SAP Security Patch Day: April 2023

Critical Vulnerabilities in SAP Diagnostics Agent Pose Risk To SAP Systems

Highlights of April SAP Security Notes analysis include:

  • April Summary – Twenty-four new and updated SAP security patches released, including five HotNews Notes and one High Priority Note.
  • SAP Diagnostics Agent in Focus – Two critical vulnerabilities put the entire system landscape at risk.
  • Onapsis Research Labs Collaboration – Onapsis Research Labs contributed to fixing eight vulnerabilities, covered by seven SAP Security Notes. This includes two HotNews vulnerabilities in SAP Diagnostics Agent and one High Priority Note affecting the BI Content AddOn (BI_CONT).
  • Medium Criticality Vulnerability with a Potentially Larger Effect – It is possible to chain this one with other previously-patched vulnerabilities.

SAP has published twenty-four new and updated Security Notes on its April Patch Day (including the notes that were released or updated since last Patch Tuesday). This includes five HotNews Notes and one High Priority Note.

One of the five HotNews Notes is the regularly recurring SAP Security Note #2622660 that provides an update for SAP Business Client, including the latest supported Chromium patches. SAP Business Client now supports Chromium version 111.0.5563.65 which fixes seventy-one vulnerabilities in total, including two Critical and thirty-two High Priority vulnerabilities. The maximum CVSS value of all fixed vulnerabilities is 8.8.

Two of the five HotNews Notes contain minor updates:

The more important update affects SAP Security Note #3273480, initially released on SAP’s December 2022 Patch Tuesday. The note is tagged with a CVSS score of 9.9 and patches an Improper Access Control vulnerability in SAP NetWeaver AS Java. SAP has now added a fix for SP026.

HotNews Note #3294595, tagged with a CVSS score of 9.6, only contains a textual update to the Solution section. There is no action required for customers who have already applied the patch.

The New HotNews Notes in Detail

The Onapsis Research Labs (ORL) contributed to patching two critical vulnerabilities in SAP Diagnostics Agent. The ORL found that the OSCommand Bridge and the EventLogServiceCollector components of the agent allow an unauthenticated user to execute scripts on all Diagnostics Agents connected to SAP Solution Manager. Combined with insufficient input validation, this lets attackers execute malicious commands on all monitored SAP systems, with high impact on their confidentiality, integrity, and availability. SAP Security Note #3305369, tagged with the maximum CVSS score of 10, provides a patch for a wide range of support package levels. The following table points out some key aspects of the two vulnerabilities and their differences (cells the page leaves empty are left empty here):

CVE            | Affected Component | CVSS | Complexity | Unauthenticated Attack possible?   | Input Validation Missing | Affected OS
CVE-2023-27497 |                    | 10   | Low        | In SAP NW AS Java < 7.5 SP25 PL7 | Yes                      | Windows
CVE-2023-27267 |                    | 9    | High       |                                  |                          | All

The SAP note references SAP KBA #3309989 for further details (in progress at the time of writing this post). We recommend applying the patch immediately since the vulnerability puts the complete SAP system landscape at high risk.

The second new HotNews Note is SAP Security Note #3298961, tagged with a CVSS score of 9.8. The note patches a critical Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Promotion Management). Because password protection is not enforced, an attacker with basic privileges can obtain the lcmbiar file. After successfully decrypting its content, the attacker could gain access to BI users' passwords. Depending on the authorizations of the impersonated user, an attacker could completely compromise the system's confidentiality, integrity, and availability.

High Priority SAP Security Notes

SAP Security Note #3305907, tagged with a CVSS score of 8.7, is the only High Priority Note in April. The ORL contributed to patching a Directory Traversal vulnerability in the BI_CONT AddOn. A report in the AddOn allows a remote attacker with administrative privileges to overwrite arbitrary and potentially critical OS files, which could make the affected system completely unavailable. The patch completely disables the vulnerable report.

Further Contribution of the Onapsis Research Labs

Including April, the Onapsis Research Labs has now contributed research to thirty-six SAP patches in 2023. In addition to the two HotNews patches and the High Priority patch released on today's Patch Day, our team has also contributed to an additional five Medium Priority Notes.

SAP Security Notes #3303060 and #3296378, tagged with CVSS scores of 5.3 and 6.5 respectively, patch Denial of Service vulnerabilities in SAP NetWeaver AS ABAP/ABAP Platform. Specially crafted requests allow an attacker with non-administrative permissions to remotely make a system completely unavailable.

SAP Security Note #3289994, tagged with a CVSS score of 6.5, patches a Missing Authentication vulnerability in SAP NetWeaver Enterprise Portal. The vulnerability allows unauthenticated attackers to attach to an open interface and use an open API to access a service which enables them to access or modify server settings and data, leading to limited impact on confidentiality and integrity in isolation. However, it is possible for a threat actor to chain this particular vulnerability with a family of previously-patched vulnerabilities that the ORL team has dubbed “P4CHAINS”. For more information, please visit this blog to read further analysis from JP Perez-Etchegoyen.

SAP Security Note #3309056, tagged with a CVSS score of 6, patches a Code Injection vulnerability in SAP CRM. The ORL team detected a remote-enabled function module allowing the generic call of other application function modules. Attackers only need the required S_RFC authorization for the vulnerable module. The patch completely disables the affected module.

SAP Security Note #3287784, tagged with a CVSS score of 5.3, patches an Improper Access Control vulnerability in the Deploy Service of SAP NetWeaver AS Java. A lack of access control allows an unauthenticated attacker to attach to an open interface and make use of an open naming and directory API to access a service. A successful exploit could provide read access to server data, with low impact on the system's confidentiality.

Summary and Conclusions

With twenty-four new and updated SAP Security Notes, including five HotNews Notes and one High Priority Note, SAP's April Patch Day looks like a busy one. SAP customers should prioritize the implementation of HotNews Note #3305369, since a successful exploit could potentially compromise all systems of a landscape. Fortunately, two of the HotNews Notes only contain minor updates, and SAP Business Client customers are well trained in applying the updates provided with the recurring HotNews Note #2622660. SAP has patched multiple vulnerabilities by simply disabling the affected report or function module, so be sure to check your own custom code for obsolete objects that can be deleted. A vulnerable object always represents a security risk, even if it is no longer in use.
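The "generic call" pattern behind Note #3309056 (a remote-enabled function module that forwards a caller-supplied name to CALL FUNCTION, so an attacker needs S_RFC only for the wrapper) and the custom-code review the summary recommends can both be checked statically. The scanner below is an added example written for this page; it is not Onapsis or SAP code and does not reproduce the affected CRM module. It assumes ABAP source exported as plain text (SE37 or abapGit) and a set of remote-enabled module names taken from table TFDIR (FMODE = 'R'); the module names and the sample source are constructed for illustration.

```python
# Added example: static check for dynamic CALL FUNCTION targets inside
# remote-enabled function modules. Not Onapsis/SAP code. Assumptions:
# ABAP source as text, remote-enabled names from TFDIR (FMODE = 'R'),
# sample modules below constructed for illustration.
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class Finding:
    function_module: str
    target: str     # data object whose runtime value names the called function
    guarded: bool   # an S_RFC AUTHORITY-CHECK on that same object precedes the call
    severity: str


FM_START = re.compile(r"^FUNCTION (?P<name>[A-Z0-9_/]+)$", re.I)
# A literal target starts with a quote; anything else is resolved at runtime.
CALL_DYN = re.compile(r"^CALL FUNCTION (?P<target>[A-Z_][A-Z0-9_\-]*)(?:\s|$)", re.I)
S_RFC_CHECK = re.compile(
    r"^AUTHORITY-CHECK OBJECT 'S_RFC'.*?ID 'RFC_NAME' FIELD (?P<field>[A-Z_][A-Z0-9_\-]*)", re.I)


def strip_comments(source: str) -> str:
    """Drop full-line (* in column 1) and inline (") ABAP comments, keeping
    quote characters that sit inside string literals."""
    kept = []
    for line in source.splitlines():
        if line.startswith("*"):
            continue
        quote = None
        for i, ch in enumerate(line):
            if quote:
                if ch == quote:
                    quote = None
            elif ch in ("'", "`"):
                quote = ch
            elif ch == '"':
                line = line[:i]
                break
        kept.append(line)
    return "\n".join(kept)


def split_statements(source: str) -> list[str]:
    """Split ABAP code into statements at periods outside string literals and
    collapse whitespace so a multi-line statement becomes one string."""
    statements, current, quote = [], [], None
    for ch in source:
        if quote:
            current.append(ch)
            if ch == quote:
                quote = None
        elif ch in ("'", "`"):
            quote = ch
            current.append(ch)
        elif ch == ".":
            text = " ".join("".join(current).split())
            if text:
                statements.append(text)
            current = []
        else:
            current.append(ch)
    return statements


def scan(source: str, remote_enabled: set[str]) -> list[Finding]:
    """Report every CALL FUNCTION with a non-literal target in a remote-enabled module."""
    findings: list[Finding] = []
    module, guarded_fields = None, set()
    for stmt in split_statements(strip_comments(source)):
        m = FM_START.match(stmt)
        if m:
            module, guarded_fields = m["name"].upper(), set()
            continue
        if stmt.upper() == "ENDFUNCTION":
            module = None
            continue
        if module is None or module not in remote_enabled:
            continue  # not reachable via RFC: out of scope for an S_RFC-only attacker
        m = S_RFC_CHECK.match(stmt)
        if m:
            guarded_fields.add(m["field"].upper())
            continue
        m = CALL_DYN.match(stmt)
        if m:
            target = m["target"].upper()
            guarded = target in guarded_fields
            findings.append(Finding(module, target, guarded, "medium" if guarded else "high"))
    return findings


# Constructed sample: hypothetical Z modules, not the module patched by SAP.
SAMPLE_SOURCE = """\
FUNCTION z_crm_generic_call.
*"  IMPORTING  VALUE(IV_FUNCNAME) TYPE RS38L_FNAM
  " Forwards whatever function name the RFC caller supplies.
  CALL FUNCTION iv_funcname
    EXPORTING input = iv_input
    EXCEPTIONS OTHERS = 1.
ENDFUNCTION.

FUNCTION z_crm_get_partner.
  DATA lv_name TYPE rs38l_fnam VALUE 'BAPI_BUPA_CENTRAL_GETDETAIL'.
  AUTHORITY-CHECK OBJECT 'S_RFC'
    ID 'RFC_TYPE' FIELD 'FUNC'
    ID 'RFC_NAME' FIELD lv_name
    ID 'ACTVT' FIELD '16'.
  IF sy-subrc <> 0. RAISE no_authority. ENDIF.
  CALL FUNCTION lv_name EXPORTING businesspartner = iv_partner.
ENDFUNCTION.

FUNCTION z_local_dispatch.
  CALL FUNCTION iv_funcname.  " same pattern, but not remote-enabled
ENDFUNCTION.

FUNCTION z_crm_read_user.
  CALL FUNCTION 'BAPI_USER_GET_DETAIL' EXPORTING username = iv_user.
ENDFUNCTION.
"""
# In a real run: SELECT funcname FROM tfdir WHERE fmode = 'R'.
REMOTE_ENABLED = {"Z_CRM_GENERIC_CALL", "Z_CRM_GET_PARTNER", "Z_CRM_READ_USER"}

if __name__ == "__main__":
    for f in scan(SAMPLE_SOURCE, REMOTE_ENABLED):
        state = "S_RFC check on target" if f.guarded else "no S_RFC check on target"
        print(f"{f.severity:6} {f.function_module}: CALL FUNCTION {f.target} ({state})")
```

The scanner flags any CALL FUNCTION whose target is a data object rather than a literal inside a remote-enabled module, rating it high when no AUTHORITY-CHECK on S_RFC names that object before the call and medium otherwise. A target that is in fact a constant (as in z_crm_get_partner) still shows up and needs a manual look, and the medium rating only says a check exists, not that it is sufficient. The same loop over TFDIR is a reasonable starting point for the obsolete-object review the summary asks for: remote-enabled modules that no longer have a caller are candidates for deletion rather than for being left enabled.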

SAP Note | Type   | Description | Component | Priority | CVSS
2622660  | Update | Security updates for the browser control Google Chromium delivered with SAP Business Client | BC-FES-BUS-DSK | HotNews | 10.0
3269352  | New    | [CVE-2023-29189] HTTP Verb Tampering vulnerability in SAP CRM (WebClient UI) | CA-WUI-UI | Medium | 5.4
3301457  | New    | [CVE-2023-1903] Missing Authorization check in SAP HCM Fiori App My Forms (Fiori 2.0) | PA-FIO-FO | Medium | 4.3
3275458  | New    | [CVE-2023-27499] Cross-Site Scripting (XSS) vulnerability in SAP GUI for HTML | BC-FES-WGU | Medium | 6.1
3305907  | New    | [CVE-2023-29186] Directory Traversal vulnerability in SAP NetWeaver (BI CONT ADD ON) | BW-BCT-GEN | High | 8.7
3312733  | New    | [CVE-2023-26458] Information Disclosure vulnerability in SAP Landscape Management | BC-VCM-LVM | Medium | 6.8
3311624  | New    | [CVE-2023-29187] DLL Hijacking vulnerability in SapSetup (Software Installation Program) | BC-FES-INS | Medium | 6.7
3117978  | New    | [CVE-2023-29111] Information Disclosure vulnerability in SAP Application Interface Framework (ODATA service) | BC-SRV-AIF | Low | 3.1
3113349  | New    | [CVE-2023-29110] Code Injection vulnerability in SAP Application Interface Framework (Message Dashboard) | BC-SRV-AIF | Low | 3.7
3115598  | New    | [CVE-2023-29109] Code Injection vulnerability in SAP Application Interface Framework (Message Dashboard) | BC-SRV-AIF | Medium | 4.4
3114489  | New    | [CVE-2023-29112] Code Injection vulnerability in SAP Application Interface Framework (Message Monitoring) | BC-SRV-AIF | Low | 3.7
3298961  | New    | [CVE-2023-28765] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Promotion Management) | BI-BIP-LCM | HotNews | 9.8
3309056  | New    | [CVE-2023-27897] Code Injection vulnerability in SAP CRM | CRM-BF | Medium | 6.0
3316509  | New    | Remote Code Execution vulnerability in SAP Commerce | CEC-COM-CPS-COR | Medium | 4.7
3289994  | New    | [CVE-2023-28761] Missing Authentication check in SAP NetWeaver Enterprise Portal | EP-PIN-PRT | Medium | 6.5
3303060  | New    | [CVE-2023-29185] Denial of Service (DOS) in SAP NetWeaver AS for ABAP (Business Server Pages) | BC-BSP | Medium | 5.3
3296378  | New    | [CVE-2023-28763] Denial of Service in SAP NetWeaver AS for ABAP and ABAP Platform | BC-MID-AC | Medium | 6.5
3305369  | New    | [CVE-2023-27497] Multiple vulnerabilities in SAP Diagnostics Agent (OSCommand Bridge and EventLogServiceCollector) | SV-SMG-DIA-SRV-AGT | HotNews | 10.0
3287784  | New    | [CVE-2023-24527] Improper Access Control in SAP NetWeaver AS Java for Deploy Service | BC-JAS-DPL | Medium | 5.3
3315312  | New    | [CVE-2023-29108] IP filter vulnerability in ABAP Platform and SAP Web Dispatcher | BC-CST-IC | Medium | 5.0
3294595  | Update | [CVE-2023-27269] Directory Traversal vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform | BC-CCM-PRN | HotNews | 9.6
3000663  | Update | [CVE-2021-33683] HTTP Request Smuggling in SAP Web Dispatcher and Internet Communication Manager | BC-CST-WDP | Medium | 5.4
3273480  | Update | [CVE-2022-41272] Improper access control in SAP NetWeaver AS Java (User Defined Search) | BC-XI-CON-UDS | HotNews | 9.9
3290901  | Update | [CVE-2023-24528] Missing Authorization Check in SAP Fiori apps for Travel Management in SAP ERP (My Travel Requests) | FI-TV-ODT-MTR | Medium | 6.5

Onapsis Research Labs automatically updates The Onapsis Platform with the latest threat intelligence and security guidance so that our customers can stay ahead of ever-evolving threats and protect their businesses.

For more information about the latest SAP security issues and our continuous efforts to share knowledge with the security community, check out our previous Patch Day blogs and subscribe to our monthly Defenders Digest Newsletter.

Source: Onapsis-Blog
