Transcript
and I will be giving you a recap of all things ERP security related. Our goal is to keep this thing timely and relevant for our defenders out there. As always, let's start off with Patch Tuesday findings, with anything special of note. JP, do you want to jump in and do the honors?

Absolutely. Thank you, Paul. Hello, and hello, everyone. Thanks for joining. So we have Patch Tuesday for this March, second Tuesday of every month, as usual. In this edition, we had 12 new and updated SAP Security Notes, including three Hot News and three High Priority notes as well. It's important to note that there's been a focus on SAP NetWeaver Java, because there's been a critical note affecting SAP NetWeaver Java and three information disclosure ones. So if you're running SAP NetWeaver Java, it's important to apply those patches to reduce the risk. And as always, the Onapsis Research Labs has contributed to three information disclosure vulnerabilities in this case. So we are always reporting and collaborating with SAP in terms of finding and fixing vulnerabilities. So going into the Hot News, there are two that are relevant to mention. The first one is SAP Security Note 3425274. It scores a CVSS of 9.4, so it's quite critical. But the interesting part is that it affects all of the applications that were built with SAP Build Apps versions lower than 4.9.145. So these applications that were built with that vulnerable version or lower incorporate a library that is vulnerable and could expose the entire application. So fixing this is somewhat straightforward, but also not straightforward, because it's really upgrading the version of the library, but you need to go back and rebuild all of those affected applications. So it's important to understand that if you have applications that were built with SAP Build Apps versions lower than 4.9.145, go ahead, update the library and update and rebuild all those applications.
The second one to mention in terms of Hot News is SAP Security Note 3433192, which scores 9.1 in terms of CVSS. It's a critical code injection vulnerability in the Log Viewer for Java. So basically, the Log Viewer was not properly restricting all the file types that were able to be uploaded. An attacker was able to upload sensitive or, let's say, dangerous file types. Now the patch, if you upgrade the plugin, the Log Viewer plugin, basically it's restricting the file types to only the ones that are not dangerous, that could not be used to execute commands on the operating system or to do dangerous things. Then moving forward in terms of the High Priority ones, there is one that affects HTTP/2 in the SAP HANA XS classic and XS advanced. So these are the web applications that are built on top of the HANA XS engine. You need to upgrade the HANA XS classic and HANA XS advanced, because there is a vulnerability in the way that the HTTP/2 protocol is managed. So again, remember going back to 2022 and 2023, where we saw SAP patching ICMAD, that was discovered by the Onapsis Research Labs, and in 2023 also similar issues but extended to HTTP/2. Well, SAP continues to improve the security of these components by fixing the way this protocol is processed. And also in terms of High Priority notes, Security Note 3414195, it scores 7.2 in terms of CVSS, and it's patching a path traversal in BusinessObjects. So important to address, because many different things could be done by abusing a path traversal vulnerability. So go ahead and upgrade or update the components of your SAP BusinessObjects Business Intelligence. And with that, we wrap up the summary of the March Security Notes. So back to you, Paul.

Thanks, JP. That's certainly a lot of good information to be aware of. Let me see here. So I want to jump into a couple of things that are happening out there in the threat space with respect to SAP, and an issue that was discovered back earlier this year.
It's an open redirect vulnerability. So what that means is that there was a phishing scam that was happening at the beginning of the year targeting a large multinational company, and that permitted the use of their own domain. And once attackers identify these open redirects... Okay, so this open redirect vulnerability, take two. There was an attack happening earlier this year against a large multinational company that was using SAP. And there is a patch for this. But it's an open redirect in a URL. And it's a very common threat vector that's used by scammers, especially when they're trying to send phishing links to victims. Because what they can do then is use the domain name of an established, well-trusted organization who has ownership over a domain. So when you look at domains, you want to take a look at a lot of different aspects of a domain. You want to take a look at, is it new? Is it using name servers that are trusted? Is it communicating with other artifacts? Is it leaving other artifacts that are trustworthy or not trustworthy? What's the history of the domain? What IPs are these things tied to? What's the information in the DNS records, right? There's a lot of intel when it comes to DNS, and it takes a very specialized skill set to be able to really understand a domain name. Because there's a lot of threats that use dynamically generated algorithms to create domain names, which makes it harder for defenders to detect, or work against, or take down. So it's very awesome for attackers to be able to discover an open redirect and be able to use it, because then that allows you to use the legitimate domain with a legitimate URL at that domain and then simply tag on a value that, if as a user you click that specially crafted link, you then go and visit that malicious target destination, right? So you can have an evil domain with a landing page that is set up to take your SAP credentials, for instance, right?
So you could be targeted. An attacker can say, hey, I'm your IT department, right? I need you to log in. And then they'll send you an email with a totally legit, valid domain. That domain is not going to get picked up by your filters, because it's scored as legitimate. It's going to come through. The filters aren't going to stop it. And then you click on that link because you think it's totally legit. You know, you look at the domain, it's a legit domain. But when you click on it, what you're not aware of is that now you're going to get redirected over to the miscreants' controlled domain in the end, because it's going to hop to the legitimate one and get redirected to the bad domain. And now you've got to be aware, right? You've got to be careful where you're at so that you don't give away your credentials. But that's a very common tactic. And so I wanted to highlight that because, again, we come back to vulnerability management, right? You want to make sure that you're running your patches. You want to make sure that you're watching for these types of tricks that the miscreants can use. And needless to say, I just want to point out that the large multinational company, they did detect this type of activity, and they put a block on it on their end right away. So kudos, kudos to all organizations that are doing fantastic monitoring and detection and then having proper response in place to be able to handle any type of threat that's occurring. The other thing too, that we focused on from time to time in our discussions, JP and I, and also in some articles that you may have come across. If not, please take a look. We've written about ALPHV and BlackCat before, but I just wanted to share that they've been in the press recently again. There's been a lot of controversy over whether they received a large payment from a victim that they had targeted. By large, we're talking tens of millions of dollars.
But ultimately the group, shortly after that, said that they were shutting down and that they had already found a buyer for their information. And as a side note, as BlackCat has gone away, supposedly, LockBit also is estimated to have... They've also extorted about $120 million in payments from over 2,000 victims worldwide. But on February 20th, LockBit's website was seized by the FBI and the UK's NCA, following a months-long infiltration of the group. So some interesting news, some hopefully good news, about these groups going by the wayside. JP, over to you. I hear that we've got some pretty interesting information to share with our viewers.

Absolutely. Just closing on the ransomware side, a few weeks ago CISA released an alert about an FB and ransomware campaigns they're driving. So it's important to stay on top of that and also consume all the resources that CISA provides. They're free, and they're aimed to provide alerts on what's relevant and what's really important. And talking about important, what's more important than SAP pentests, right? So we get a lot of requests for doing pentests. We get a lot of customers asking for it. And of course, I have no question or no hesitation in saying that we have the industry-leading team in terms of experience, in terms of tools, in terms of background to perform SAP pentests. So they understand inside and out, in and out, how SAP works and the different vulnerabilities that can affect those systems. So in that case, I think it's very important, whenever this team is performing assessments and performing trainings, they take all of the learnings from the assessments into being able to deliver trainings. So upcoming in the middle of this year, I think it's July, August, we have Black Hat USA in Vegas. So what better excuse to go to Vegas than to get trained by the leading experts in SAP pentesting.
So if you want to understand what SAP systems are, what the techniques are, the exploits, the vulnerabilities, and how to protect them as well, I encourage you to go to Black Hat USA 2024 and subscribe to the SAP security training that is hosted by the Onapsis Research Labs.

I couldn't have said it better myself. I mean, it's a world-class pentesting team, and the team that I'm humbled and fortunate to work with, JP and the rest of the security research team, I'm just blown away. So thank you. I think, yeah, I think that brings us essentially to the end. Look, we love doing these things, Defenders Digest, and we look forward to doing more. So please stay tuned for our next episode that will be coming out. JP, any last word for our viewers?

Looking forward to the next one. Thank you all for joining.

Awesome. Thanks, everyone, and have a great March, and going into April too. Thank you.

We got our outtake.
The leprechaun stole your audio. I didn't catch him because Dr. Who came and took him away.
Apparently, my laptop didn't like what I was talking about.
So you said traversal and then you immediately froze.
My system doesn't like me talking about it. It couldn't handle the information.
Oh, no, I'm going to crash. Oh, wait, I can't hear you now.
Same thing happened to me. Hang on. A, B, C, D, E, F, G.
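The open redirect abuse Paul describes above, shown in code as an added example that is not part of the transcript and not Onapsis or SAP code. It assumes an imaginary login page at https://portal.example.com that takes a `redirect_to` query parameter; the attacker host evil.example, the list of redirect-style parameter names, and the sample links are all constructed for this example. The first function is the weak behaviour (send the user wherever the parameter says), the second is the hardened version (only a local path is honoured), and the third is the check a defender would run over links in inbound mail: flag a link that sits on a trusted domain but carries a redirect parameter pointing somewhere else.

```python
"""Open redirect: vulnerable handler, hardened handler, and a link check.

Added example; not code from the transcript, Onapsis, or SAP.
Assumed (not from the page): the app origin, the `redirect_to` parameter,
the attacker host evil.example, and the sample links below.
"""
from __future__ import annotations

from urllib.parse import parse_qs, urljoin, urlsplit

APP_ORIGIN = "https://portal.example.com"  # assumed trusted application origin

# Parameter names commonly used to carry a post-login destination (assumed list).
REDIRECT_PARAM_NAMES = {
    "redirect_to", "redirect", "url", "next", "return", "returnurl",
    "goto", "target", "dest",
}


def vulnerable_redirect_target(request_url: str) -> str:
    """'Before' behaviour: the Location header is whatever the parameter says.

    A link such as .../login?redirect_to=https://evil.example/... therefore
    bounces the user off the trusted domain onto the attacker's page.
    """
    params = parse_qs(urlsplit(request_url).query)
    return params.get("redirect_to", ["/"])[0]


def safe_redirect_target(request_url: str) -> str:
    """Hardened behaviour: honour only a local, same-origin path.

    Anything with a scheme, an authority (//host), a backslash (browsers
    treat '\\' like '/' in URLs), or control characters falls back to '/'.
    """
    target = parse_qs(urlsplit(request_url).query).get("redirect_to", ["/"])[0]
    if not target.startswith("/") or target.startswith(("//", "/\\")):
        return "/"
    if "\\" in target or any(ord(ch) < 0x20 for ch in target):
        return "/"
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:
        return "/"
    return target


def find_offsite_redirects(link: str, trusted_hosts: set[str]) -> list[tuple[str, str]]:
    """Defender-side check for a single link.

    Returns (parameter, destination_host) pairs where a link on a trusted
    host carries a redirect-style parameter whose resolved destination is
    not itself a trusted host. Values are resolved against the link's own
    origin so that protocol-relative (//evil.example) and percent-encoded
    destinations are caught as well.
    """
    parts = urlsplit(link)
    if parts.netloc.lower() not in trusted_hosts:
        return []  # not a trusted-domain link; out of scope for this check
    findings: list[tuple[str, str]] = []
    base = f"{parts.scheme}://{parts.netloc}/"
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        if name.lower() not in REDIRECT_PARAM_NAMES:
            continue
        for value in values:
            dest_host = urlsplit(urljoin(base, value)).netloc.lower()
            if dest_host and dest_host not in trusted_hosts:
                findings.append((name, dest_host))
    return findings


# Constructed sample links (not real phishing URLs).
SAMPLE_LINKS = [
    "https://portal.example.com/login?redirect_to=/account",
    "https://portal.example.com/login?redirect_to=https://evil.example/sap-login",
    "https://portal.example.com/login?redirect_to=//evil.example/sap-login",
    "https://portal.example.com/login?redirect_to=https%3A%2F%2Fevil.example%2Fx",
]


if __name__ == "__main__":
    trusted = {"portal.example.com"}
    for link in SAMPLE_LINKS:
        print(link)
        print("  vulnerable ->", vulnerable_redirect_target(link))
        print("  hardened   ->", safe_redirect_target(link))
        print("  flagged    ->", find_offsite_redirects(link, trusted))
```

The link check is a heuristic, not a proof: it only sees parameters whose names are on the list and only decodes one layer of percent-encoding, so a mail filter would pair it with the domain-reputation signals Paul lists (age, name servers, history, resolved IPs). The hardened handler deliberately rejects absolute URLs even when they point at the application's own host; if a legitimate cross-host hop is needed, map an opaque token to a server-side allowlist rather than accepting a URL from the client.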