Where the Risk from the Whole Is Greater than the Sum of Its Parts
On April 11, 2023, as part of its regular cadence of security patches, SAP released the patch for another security vulnerability identified by Pablo Artuso of Onapsis Research Labs, CVE-2023-28761. It may seem like business as usual in terms of security patches, but let me explain why I believe it is not.
All vulnerabilities are important, and organizations use different mechanisms to define the response time for applying the security patches that address them. While a more comprehensive approach such as SSVC (Stakeholder-Specific Vulnerability Categorization) is useful, in most cases CVSS is the most important driver of the response time.
CVE-2023-28761 itself has a CVSS v3 rating of 6.5, which maps to a MEDIUM criticality*, and organizations tend to patch these medium vulnerabilities with a lesser sense of urgency. However, here’s where it gets more interesting: this vulnerability can be exploited by remote unauthenticated attackers to ultimately abuse another set of more critical vulnerabilities that were already patched by SAP:
| Vulnerability Details | CVSS | CVE | Security Note |
| --- | --- | --- | --- |
| SQL Injection and DoS in SearchFacade P4 Service | 9.9 | CVE-2022-41272 | 3273480 |
| DoS and OS File Arbitrary read in locking P4 Service | 9.9 | CVE-2023-23857 | 3252433 |
| RFC execution and Plain password leak in rfcengine P4 Service | 9.4 | CVE-2023-0017 | 3268093 |
| SQL Injection and DoS in JobBean P4 service | 9.4 | CVE-2022-41271 | 3267780 |
| Information Disclosure in Cache P4 service | 5.3 | CVE-2023-26460 | 3288096 |
| Information Disclosure in Classload P4 service | 5.3 | CVE-2023-24526 | 3288394 |
| Information Disclosure in Object Analyzing P4 service | 5.3 | CVE-2023-27268 | 3288480 |
All in all, vulnerabilities that may not have been Internet-accessible on their own can be exploited by an attacker who leverages a vulnerability with a medium severity rating, ultimately turning the whole group of vulnerabilities into:
- Remotely exploitable
- Accessible through the HTTP protocol (potentially over Internet)
- A source of elevated, critical impact to the system
Combining vulnerabilities (and, more importantly, exploits) is known as exploit chaining and is not a new tactic for sophisticated threat actors. Onapsis Research Labs has frequently reported its observations of attackers using various vulnerabilities to achieve different objectives, with the ultimate goal of compromising business data.
Because of the significant opportunity for a threat actor to chain this family of vulnerabilities together to achieve a broader, more critical impact, Onapsis Research Labs collectively refers to them as “P4CHAINS,” which includes all of the CVEs mentioned above in this blog post.
Next Steps to Protect Against P4CHAINS
The fact that an attacker could chain these vulnerabilities to achieve a deeper level of compromise of business applications highlights the need for continued vigilance over vulnerabilities and their corresponding Security Notes as they are released, to guide response on a month-by-month basis. In isolation, the impact of CVE-2023-28761 is low, but the risk is higher because of the possibility of combining and chaining this vulnerability with the larger P4CHAINS family.
If nothing else, P4CHAINS more importantly (and more simply) highlights that:
- It is important to apply patches
- It is important to apply patches timely
- It is important to apply patches timely across all applications
In many cases, the CVSS rating of vulnerabilities is a useful metric. However, bear in mind that these ratings are not absolute guideposts, and it is critical for organizations to have access to timely threat intelligence to better understand what is being exploited, what types of risks should be addressed with a higher priority than usual, and, ultimately, how to best prioritize your team’s precious time and workload. Otherwise, we end up with a risk from the whole that is significantly greater than the sum of its parts.
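The prioritization argument made above (a MEDIUM entry point that exposes CRITICAL vulnerabilities should not be patched with MEDIUM urgency) can be expressed as a small chain-aware scoring model. The following is an added example, not Onapsis code or any SAP tooling. The CVE numbers, CVSS scores and Security Notes come from the table in this post, and the single chain edge (CVE-2023-28761 exposes the seven P4 service vulnerabilities) is what the post states; the `entry_point` flag on the seven P4 service vulnerabilities is set to False as an assumption for the example, and no Security Note is given for CVE-2023-28761 because the post does not list one.

```python
"""Chain-aware patch prioritisation (added example, not Onapsis or SAP code)."""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Vuln:
    cve: str
    cvss: float          # published CVSS v3 base score
    entry_point: bool    # exploitable by a remote, unauthenticated attacker on its own
    note: str            # SAP Security Note, "" if not listed in the post


def severity_band(score: float) -> str:
    """CVSS v3 qualitative rating scale as published by FIRST."""
    if score == 0.0:
        return "NONE"
    if score < 4.0:
        return "LOW"
    if score < 7.0:
        return "MEDIUM"
    if score < 9.0:
        return "HIGH"
    return "CRITICAL"


# Scores, CVEs and Security Notes from the post's table. entry_point is True for
# CVE-2023-28761 because the post says remote unauthenticated attackers can reach it;
# for the seven P4 service vulnerabilities it is False as an assumption of this example.
VULNS: Dict[str, Vuln] = {v.cve: v for v in [
    Vuln("CVE-2023-28761", 6.5, True, ""),          # no Security Note given in the post
    Vuln("CVE-2022-41272", 9.9, False, "3273480"),  # SearchFacade P4 service
    Vuln("CVE-2023-23857", 9.9, False, "3252433"),  # locking P4 service
    Vuln("CVE-2023-0017", 9.4, False, "3268093"),   # rfcengine P4 service
    Vuln("CVE-2022-41271", 9.4, False, "3267780"),  # JobBean P4 service
    Vuln("CVE-2023-26460", 5.3, False, "3288096"),  # Cache P4 service
    Vuln("CVE-2023-24526", 5.3, False, "3288394"),  # Classload P4 service
    Vuln("CVE-2023-27268", 5.3, False, "3288480"),  # Object Analyzing P4 service
]}

# Directed edges "A exposes B", as stated in the post for P4CHAINS.
CHAIN: Dict[str, List[str]] = {
    "CVE-2023-28761": [
        "CVE-2022-41272", "CVE-2023-23857", "CVE-2023-0017", "CVE-2022-41271",
        "CVE-2023-26460", "CVE-2023-24526", "CVE-2023-27268",
    ],
}


def reachable(cve: str, chain: Dict[str, List[str]]) -> Set[str]:
    """Transitive closure of the 'exposes' relation from cve (cve itself excluded)."""
    seen: Set[str] = set()
    stack = list(chain.get(cve, []))
    while stack:                      # iterative DFS; the seen-set also guards against cycles
        nxt = stack.pop()
        if nxt in seen:
            continue
        seen.add(nxt)
        stack.extend(chain.get(nxt, []))
    return seen


def effective_score(cve: str, vulns: Dict[str, Vuln], chain: Dict[str, List[str]]) -> float:
    """Highest CVSS score an attacker with a foothold at cve can reach through the chain."""
    scores = [vulns[cve].cvss] + [vulns[r].cvss for r in reachable(cve, chain) if r in vulns]
    return max(scores)


def prioritize(vulns: Dict[str, Vuln], chain: Dict[str, List[str]]) -> List[dict]:
    """Patch order: highest reachable impact first; among equals, the remote entry point first."""
    rows = []
    for v in vulns.values():
        eff = effective_score(v.cve, vulns, chain)
        rows.append({
            "cve": v.cve, "note": v.note, "entry_point": v.entry_point,
            "own": v.cvss, "own_band": severity_band(v.cvss),
            "effective": eff, "effective_band": severity_band(eff),
        })
    rows.sort(key=lambda r: (-r["effective"], not r["entry_point"], -r["own"]))
    return rows


if __name__ == "__main__":
    for r in prioritize(VULNS, CHAIN):
        print(f'{r["cve"]:<15} own={r["own"]:>4} ({r["own_band"]:<8}) '
              f'effective={r["effective"]:>4} ({r["effective_band"]:<8}) '
              f'entry_point={r["entry_point"]} note={r["note"] or "-"}')
```

Run as a script, the table sorts CVE-2023-28761 to the top: its own score stays 6.5 (MEDIUM), but its effective score is 9.9 (CRITICAL) because every P4 service vulnerability is reachable from it. That is the gap a CVSS-only SLA misses; the same model extends to any other entry-point relationships a team learns about from threat intelligence by adding edges to `CHAIN`.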