SAP Patch Day: March 2023

Critical Vulnerabilities patched in SAP NetWeaver AS ABAP / Java and in SAP BusinessObjects

Highlights of March SAP Security Notes analysis include:

• March Summary—Twenty-one new and updated SAP security patches released, including six HotNews Notes and four High Priority Notes
• Critical Patches affect all SAP Customers—Three new HotNews Notes for SAP Netweaver AS ABAP and JAVA
• Onapsis Research Labs Contribution—Our team supported SAP in patching fifteen vulnerabilities, covered by twelve SAP Security Notes

SAP has released twenty-one SAP Security Notes on its March Patch Day, including six HotNews Note and four High Priority Notes.

The Onapsis Research Labs contributed to patching fifteen vulnerabilities, covered by twelve of the nineteen new SAP Security Notes.

Two SAP Security Notes include minor updates of notes that were originally released in December 2022 and February 2023.

SAP Security Note #3273480, tagged with a CVSS score of 9.9, was the first patch fixing a series of Improper Access Control vulnerabilities in SAP NetWeaver AS Java that were detected by the Onapsis Research Labs. The solution was initially released on SAP’s December Patch Day and caused some side effects on the alerting and monitoring capabilities of SAP NW AS Java. The latest update of the note refers to two additional notes fixing these side effects.

SAP Security Note #3273480, tagged with a CVSS score of 6.1, was initially released in February and patches a Cross-Site Scripting vulnerability in the BSP framework of SAP NW AS ABAP. The update contains only minor text changes and customers do not need to take additional action if the note has already been applied to the affected systems.

The HotNews Notes in Detail

Two of the five new HotNews Notes affect SAP Business Objects(SAP BO) Intelligence Platform. SAP Security Note #3245526, tagged with a CVSS score of 9.9, patches a vulnerability in the Central Management Console (CMC) that allows an attacker to inject arbitrary code with a strong negative impact on integrity, confidentiality, and availability of the system.

SAP Security Note #3283438 is tagged with a slightly lower CVSS score of 9.0 but that doesn’t mean it’s less critical. The lower CSS rating is due to the fact that a successful exploit requires interaction with another user. The note patches an OS Command Execution vulnerability in SAP BO Adaptive Job Server, allowing the execution of arbitrary OS commands over the network. The vulnerability only affects SAP BO installations on UNIX platforms.

Another two HotNews Notes, released in contribution with the Onapsis Research Labs (ORL) and are tagged with a CVSS score of 9.6 and patch critical Directory Traversal vulnerabilities in SAP NetWeaver AS ABAP.

SAP Security Note #3302162 disables the program SAPRSBRO used by SAP services to configure the system for industry specific texts. The patch no longer allows attackers with non-administrative authorizations to overwrite arbitrary critical OS files.

SAP Security Note #3294595 patches a similar vulnerability in other services of an SAP NetWeaver AS ABAP. This vulnerability was caused by the include program RSPOXTAB that allows access to files that are not assigned to a logical file name in the system. SAP previously resolved the issue in January via the correction note #1512430 (not a Security Note) by patching the consumers of this include program. However, the solution provided with SAP Security Note #3294595 is more secure since it directly fixes the include and thus automatically protects current as well as future customers. The fifth new HotNews patches another critical Improper Access Control vulnerability in SAP NetWeaver AS Java. SAP Security Note #3252433, tagged with a CVSS score of 9.9, patches the Locking Service of the AS Java, which is responsible for requesting the locks at the Enqueue Service. The vulnerability allows an unauthenticated attacker to attach to an open interface and make use of an open naming and directory API to access services. These services can be used to perform unauthorized operations and affect users and services across systems.

The High Priority Notes in Detail

All four High Priority Notes were released in collaboration with the ORL and they patch seven vulnerabilities in total.

SAP Security Note #3296476, tagged with a CVSS score of 8.8, patches Remote Code Execution vulnerabilities in several remote-enabled function modules. These function modules are used by SAP’s Active Global Support to evaluate custom code and allow the dynamic call of arbitrary local function modules as long as their interface fulfills specific conditions. Attackers only require the appropriate S_RFC authorization, either on one of the function modules or on the complete function group. The vulnerable function group is shipped with the ST-PI Add-On and thus affects SolutionManager systems and the connected ABAP managed systems.

SAP Security Note #3294954, tagged with a CVSS score of 8.7, patches a Directory Traversal vulnerability in a remote-enabled function module of SAP NetWeaver AS ABAP. A successful exploit enables an attacker to delete arbitrary files at the OS level and make the system unavailable. The problem exists because an import parameter of the function module accepts relative file path expressions and does not check the parameter value appropriately.

SAP Security Note #3296346 patches a Server Side Request Forgery vulnerability, tagged with a CVSS score of 7.4 and a Denial of Service vulnerability, tagged with a CVSS score of 6.5. Improper input controls allow an attacker who is authenticated as a non-administrative user to craft a request which triggers the application server to send a request to an arbitrary url. This url could be used to reveal, modify, or make non-sensitive information unavailable, leading to low impact on confidentiality, integrity, and availability. The affected ABAP class also suffers from several vulnerabilities in error handling. This allows an attacker to craft a request with certain parameters that consume the server’s resources and make it unavailable. Since the class is not used anymore by SAP, the patch withdraws the implementation of the affected class.

SAP Security Note #3275727 patches a Memory Corruption vulnerability in the SAPOSCOL executable that is tagged with a CVSS score of 7.2. An unauthenticated attacker with network access to a server port assigned to the SAP Start Service can submit a crafted request and cause a memory corruption error. This error can be used to read technical information about the server. It can also make a particular service temporarily unavailable.

Further Contribution of the Onapsis Research Labs

In addition to three HotNews Notes and four High Priority Notes, the ORL contributed to fixing five Medium Priority vulnerabilities.

SAP Security Note #3284550, tagged with a CVSS score of 6.8, patches an XML External Entity vulnerability in SAP Enterprise Portal. A missing validation check in the XML parser allows attackers with privileges to access the parser, submit crafted XML files, and gain read access to sensitive data.

SAP Security Note #3296328 withdraws the implementation of another class (refer to SAP Security Note #3296346). The class allowed an attacker to consume sufficient system resources via specially crafted requests to make the system unavailable.

The series of Improper Access Control vulnerabilities in SAP NetWeaver AS Java detected by the ORL is extended by three SAP Security Notes, all tagged with a CVSS score of 5.3. Each note patches a specific service with missing or insufficient authentication and authorization checks. This allows attackers to make use of an open naming and directory API to access a service which enables them to read sensitive server settings that could be used for subsequent attacks. The Security Notes and the patched services are:

Summary & Conclusions

The number of new SAP Security Notes on SAP’s March Patch Day is comparable with the number of last month. The patched vulnerabilities have shown once more that input validation and proper authentication and authorization checks are key to protect applications. Another lesson learned of this Patch Day: Cleanup unused code as it often contains unrecognized security issues.

As always, the Onapsis Research Labs is updating The Onapsis Platform to incorporate the newly published vulnerabilities into the product, so our customers can protect their businesses.

Source: Onapsis-Blog