(Improper Role Authorization Vulnerability (CVE-2018-2361) on SAP Solution Manager 7.2)
For many businesses on the SAP Enterprise Support contract, SAP Solution Manager is deployed to manage their IT environment in order to maximize time to value for new projects, control costs, and optimize compliance. With a comprehensive set of processes, tools and services, SAP Solution Manager 7.2 powers implementation, eases communication with the business, and continues to focus on operations and on IT.
Without any doubt, security plays a very critical role in the use of any application, and Solution Manager is no exception. SAP recently released a note to patch an Improper Role Authorization vulnerability rated 6.3 under the CVSSv3 scoring system.
2017 saw a notable increase in the number of disclosed vulnerabilities in SAP solutions compared to 2016. These vulnerabilities were matched by corresponding patch releases from SAP, with some degree of assistance from numerous SAP security research firms. As 2018 begins, the count of vulnerabilities with serious security implications is already accumulating.
The Improper Role Authorization vulnerability affecting SAP Solution Manager gives malicious actors room to use redundant role authorizations that grant the right to edit ALL tables on the server. For instance, the role SAP_BPO_CONFIG gives the BPO configuration user more authorization than is required for configuring the BPO tools, which can lead to compromised data and to non-compliance with the POPI Act and even GDPR.
SAP has released a note to address this vulnerability, and it is very important that every business running Solution Manager 7.2 implements it as a matter of urgency: SAP Note 2507934.
For security enthusiasts, advisories for these SAP vulnerabilities, with technical details and exploit, will be made publicly available in 3 months on erpscan.com. Exploits for the most critical vulnerabilities are already available in the ERPScan Security Monitoring Suite.
In the meantime, if you are using Z-copies of the standard roles on SP6 or above, these Z-copies have to be adjusted manually. If you are using the standard SAP roles, you have to regenerate the authorization profile for role SAP_BPO_CONFIG and execute the user comparison. If you are on a support package level lower than SP6 and cannot upgrade to SP6 just yet, follow the steps below:
- Find the local copy of role SAP_BPO_CONFIG in your SAP Solution Manager system. If there is no Z-copy of the role, create one.
- Change the local Z-copy of the role according to the following procedure:
  - Delete all entries for authorization object S_TABU_DIS.
  - Add authorization object S_TABU_DIS with the following values:
    - Table Authorization Group: SS, LMDB, PIMA, SA, IWAD, SC
    - Table Authorization Group: SA
- Save the role and generate the authorization profile for the role. Afterwards, execute the user comparison.
- Via transaction PFCG, “Users” tab, make sure that no user has the role SAP_BPO_CONFIG assigned. If you find users, switch them to the local copy of the role.
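The two checks above (does a role still grant change access to every table authorization group through S_TABU_DIS, and is anyone still assigned to such a role) can be scripted against exports of the role tables. The following is an added audit example, not code from the post or from SAP: it assumes semicolon-separated exports of AGR_1251 (role authorization values; only the LOW column is evaluated, ranges are ignored) and AGR_USERS (role assignments), and the sample rows, instance names and activity values it contains are constructed for illustration, not the values of the note.

```python
import csv
import io
from collections import defaultdict

# Constructed sample exports (not real system data), in AGR_1251 / AGR_USERS column
# order. AUTH names one S_TABU_DIS instance in a role; its ACTVT and DICBERCLS belong together.
AGR_1251_CSV = """AGR_NAME;OBJECT;AUTH;FIELD;LOW
SAP_BPO_CONFIG;S_TABU_DIS;T-0001;ACTVT;02
SAP_BPO_CONFIG;S_TABU_DIS;T-0001;ACTVT;03
SAP_BPO_CONFIG;S_TABU_DIS;T-0001;DICBERCLS;*
Z_BPO_CONFIG;S_TABU_DIS;T-0002;ACTVT;03
Z_BPO_CONFIG;S_TABU_DIS;T-0002;DICBERCLS;SS
Z_BPO_CONFIG;S_TABU_DIS;T-0002;DICBERCLS;LMDB
Z_BPO_CONFIG;S_TABU_DIS;T-0003;ACTVT;02
Z_BPO_CONFIG;S_TABU_DIS;T-0003;DICBERCLS;SA
"""
AGR_USERS_CSV = """AGR_NAME;UNAME
SAP_BPO_CONFIG;BPOADMIN
Z_BPO_CONFIG;BPOCFG
"""
CHANGE_ACTIVITIES = {"02", "*"}  # 02 = change; '*' = every activity

def load_instances(export):
    """Group S_TABU_DIS field values by (role, instance); only LOW is read, no ranges."""
    inst = defaultdict(lambda: defaultdict(set))
    for row in csv.DictReader(io.StringIO(export), delimiter=";"):
        if row["OBJECT"] == "S_TABU_DIS":
            inst[(row["AGR_NAME"], row["AUTH"])][row["FIELD"]].add(row["LOW"])
    return inst

def find_all_table_change(export):
    """Roles with an instance granting change on every table group (DICBERCLS = *)."""
    flagged = set()
    for (role, _auth), fields in load_instances(export).items():
        if fields["ACTVT"] & CHANGE_ACTIVITIES and "*" in fields["DICBERCLS"]:
            flagged.add(role)
    return sorted(flagged)

def users_on_flagged_roles(auth_export, user_export):
    """Users still assigned to a flagged role, i.e. the PFCG 'Users' tab check."""
    flagged = set(find_all_table_change(auth_export))
    return sorted((r["AGR_NAME"], r["UNAME"])
                  for r in csv.DictReader(io.StringIO(user_export), delimiter=";")
                  if r["AGR_NAME"] in flagged)

if __name__ == "__main__":
    print(find_all_table_change(AGR_1251_CSV))                  # ['SAP_BPO_CONFIG']
    print(users_on_flagged_roles(AGR_1251_CSV, AGR_USERS_CSV))  # [('SAP_BPO_CONFIG', 'BPOADMIN')]
```

In the sample, the standard role is flagged because one instance combines ACTVT 02 with DICBERCLS *, while the Z-copy, whose change activity is limited to a single named group, is not.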
If you would like to know whether your Solution Manager leaves a security hole in your landscape, or are interested in SAP cybersecurity, get in touch by e-mail: email@example.com, or call +1 408 641 4307 or +27 11 083 9828 (African SAP users).