Critical Vulnerabilities in SAP Diagnostics Agent Pose Risk To SAP Systems
Highlights of April SAP Security Notes analysis include:
- April Summary – Twenty-four new and updated SAP security patches released, including five HotNews Notes and one High Priority Note.
- SAP Diagnostics Agent in Focus – Two critical vulnerabilities pose risk to entire system landscape
- Onapsis Research Labs Collaboration – Onapsis Research Labs contributed in fixing eight vulnerabilities, covered by seven SAP Security Notes. This includes two HotNews vulnerabilities in SAP Diagnostics Agent and one High Priority Note affecting the BI Content AddOn (BI_CONT).
- Medium Criticality Vulnerability with a Potentially Larger Effect – It’s possible to chain this one with other previously-patched vulnerabilities.
SAP has published twenty-four new and updated Security Notes on its April Patch Day (including the notes that were released or updated since last Patch Tuesday). This includes five HotNews Notes and one High Priority Note.
One of the five HotNews Notes is the regularly recurring SAP Security Note #2622660 that provides an update for SAP Business Client, including the latest supported Chromium patches. SAP Business Client now supports Chromium version 111.0.5563.65 which fixes seventy-one vulnerabilities in total, including two Critical and thirty-two High Priority vulnerabilities. The maximum CVSS value of all fixed vulnerabilities is 8.8.
Two of the five HotNews Notes contain minor updates:
The more important update affects SAP Security Note #3273480, initially released on SAP’s December 2022 Patch Tuesday. The note is tagged with a CVSS score of 9.9 and patches an Improper Access Control vulnerability in SAP NetWeaver AS Java. SAP has now added a fix for SP026.
HotNews Note #3294595, tagged with a CVSS score of 9.6, only contains a textual update to the Solution section. There is no action required for customers who have already applied the patch.
The New HotNews Notes in Detail
The Onapsis Research Labs (ORL) contributed to patching two critical vulnerabilities in SAP Diagnostics Agent. The ORL detected that the OSCommandBridge and the EventLogService Collector components of the agent allow an unauthenticated user to execute scripts on all Diagnostics Agents connected to SAP Solution Manager. Combined with insufficient input validation, this allows an attacker to execute malicious commands on all monitored SAP systems, severely impacting their confidentiality, integrity, and availability. SAP Security Note #3305369, tagged with the maximum CVSS score of 10, provides a patch for a wide range of support package levels. The following table points out some key aspects of the two vulnerabilities and their differences:
| | CVSS | Complexity | Unauthenticated Attack possible? | Input Validation Missing | Affected OS |
|---|---|---|---|---|---|
| CVE-2023-27497 | 10 | Low | In SAP NW AS Java < 7.5 | | |
The SAP note references SAP KBA #3309989 for further details (in progress at the time of writing this post). We recommend applying the patch immediately since the vulnerability puts the complete SAP system landscape at high risk.
The second new HotNews Note is SAP Security Note #3298961, tagged with a CVSS score of 9.8. The note patches a critical Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Promotion Management). A missing password protection enforcement allows an attacker with basic privileges to get access to the lcmbiar file. After successfully decrypting its content, the attacker could gain access to BI users' passwords. Depending on the authorizations of the impersonated user, an attacker could completely compromise the system's confidentiality, integrity, and availability.
High Priority SAP Security Notes
SAP Security Note #3305907, tagged with a CVSS score of 8.7, is the only High Priority Note in April. The ORL contributed to patching a Directory Traversal vulnerability in the BI_CONT AddOn. A report of the AddOn allows a remote attacker with administrative privileges to overwrite arbitrary and potentially critical OS files. This could make the affected system completely unavailable. The patch completely disables the vulnerable report.
Further Contribution of the Onapsis Research Labs
Including April, the Onapsis Research Labs has now contributed research to thirty-six SAP patches in 2023. In addition to the two HotNews patches and the High Priority patch released on today's Patch Day, our team has also contributed to an additional five Medium Priority Notes.
SAP Security Notes #3303060 and #3296378, tagged with CVSS scores of 5.3 and 6.5 respectively, patch Denial of Service vulnerabilities in SAP NetWeaver AS ABAP/ABAP Platform. Specially crafted requests allow an attacker with non-administrative permissions to remotely make a system completely unavailable.
SAP Security Note #3289994, tagged with a CVSS score of 6.5, patches a Missing Authentication vulnerability in SAP NetWeaver Enterprise Portal. The vulnerability allows unauthenticated attackers to attach to an open interface and use an open API to access a service which enables them to access or modify server settings and data, leading to limited impact on confidentiality and integrity in isolation. However, it is possible for a threat actor to chain this particular vulnerability with a family of previously-patched vulnerabilities that the ORL team has dubbed “P4CHAINS”. For more information, please visit this blog to read further analysis from JP Perez-Etchegoyen.
SAP Security Note #3309056, tagged with a CVSS score of 6, patches a Code Injection vulnerability in SAP CRM. The ORL team detected a remote-enabled function module allowing the generic call of other application function modules. Attackers only need the required S_RFC authorization for the vulnerable module. The patch completely disables the affected module.
SAP Security Note #3287784, tagged with a CVSS score of 5.3, patches an Improper Access Control vulnerability in the Deploy Service of SAP NetWeaver AS Java. A lack of access control allows an unauthenticated attacker to attach to an open interface and make use of an open naming and directory API to access a service. A successful exploit could provide read access to server data, with low impact on the system's confidentiality.
Summary and Conclusions
With twenty-four new and updated SAP Security Notes, including five HotNews Notes and one High Priority Note, SAP's April Patch Day looks like a busy one. SAP customers should prioritize the implementation of HotNews Note #3305369, since a successful exploit could potentially compromise all systems of a landscape. Fortunately, two of the HotNews Notes only contain minor updates, and SAP Business Client customers are well trained in applying the updates provided with the recurring HotNews Note #2622660. SAP has patched multiple vulnerabilities by simply disabling the affected report or function module, so be sure to check your own custom code for obsolete objects that can be deleted. A vulnerable object always represents a security risk – even if it is not in use anymore.
| Note | Type | Title |
|---|---|---|
| 2622660 | Update | Security updates for the browser control Google Chromium delivered with SAP Business Client |
| 3269352 | New | [CVE-2023-29189] HTTP Verb Tampering vulnerability in SAP CRM (WebClient UI) |
| 3301457 | New | [CVE-2023-1903] Missing Authorization check in SAP HCM Fiori App My Forms (Fiori 2.0) |
| 3275458 | New | [CVE-2023-27499] Cross-Site Scripting (XSS) vulnerability in SAP GUI for HTML |
| 3305907 | New | [CVE-2023-29186] Directory Traversal vulnerability in SAP NetWeaver (BI CONT ADD ON) |
| 3312733 | New | [CVE-2023-26458] Information Disclosure vulnerability in SAP Landscape Management |
| 3311624 | New | [CVE-2023-29187] DLL Hijacking vulnerability in SapSetup (Software Installation Program) |
| 3117978 | New | [CVE-2023-29111] Information Disclosure vulnerability in SAP Application Interface Framework (ODATA service) |
| 3113349 | New | [CVE-2023-29110] Code Injection vulnerability in SAP Application Interface Framework (Message Dashboard) |
| 3115598 | New | [CVE-2023-29109] Code Injection vulnerability in SAP Application Interface Framework (Message Dashboard) |
| 3114489 | New | [CVE-2023-29112] Code Injection vulnerability in SAP Application Interface Framework (Message Monitoring) |
| 3298961 | New | [CVE-2023-28765] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Promotion Management) |
| 3309056 | New | [CVE-2023-27897] Code Injection vulnerability in SAP CRM |
| 3316509 | New | Remote Code Execution vulnerability in SAP Commerce |
| 3289994 | New | [CVE-2023-28761] Missing Authentication check in SAP NetWeaver Enterprise Portal |
| 3303060 | New | [CVE-2023-29185] Denial of Service (DOS) in SAP NetWeaver AS for ABAP (Business Server Pages) |
| 3296378 | New | [CVE-2023-28763] Denial of Service in SAP NetWeaver AS for ABAP and ABAP Platform |
| 3305369 | New | [CVE-2023-27497] Multiple vulnerabilities in SAP Diagnostics Agent (OSCommand Bridge and EventLogServiceCollector) |
| 3287784 | New | [CVE-2023-24527] Improper Access Control in SAP NetWeaver AS Java for Deploy Service |
| 3315312 | New | [CVE-2023-29108] IP filter vulnerability in ABAP Platform and SAP Web Dispatcher |
| 3294595 | Update | [CVE-2023-27269] Directory Traversal vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform |
| 3000663 | Update | [CVE-2021-33683] HTTP Request Smuggling in SAP Web Dispatcher and Internet Communication Manager |
| 3273480 | Update | [CVE-2022-41272] Improper access control in SAP NetWeaver AS Java (User Defined Search) |
| 3290901 | Update | [CVE-2023-24528] Missing Authorization Check in SAP Fiori apps for Travel Management in SAP ERP (My Travel Requests) |
Onapsis Research Labs automatically updates The Onapsis Platform with the latest threat intelligence and security guidance so that our customers can stay ahead of ever-evolving threats and protect their businesses.
For more information about the latest SAP security issues and our continuous efforts to share knowledge with the security community, check out our previous Patch Day blogs and subscribe to our monthly Defenders Digest Newsletter.