SAP Patch Day: August 2023

New HotNews Note for SAP PowerDesigner and Important Update on July HotNews Note

Highlights of August SAP Security Notes analysis include:

• August Summary – Twenty new and updated SAP security patches released, including two HotNews Notes and eight High Priority Notes
• Updated HotNews Note requires Special Attention – Ignoring guidance can lead to system inconsistencies
• Onapsis Research Labs Contribution – Our team supported SAP in patching three vulnerabilities

SAP has published twenty new and updated Security Notes on its August Patch Day (including the notes that were released or updated since last Patch Tuesday). This includes two HotNews Notes and eight High Priority Notes.

The Onapsis Research Labs contributed to patching three vulnerabilities, affecting SAP Message Server, SAP NetWeaver AS ABAP and ABAP Platform, and SAP Host Agent.

Important HotNews Note Update

SAP Security Note #3350297, tagged with a CVSS score of 9.1, was initially released on SAP’s July Patch Day. It patches an OS Command Injection vulnerability in IS-OIL. The update was released on July 25th and contains a serious warning. It explains that IS-OIL is installed on almost all SAP systems, but this doesn’t mean that this industry solution is also enabled on the system. A system is only vulnerable to the OS Command Injection if the two switches OIB_QCI and OI0_COMMON_2 are activated. Therefore, there is no need to implement the HotNews Note if this condition is not true and the real message of the note update is:

“Do not activate IS-OIL or any Business Function or Switch related to it just to implement SAP Note #3350297. Most IS-OIL switches are not reversible and may cause damage to systems that are not IS-OIL relevant.”

The OS Command Injection vulnerability exists because an IS-OIL report allows user inputs to be provided to the vulnerable function module. Since this function module is not RFC-enabled and because the report will dump without IS-OIL being activated, the vulnerability cannot be exploited without IS-OIL and the two switches being enabled.

High Priority Note #3331376, tagged with a CVSS score of 8.7, was also updated since last Patch Day. SAP has added additional information to the “Correction Instructions” section.

New HotNews Note for SAP PowerDesigner

The only new HotNews Note is SAP Security Note #3341460 which is tagged with a CVSS score of 9.8. This note patches two vulnerabilities in SAP PowerDesigner.  It  affects customers who have the SAP PowerDesigner Client connecting to the shared model repository through a SAP PowerDesigner Proxy. An Improper Access Control vulnerability might allow an unauthenticated attacker to run arbitrary queries against the back end database via proxy. This vulnerability is tracked under CVE-2023-37483 and the only thing that prevents the vulnerability from being rated with the maximum CVSS score of 10 is that the scope keeps unchanged during a successful exploit.The note also patches an Information Disclosure vulnerability that is tagged with a CVSS score of 5.3. It allows an attacker to access password hashes from the client’s memory. SAP points out that patching requires updating the SAP PowerDesigner Client and the Proxy to the same new version. A mixture of two versions could cause serious problems.

The High Priority Notes in Detail

Although, SAP Security Note #3344295 is not tagged with the highest CVSS score of all new High Priority Notes, it might affect the majority of SAP customers since it is related to the SAP Message Server. The Onapsis Research Labs (ORL) detected an Improper Authorization Check vulnerability in SAP Message Server allowing an authenticated attacker to enter the network of the SAP systems served by the attacked SAP Message server. The vulnerability is tagged with a CVSS score of 7.5 and may lead to unauthorized read and write of data as well as rendering the system unavailable. Fortunately, a successful exploit is only possible under the following conditions:

• The SAP Message Server is only protected by an ACL.
• The profile parameter system/secure_communication is set to OFF.
• The internal port of the SAP Message Server is not protected.
• The trace level of the SAP Message Server is of value 2 or higher.
• The ACL file contains an IP address.

SAP Commerce Cloud customers are affected by SAP Security Note #3346500, tagged with a CVSS score of 8.8. This note patches an Improper Authentication vulnerability that allows the creation of new users with empty passphrases. The patch sets the default value of the responsible configuration property „user.password.acceptEmpty“ to “false”.

SAP PowerDesigner is also affected by HighPriority Note #3341599.. The patched Code Injection vulnerability is tagged with a CVSS score of 7.8 and allows an attacker with local access to the system to place a malicious library that can be executed by the application. After a successful exploit, attackers can control the behavior of the application. This only affects customers who are using a bundle of SAP SQL Analyzer for PowerDesigner 17 and SAP PowerDesigner 16.7 SP06 PL03.

SAP BusinessObjects and SAP Business One customers are affected by two High Priority Notes each.

SAP Security Note #3317710, tagged with a CVSS score of 7.6, patches a Binary Hijack vulnerability in the SAP BusinessObjects Installer. The vulnerability allows an authenticated attacker within the network to overwrite an executable file created in a temporary directory during the installation process. By replacing this executable with a malicious file, an attacker can completely compromise the confidentiality, integrity, and availability of the system.

SAP Security Note #3312047, tagged with a CVSS score of 7.5, provides a patch for a Denial of Service vulnerability in SAP BusinessObjects Business Intelligence Platform (CMC). The patch includes a newer version of the Apache Commons FileUpload library package that is not affected by CVE-2023-24998.

SAP Security Note #3358300 patches a Cross-Site Scripting vulnerability in SAP Business One. The vulnerability is tagged with a CVSS score of 7.6 and allows an attacker to insert malicious code into the content of a web page or application and get it delivered to the client. This could lead to harmful action affecting the confidentiality, integrity, and availability of the application. The patch adds input validation and an enhanced Content Security Policy (CSP) to the affected application scenario.

SAP Security Note #3337797, tagged with a CVSS score of 7.1, patches an SQL Injection vulnerability in the B1i layer of SAP Business One. Keeping the system unpatched allows an authenticated attacker to send crafted queries over the network to read or modify data.

Further Contribution of the Onapsis Research Labs

In addition to High Priority Note #3344295, the ORL contributed to fixing one Medium Priority and one Low Priority vulnerability.

According to SAP, Security Note #3348000, tagged with a CVSS score of 4.9, patches a Missing Authorization Check vulnerability in SAP NetWeaver AS ABAP and ABAP Platform. A detailed analysis shows that it is more an Improper Authorization Check vulnerability than a Missing Authorization vulnerability. The issue is that the existing authorization check in the affected RFC-enabled function module PFL_READ_FROM_FILE requests a much stronger user authorization than is necessary. This could lead to a privilege escalation since the requested authorization could allow the user to execute other, more critical activities on the system. The patch disables the function module. We therefore recommend checking if it is used in any customer development such as programs that monitor profile parameters. SAP Security Note #3358328, tagged with a CVSS score of 3.7, affects SAP Host Agent. It patches an Information Disclosure vulnerability that is caused by a missing authentication check, allowing an attacker to gather some less sensitive information about the server. SAP recommends upgrading SAP Host Agent to at least version 7.22 PL61 and using one of the supported authentication mechanisms.

Summary & Conclusions

The number of new SAP Security Notes on SAP’s August Patch Day is comparable with the number of last month. The majority of the patched vulnerabilities affect SAP PowerDesigner, SAP BusinessObjects, and SAP Business One. The updated July HotNews Note demonstrates it is critical to pay attention to the exact wording of a Security Note to avoid serious side effects.

As always, the Onapsis Research Labs will update The Onapsis Platform to incorporate the newly published vulnerabilities into the product, so our customers can protect their businesses.

For more information about the latest SAP security issues and our continuous efforts to share knowledge with the security community, view The Defenders Digest–our monthly video recap of ERP security news.

By Thomas Fritsch

Source: Onapsis-Blog

Sie haben Fragen? Ihr Ansprechpartner für D/A/CH

Do you have any questions? Your contact person for D/A/CH

Thomas Fritsch, Onapsis