public research trends in this matter, having discovered and published many of the public security vulnerabilities in these platforms.

The outcome of this advanced and cutting-edge research is continuously provided to the Onapsis Consulting and Development teams, improving the quality of our solutions and enabling our customers to be protected from the latest risks to their critical business information. Furthermore, the results of these research projects are usually shared with the general security and professional community, encouraging the sharing of information and increasing the common knowledge in this field.

9. About Onapsis
================

Onapsis is the leading provider of solutions for the security of business-critical systems and applications. Through different innovative products and services, Onapsis helps its global customers to effectively increase the security level of their core business platforms, protecting their information and decreasing financial fraud risks.

Onapsis is built upon a team of world-renowned experts in the SAP security field, with several years of experience in the assessment and protection of critical platforms at customers worldwide, such as Fortune-500 companies and governmental entities. Some of our featured services include SAP Penetration Testing, SAP Gateway RFC security, SAP Enterprise Portal security assessment, Security Support for SAP Implementations and Upgrades, SAP System Hardening and SAP Technical Security Audits.

For further information about
[Full-disclosure] [Onapsis Security Advisory 2010-001] SAP WebAS Integrated ITS Remote Command Execution
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Onapsis Security Advisory 2010-001: SAP WebAS Integrated ITS Remote Command Execution

This advisory can be downloaded from http://www.onapsis.com/research.html.

By downloading this advisory from the Onapsis Resource Center, you will gain access to advance information on upcoming advisories, presentations and new research projects from the Onapsis Research Labs.

1. Impact on Business
=====================

By exploiting this vulnerability, an internal or external attacker would be able to execute arbitrary remote commands on vulnerable SAP Web Application Servers, taking complete control of the SAP system. With these privileges, the attacker would be able to obtain, create, modify and/or delete any business-related information stored in the vulnerable SAP system.

- Risk Level: High

2. Advisory Information
=======================

- Release Date: 2010-01-19
- Last Revised: 2010-01-19
- Security Advisory ID: ONAPSIS-2010-001
- Onapsis SVS ID: ONAPSIS-06
- Researcher: Mariano Nuñez Di Croce

3. Vulnerability Information
============================

- Vendor: SAP
- Affected Components:
  . SAP Kernel 6.40 Patch Level 312
  . SAP Kernel 7.00 Patch Level 235
  . SAP Kernel 7.01 Patch Level 72
- Vulnerability Class: Buffer Overflow
- Remotely Exploitable: Yes
- Locally Exploitable: Yes
- Authentication Required: Yes

4. Affected Components Description
==================================

The SAP Web Application Server (WebAS) is the application platform of SAP NetWeaver, which is the basis for the other NetWeaver components. With the SAP Web Application Server you can implement both server-based and client-based Web applications.

As of SAP NetWeaver 04, the ITS is integrated into the SAP NetWeaver component SAP Web Application Server as an Internet Communication Framework (ICF) service, which can, like other services, be accessed through the Internet Communication Manager (ICM). With the SAP Web Application Server with integrated ITS functionality, the Web browser communicates directly with the SAP system.

The integrated ITS is widely used among SAP implementations, the Webgui service being one of the most common services. This service provides access to the SAP system through a SAPGUI HTML interface, enabling end-users to access the server through a regular Internet browser.

5. Vulnerability Details
========================

Due to the significant risk of this vulnerability to critical business solutions, Onapsis is not distributing technical details about it to the general public at this moment, in order to give affected customers enough time to patch their systems and protect against the exploitation of the described vulnerability.

6. Solution
===========

SAP has released SAP Note 1414112, which provides a patched version of the affected components. This patch can be downloaded from https://service.sap.com/sap/support/notes/1414112.

Onapsis highly recommends that SAP customers download the related security fix and apply it to the affected components in order to reduce business risks.

7. Report Timeline
==================

. 2009-11-24: Onapsis provides vulnerability information to SAP.
. 2009-11-24: SAP confirms reception of vulnerability submission.
. 2009-12-12: SAP releases security patch.
. 2010-01-14: Onapsis coordinates release of security advisory with SAP.
. 2010-01-19: Onapsis releases security advisory.

8. About Onapsis Research Labs
==============================

Onapsis is continuously investing resources in the research of the security of business-critical systems and applications. With that objective in mind, a special unit – the Onapsis Research Labs – has been developed since the creation of the company. The experts involved in this special team lead the public research trends in this matter, having discovered and published many of the public security vulnerabilities in these platforms.

The outcome of this advanced and cutting-edge research is continuously provided to the Onapsis Consulting and Development teams, improving the quality of our solutions and enabling our customers to be protected from the latest risks to their critical business information. Furthermore, the results of these research projects are usually shared with the general security and professional community, encouraging the sharing of information and increasing the common knowledge in this field.

9. About Onapsis
================

Onapsis is the leading provider of solutions for the security of business-critical systems and applications. Through different innovative products and services, Onapsis helps its global customers to effectively increase the security level of their core business platforms, protecting their information and decreasing financial fraud risks.

Onapsis is built upon a team of world-renowned experts