P4CHAINS Vulnerabilities

Where the Risk from the Whole Is Greater than the Sum of Its Parts

On April 11, 2023, as part of the regular cadence of security patches, SAP released the patch for another security vulnerability identified by Pablo Artuso, part of Onapsis Research Labs, CVE-2023-28761. It may seem like business as usual in terms of security patches but let me explain why I believe it is not.

All vulnerabilities are important, and many organizations use different mechanisms to define the response time to apply security patches to address those vulnerabilities. While a more comprehensive approach such as SSVC is useful, in most cases, CVSS is the most important driver of the response time.

CVE-2023-28761 itself has a CVSS v3 rating of 6.5, which maps to a MEDIUM criticality*, and organizations tend to patch these medium vulnerabilities with a lesser sense of urgency. However, here’s where it gets more interesting: this vulnerability can be exploited by remote unauthenticated attackers to ultimately abuse another set of more critical vulnerabilities that were already patched by SAP:

Vulnerability Details	CVSS	CVE	Security Note
SQL Injection and DoS in SearchFacade P4 Service	9.9	CVE-2022-41272	3273480
DoS and OS File Arbitrary read in locking P4 Service	9.9	CVE-2023-23857	3252433
RFC execution and Plain password leak in rfcengine P4 Service	9.4	CVE-2023-0017	3268093
SQL Injection and DoS in JobBean P4 service	9.4	CVE-2022-41271	3267780
Information Disclosure in Cache P4 service	5.3	CVE-2023-26460	3288096
Information Disclosure in Classload P4 service	5.3	CVE-2023-24526	3288394
Information Disclosure in Object Analyzing P4 service	5.3	CVE-2023-27268	3288480

So all in all, vulnerabilities that may have not been Internet-accessible, per se, might be exploited by an attacker, leveraging a vulnerability with a medium severity rating, ultimately turning the whole group of vulnerabilities into:

Remotely exploitable
Unauthenticated
Accessible through the HTTP protocol (potentially over Internet)
An elevated, critical impact to the system

Vulnerability Chaining

The action of combining vulnerabilities (but more importantly exploits) is known as exploit chaining and is not a new tactic for sophisticated threat actors. Frequently, in the past, the Onapsis Research Labs has reported our observations of attackers using various vulnerabilities to achieve different objectives with the ultimate goal of compromising the business data.

Because of the significant opportunity for a threat actor to chain together this family of vulnerabilities to ultimately achieve broader, more critical impact, the Onapsis Research Labs is collectively referring to this family of CVE(s) as “P4CHAINS,” which includes all of the CVE(s) that were aforementioned in this blogpost.

Next Steps to Protect Against P4CHAINS

The fact that exploit chaining these vulnerabilities is highly possible by an attacker to achieve a deeper level of compromise of business applications highlights the need for continued vigilance of vulnerabilities and their corresponding Security Notes, when released, to guide response on a month-by-month basis. In isolation, the impact from CVE-2023-28761 is low, but the potential for risk to elevate is higher due to the possibility of combining and chaining this vulnerability with the larger P4CHAINS family.

If nothing else, P4CHAINS more importantly (and more simply) highlights

It is important to apply patches
It is important to apply patches timely
It is important to apply patches timely across all applications

In many cases, the CVSS rating of vulnerabilities is a useful metric. However, bear in mind that these ratings are not absolute guideposts, and it is critical for organizations to have access to timely threat intelligence to better understand what is being exploited, what types of risks should be addressed with a higher priority than usual, and, ultimately, how to best prioritize your team’s precious time and workload. Otherwise, we end up with a risk from the whole that is significantly greater than the sum of its parts.