Skip to main content
Blog

Risk assessment of SAP Security Notes

By 27 September 2021No Comments

It is not only the CVSS Base Score that determines risk

Risk assessment of SAP Security Notes

This month’s Security Notes release counted 7 HotNews Notes, something that is quite rare. How should SAP Customers interpret the risk that these vulnerabilities pose?

CVSS Base Vector and Base Score

Nearly every SAP Security Note have a CVSS V3.0 Base Score and Base vector. These are determined by specifying the various aspects of the possible exploitation of a vulnerability. See for instance the CVSS V3 calculator of NIST. By selecting the Base Score metrics, both the Base Score and Base vector are calculated.

In some rare cases, a maximum value of 10.0 for a CVSS Base score may exist. In the SAP Security Notes of September 2021, OSS Note 3078609 had a CVSS value of 10.0. This is the corresponding CVSS Base vector of that OSS Note:

1-Risk assessment of SAP Security Notes

As Risk is defined as the combination of the probability of an event (Exploitability) and its consequence (Impact), the CVSS metric considers both metrics. Depending on the values of these Metrics, a Risk value is calculated in a range from 0 – 10.

CVSS Base Score vs. SAP priority

SAP Security Notes also have a priority assigned. The relation between CVSS Base score and priority is:

CVSS Base ScoreSAP Priority
0 – 4Low
4 – 7Medium
7 – 9High
> 9HotNews

Determining the effective risk for your own SAP Landscape

When determining the Risk posed by a missing SAP security note for your own SAP landscape, there are some additional factors to consider:

1. Which software component contains the corrections for the SAP Security Note?

For ABAP based SAP systems: if the corrections are part of the NetWeaver components like SAP_BASIS, SAP_ABAP, ST-PI, SAP_BW etc., then the vulnerability can be exploited on all SAP ABAP NetWeaver based systems. For hackers, it would be very attractive to create and use an exploit for this type of vulnerability, because you can apply it to a large range of targets.

The same holds for Java Core components BASETABLES, J2EEFRMW, ENGINEAPI, SERVERCORE, CORETOOLS, J2EEAPPS* in the SAP Java systems.

2. Which main versions does the security Note apply to?

If an SAP Security Note is only valid for 1 specific main SAP version, then it has a lower risk than when it is valid for all main SAP versions. Again, hackers would prefer to exploit vulnerabilities that apply to the largest range of targets.

3. Is there an exploit available for the vulnerability?

If there is an exploit available, the risk of exploitation increases substantially. This is part of the CVSS Temporal Score metrics, that are implicitly considered for the SAP Security Notes.

4. Does the vulnerability enable command injection or SQL injection?

For hackers, these types of vulnerabilities are easy to exploit and has maximum results. It is like a shortcut to maximum control of an SAP system.

5. Is the vulnerability remediation complex or does it depend on manual actions?

If the remediation for a vulnerability is complex or depends on manual actions, for example, the maintenance of a white- or black-list, chances are high that SAP customers will not implement the Note or make errors during implementation. Again, this might entice hackers to exploit the vulnerability.

6. Are the CVSS metric values set correctly?

The people at SAP that create the SAP Security Notes do not always assign the values to the CVSS Metrics in a consistent manner. Compare for example OSS Note 2453642 – SQL Injection vulnerability in SAP NetWeaver with the recent OSS Note 3089831 – [CVE-2021-38176] SQL Injection vulnerability in SAP NZDT Mapping Table Framework. Both OSS Notes contain a vulnerability in function module(s) that enables SQL injection, yet the CVSS Base vectors of the OSS Notes look completely different.  For OSS Note 2453642, this results in a Base Score of only 4.7, while Note 3089831 has the highest possible score of 10.0.

Protect4S Risk metric

Besides showing the CVSS V3 Base Score and Base Metric of the SAP Security Note, Protect4S also considers the 6 extra factors mentioned when assigning Likelihood and Impact values that determine the final Risk value of a vulnerability.

This results in a realistic Risk value that our customers use to select those vulnerabilities most suited for remediation and mitigation.

Why not try out our Vulnerability Management solution on your own SAP systems for free?