2011 Apr 18 10:02 AM
Dear Forum,
Is it possible to take advantage of exploits in installed components although they're not in use? I mean, when patching SAP Security Notes, does it make sense to patch components which are installed but not in use?
Rough example:
We have a system with 10 components (according to SPAM status); only 7 of these modules are actively used. Should all 10 receive applicable SAP Security Notes, or would it be enough to patch the ones in use?
I hope someone is able to elaborate on this.
Thanks in advance guys,
Kind Regards,
Soren
2011 Apr 18 11:33 AM
Hi,
I would say yes. The problem is that a malicious user can still try to exploit a vulnerability in a non-used module. For example, a power user (e.g. a developer) with access to a wider range of transactions can try to exploit the issue and escalate his privileges.
Cheers
2011 Apr 18 11:49 AM
Hi Martin,
First off, thanks for your input!
I had a suspicion this was possible. If you (or anyone else) has an example (not with deep detail of course, we don't want to encourage anyone to test it..) or a scenario where this would be possible, let me know. I need more ammo for my arguments, hence I want to patch everything, but I also need something to back up my theory. So an example would be awesome.
Thanks
Kind Regards,
Soren
2011 Apr 19 12:35 AM
Hi,
For example, reading a file. Let's say there is a bug in a program which allows a malicious user to read any file on the application server. Obviously, you want to patch this even though that program is not used by normal users. Another example is missing authorization checks for a table view. You can have proper authorizations assigned for S_TABU_DIS, but if a malicious user can trick a program without an authorization check into displaying data from any table, then you have a problem. A real example could be the issues fixed in note 1558740. Even if you don't use IS-U, those FMs are still in your system.
Don't forget that it's good to have multiple layers of protection. So you keep authorizations tight but still you patch all security issues.
Cheers
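To make the conclusion of this thread concrete, here is an added example (not posted by anyone in the thread and not an SAP tool): a small Python triage script that decides which security notes are outstanding based on what is installed and at which support-package level, ignoring whether the component is in use. The component inventory, SP levels and note numbers are constructed placeholders, not real SPAM output or real SAP note numbers.

```python
# Added example: outstanding security notes are driven by what is *installed*
# (SPAM status) and its SP level, never by whether the component is in use.
# All data below is constructed for illustration.

# Constructed inventory modelled on SPAM status:
# (software component, support-package level, actively used?)
INSTALLED = [
    ("SAP_BASIS", 20, True),
    ("SAP_ABA", 20, True),
    ("IS-U", 12, False),    # installed, but nobody uses the utilities solution
    ("FI-CA", 12, False),
]

# Constructed security notes: affected component and the lowest SP level that
# already contains the correction. Note ids are placeholders, not SAP notes.
NOTES = [
    {"note": "NOTE-A", "component": "SAP_BASIS", "fixed_in_sp": 21},
    {"note": "NOTE-B", "component": "IS-U", "fixed_in_sp": 13},
    {"note": "NOTE-C", "component": "FI-CA", "fixed_in_sp": 10},   # already covered
    {"note": "NOTE-D", "component": "CRM", "fixed_in_sp": 5},      # not installed
]


def outstanding_notes(installed, notes):
    """Return notes whose component is installed below the fixing SP level.
    The usage flag is carried along so a reviewer can see which notes a
    'patch only what we use' policy would leave open."""
    by_component = {name: (sp, used) for name, sp, used in installed}
    result = []
    for n in notes:
        entry = by_component.get(n["component"])
        if entry is None:
            continue  # component not installed: the affected code is not on the box
        sp, used = entry
        if sp < n["fixed_in_sp"]:
            result.append({"note": n["note"], "component": n["component"],
                           "in_use": used})
    return result


def skipped_by_in_use_policy(installed, notes):
    """Notes that stay open if only actively used components get patched."""
    return [r["note"] for r in outstanding_notes(installed, notes)
            if not r["in_use"]]


if __name__ == "__main__":
    for r in outstanding_notes(INSTALLED, NOTES):
        print(r)
    print("left open by an in-use-only policy:",
          skipped_by_in_use_policy(INSTALLED, NOTES))
```

In the constructed data, the IS-U note stays open under an in-use-only policy even though the affected function modules are present on the system, which is exactly the gap the thread warns about.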
2011 Apr 19 7:20 AM
Hi Martin,
Thanks for the examples, now I am not in doubt that we need to add security notes / patches to all installed components although not in use.
Have a nice day
Kind Regards,
Soren