
Where the Risk from the Whole Is Greater than the Sum of Its Parts
On April 11, 2023, as part of the regular cadence of security patches, SAP released the patch for another security vulnerability identified by Pablo Artuso, part of Onapsis Research Labs, CVE-2023-28761. It may seem like business as usual in terms of security patches but let me explain why I believe it is not.
All vulnerabilities are important, and many organizations use different mechanisms to define the response time to apply security patches to address those vulnerabilities. While a more comprehensive approach such as SSVC is useful, in most cases, CVSS is the most important driver of the response time.
CVE-2023-28761 itself has a CVSS v3 rating of 6.5, which maps to a MEDIUM criticality*, and organizations tend to patch these medium vulnerabilities with a lesser sense of urgency. However, here’s where it gets more interesting: this vulnerability can be exploited by remote unauthenticated attackers to ultimately abuse another set of more critical vulnerabilities that were already patched by SAP:
| Vulnerability Details | CVSS | CVE | Security Note |
|---|---|---|---|
| SQL Injection and DoS in SearchFacade P4 Service | 9.9 | CVE-2022-41272 | 3273480 |
| DoS and OS File Arbitrary read in locking P4 Service | 9.9 | CVE-2023-23857 | 3252433 |
| RFC execution and Plain password leak in rfcengine P4 Service | 9.4 | CVE-2023-0017 | 3268093 |
| SQL Injection and DoS in JobBean P4 service | 9.4 | CVE-2022-41271 | 3267780 |
| Information Disclosure in Cache P4 service | 5.3 | CVE-2023-26460 | 3288096 |
| Information Disclosure in Classload P4 service | 5.3 | CVE-2023-24526 | 3288394 |
| Information Disclosure in Object Analyzing P4 service | 5.3 | CVE-2023-27268 | 3288480 |
So, all in all, vulnerabilities that may not have been Internet-accessible on their own might be exploited by an attacker who first leverages a vulnerability with a medium severity rating, ultimately turning the whole group of vulnerabilities into:
- Remotely exploitable
- Unauthenticated
- Accessible through the HTTP protocol (potentially over Internet)
- An elevated, critical impact to the system
Vulnerability Chaining
The act of combining vulnerabilities (and, more importantly, exploits) is known as exploit chaining, and it is not a new tactic for sophisticated threat actors. In the past, the Onapsis Research Labs has frequently reported observations of attackers using various vulnerabilities to achieve different objectives, with the ultimate goal of compromising business data.
Because of the significant opportunity for a threat actor to chain this family of vulnerabilities together and ultimately achieve a broader, more critical impact, the Onapsis Research Labs collectively refers to this family of CVEs as “P4CHAINS,” which includes all of the CVEs mentioned above in this blog post.
Next Steps to Protect Against P4CHAINS
The fact that an attacker can realistically chain these vulnerabilities to achieve a deeper level of compromise of business applications highlights the need for continued vigilance regarding vulnerabilities and their corresponding Security Notes when they are released, so that they can guide the response on a month-by-month basis. In isolation, the impact of CVE-2023-28761 is low, but the potential for the risk to escalate is higher because this vulnerability can be combined and chained with the larger P4CHAINS family.
If nothing else, P4CHAINS more importantly (and more simply) highlights that:
- It is important to apply patches
- It is important to apply patches timely
- It is important to apply patches timely across all applications
In many cases, the CVSS rating of vulnerabilities is a useful metric. However, bear in mind that these ratings are not absolute guideposts, and it is critical for organizations to have access to timely threat intelligence to better understand what is being exploited, what types of risks should be addressed with a higher priority than usual, and, ultimately, how to best prioritize your team’s precious time and workload. Otherwise, we end up with a risk from the whole that is significantly greater than the sum of its parts.
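As an added illustration of the prioritization point above (not code from Onapsis or from the blog post), the following Python re-ranks the P4CHAINS findings once chaining is taken into account. The CVE identifiers and CVSS scores are the ones in the table; the Internet-reachability flags and the "unlocks" relation are assumptions that model the post's claim that CVE-2023-28761 gives a remote, unauthenticated path to the otherwise internal P4 services.

```python
from dataclasses import dataclass, field

@dataclass
class Finding:
    cve: str
    cvss: float                 # base score as published (from the table above)
    internet_reachable: bool    # constructed assumption for this example, not a CVSS field
    unlocks: list = field(default_factory=list)  # CVEs reachable once this one is exploited

# Constructed model of the P4CHAINS family: the entry vulnerability is assumed
# Internet-reachable; the P4 service vulnerabilities are assumed internal-only.
P4_SERVICE_CVES = ["CVE-2022-41272", "CVE-2023-23857", "CVE-2023-0017",
                   "CVE-2022-41271", "CVE-2023-26460", "CVE-2023-24526", "CVE-2023-27268"]
P4CHAINS = [
    Finding("CVE-2023-28761", 6.5, True, unlocks=list(P4_SERVICE_CVES)),
    Finding("CVE-2022-41272", 9.9, False),
    Finding("CVE-2023-23857", 9.9, False),
    Finding("CVE-2023-0017", 9.4, False),
    Finding("CVE-2022-41271", 9.4, False),
    Finding("CVE-2023-26460", 5.3, False),
    Finding("CVE-2023-24526", 5.3, False),
    Finding("CVE-2023-27268", 5.3, False),
]

def chain_exposure(findings):
    """Map each CVE to (worst score reachable through it, sorted list of CVEs it exposes).
    Only Internet-reachable findings act as an entry point; transitive unlocks are followed."""
    by_cve = {f.cve: f for f in findings}
    result = {}
    for f in findings:
        reachable, stack = set(), (list(f.unlocks) if f.internet_reachable else [])
        while stack:
            cve = stack.pop()
            if cve in reachable:
                continue
            reachable.add(cve)
            stack.extend(by_cve[cve].unlocks)
        worst = max([f.cvss] + [by_cve[c].cvss for c in reachable])
        result[f.cve] = (worst, sorted(reachable))
    return result

def cvss_only_order(findings):
    """Patch order a plain CVSS-driven policy would produce."""
    return [f.cve for f in sorted(findings, key=lambda f: -f.cvss)]

def chain_aware_order(findings):
    """Patch order when the worst reachable impact and the number of unlocked CVEs count first."""
    exp = chain_exposure(findings)
    key = lambda f: (-exp[f.cve][0], -len(exp[f.cve][1]), -f.cvss)
    return [f.cve for f in sorted(findings, key=key)]
```

Under the CVSS-only policy the 6.5 entry vulnerability lands fifth in the queue; under the chain-aware policy it moves to the top because everything it unlocks is effectively 9.9.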
Source: Onapsis-Blog