SAP Security Patch Day: April 2023

SAP Security Notes Blog

Critical Vulnerabilities in SAP Diagnostics Agent Pose Risk To SAP Systems

Highlights of April SAP Security Notes analysis include:

  • April Summary – Twenty-four new and updated SAP security patches released, including five HotNews Notes and one High Priority Note.
  • SAP Diagnostics Agent in Focus – Two critical vulnerabilities pose risk to the entire system landscape.
  • Onapsis Research Labs Collaboration – Onapsis Research Labs contributed to fixing eight vulnerabilities, covered by seven SAP Security Notes. This includes two HotNews vulnerabilities in SAP Diagnostics Agent and one High Priority Note affecting the BI Content AddOn (BI_CONT).
  • Medium Criticality Vulnerability with a Potentially Larger Effect – It is possible to chain this one with other previously patched vulnerabilities.

SAP has published twenty-four new and updated Security Notes on its April Patch Day (including the notes that were released or updated since last Patch Tuesday). This includes five HotNews Notes and one High Priority Note. 

One of the five HotNews Notes is the regularly recurring SAP Security Note #2622660 that provides an update for SAP Business Client, including the latest supported Chromium patches. SAP Business Client now supports Chromium version 111.0.5563.65 which fixes seventy-one vulnerabilities in total, including two Critical and thirty-two High Priority vulnerabilities. The maximum CVSS value of all fixed vulnerabilities is 8.8.

Two of the five HotNews Notes contain minor updates:

The more important update affects SAP Security Note #3273480, initially released on SAP’s December 2022 Patch Tuesday. The note is tagged with a CVSS score of 9.9 and patches an Improper Access Control vulnerability in SAP NetWeaver AS Java. SAP has now added a fix for SP026.

HotNews Note #3294595, tagged with a CVSS score of 9.6, only contains a textual update to the Solution section. There is no action required for customers who have already applied the patch.

The New HotNews Notes in Detail

The Onapsis Research Labs (ORL) contributed to patching two critical vulnerabilities in SAP Diagnostics Agent. The ORL detected that the OSCommandBridge and EventLogServiceCollector components of the agent allow an unauthenticated user to execute scripts on all Diagnostics Agents connected to SAP Solution Manager. In conjunction with insufficient input validation, attackers were able to execute malicious commands on all monitored SAP systems, with a high impact on their confidentiality, integrity, and availability. SAP Security Note #3305369, tagged with the maximum CVSS score of 10, provides a patch for a wide range of support package levels. The following table points out some key aspects of the two vulnerabilities and their differences:

CVE            | Affected Component | CVSS | Complexity | Unauthenticated Attack possible?  | Input Validation Missing | Affected OS
CVE-2023-27497 |                    | 10   | Low        | In SAP NW AS Java < 7.5 SP25 PL7 | Yes                      | Windows
CVE-2023-27267 |                    | 9    | High       |                                  |                          | All

The SAP note references SAP KBA #3309989 for further details (in progress at the time of writing this post). We recommend applying the patch immediately since the vulnerability puts the complete SAP system landscape at high risk.

The second new HotNews Note is SAP Security Note #3298961, tagged with a CVSS score of 9.8. The note patches a critical Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Promotion Management). Missing enforcement of password protection allows an attacker with basic privileges to get access to the lcmbiar file. After successfully decrypting its content, the attacker could gain access to BI users' passwords. Depending on the authorizations of the impersonated user, an attacker could completely compromise the system's confidentiality, integrity, and availability.

High Priority SAP Security Notes

SAP Security Note #3305907, tagged with a CVSS score of 8.7, is the only High Priority Note in April. The ORL contributed to patching a Directory Traversal vulnerability in the BI_CONT AddOn. A report of the AddOn allows a remote attacker with administrative privileges to overwrite arbitrary and potentially critical OS files. This could make the affected system completely unavailable. The patch completely disables the vulnerable report.


Further Contribution of the Onapsis Research Labs 

The Onapsis Research Labs, including April, has now provided research contributions to SAP for thirty-six patches in 2023. In addition to the two HotNews patches and the High Priority patch released on today's Patch Day, our team has also contributed to an additional five Medium Priority Notes.

SAP Security Notes #3303060 and #3296378, tagged with CVSS scores of 5.3 and 6.5 respectively, patch Denial of Service vulnerabilities in SAP NetWeaver AS ABAP/ABAP Platform. Specially crafted requests allow an attacker with non-administrative permissions to remotely make a system completely unavailable.

SAP Security Note #3289994, tagged with a CVSS score of 6.5, patches a Missing Authentication vulnerability in SAP NetWeaver Enterprise Portal. The vulnerability allows unauthenticated attackers to attach to an open interface and use an open API to access a service which enables them to access or modify server settings and data, leading to limited impact on confidentiality and integrity in isolation. However, it is possible for a threat actor to chain this particular vulnerability with a family of previously-patched vulnerabilities that the ORL team has dubbed “P4CHAINS”. For more information, please visit this blog to read further analysis from JP Perez-Etchegoyen.

SAP Security Note #3309056, tagged with a CVSS score of 6, patches a Code Injection vulnerability in SAP CRM. The ORL team detected a remote-enabled function module allowing the generic call of other application function modules. Attackers only need the required S_RFC authorization for the vulnerable module. The patch completely disables the affected module.

SAP Security Note #3287784, tagged with a CVSS score of 5.3, patches an Improper Access Control vulnerability in the Deploy Service of SAP NetWeaver AS Java. A lack of access control allows an unauthenticated attacker to attach to an open interface and make use of an open naming and directory API to access a service. A successful exploit could provide read access to server data, with low impact on the system's confidentiality.

Summary and Conclusions

With twenty-four new and updated SAP Security Notes, including five HotNews Notes and one High Priority Note, SAP’s April Patch Day looks like a busy one. SAP customers should prioritize the implementation of HotNews Note #3305369 since a successful exploit could potentially compromise all systems of a landscape. Fortunately, two of the HotNews Notes only contain minor updates and SAP Business Client customers are well trained in applying the updates provided with the recurring HotNews Note #2622660. SAP has patched multiple vulnerabilities by just disabling the affected report or function module, so be sure to check your own custom code for obsolete objects that can be deleted. A vulnerable object always represents a security risk – even if it is not in use anymore…

SAP Note | Type   | Description                                                                                                                    | Component          | Priority | CVSS
2622660  | Update | Security updates for the browser control Google Chromium delivered with SAP Business Client                                    | BC-FES-BUS-DSK     | HotNews  | 10.0
3269352  | New    | [CVE-2023-29189] HTTP Verb Tampering vulnerability in SAP CRM (WebClient UI)                                                  | CA-WUI-UI          | Medium   | 5.4
3301457  | New    | [CVE-2023-1903] Missing Authorization check in SAP HCM Fiori App My Forms (Fiori 2.0)                                          | PA-FIO-FO          | Medium   | 4.3
3275458  | New    | [CVE-2023-27499] Cross-Site Scripting (XSS) vulnerability in SAP GUI for HTML                                                  | BC-FES-WGU         | Medium   | 6.1
3305907  | New    | [CVE-2023-29186] Directory Traversal vulnerability in SAP NetWeaver (BI CONT ADD ON)                                           | BW-BCT-GEN         | High     | 8.7
3312733  | New    | [CVE-2023-26458] Information Disclosure vulnerability in SAP Landscape Management                                              | BC-VCM-LVM         | Medium   | 6.8
3311624  | New    | [CVE-2023-29187] DLL Hijacking vulnerability in SapSetup (Software Installation Program)                                       | BC-FES-INS         | Medium   | 6.7
3117978  | New    | [CVE-2023-29111] Information Disclosure vulnerability in SAP Application Interface Framework (ODATA service)                  | BC-SRV-AIF         | Low      | 3.1
3113349  | New    | [CVE-2023-29110] Code Injection vulnerability in SAP Application Interface Framework (Message Dashboard)                       | BC-SRV-AIF         | Low      | 3.7
3115598  | New    | [CVE-2023-29109] Code Injection vulnerability in SAP Application Interface Framework (Message Dashboard)                       | BC-SRV-AIF         | Medium   | 4.4
3114489  | New    | [CVE-2023-29112] Code Injection vulnerability in SAP Application Interface Framework (Message Monitoring)                      | BC-SRV-AIF         | Low      | 3.7
3298961  | New    | [CVE-2023-28765] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Promotion Management) | BI-BIP-LCM     | HotNews  | 9.8
3309056  | New    | [CVE-2023-27897] Code Injection vulnerability in SAP CRM                                                                       | CRM-BF             | Medium   | 6.0
3316509  | New    | Remote Code Execution vulnerability in SAP Commerce                                                                            | CEC-COM-CPS-COR    | Medium   | 4.7
3289994  | New    | [CVE-2023-28761] Missing Authentication check in SAP NetWeaver Enterprise Portal                                               | EP-PIN-PRT         | Medium   | 6.5
3303060  | New    | [CVE-2023-29185] Denial of Service (DOS) in SAP NetWeaver AS for ABAP (Business Server Pages)                                  | BC-BSP             | Medium   | 5.3
3296378  | New    | [CVE-2023-28763] Denial of Service in SAP NetWeaver AS for ABAP and ABAP Platform                                              | BC-MID-AC          | Medium   | 6.5
3305369  | New    | [CVE-2023-27497] Multiple vulnerabilities in SAP Diagnostics Agent (OSCommand Bridge and EventLogServiceCollector)             | SV-SMG-DIA-SRV-AGT | HotNews  | 10.0
3287784  | New    | [CVE-2023-24527] Improper Access Control in SAP NetWeaver AS Java for Deploy Service                                           | BC-JAS-DPL         | Medium   | 5.3
3315312  | New    | [CVE-2023-29108] IP filter vulnerability in ABAP Platform and SAP Web Dispatcher                                               | BC-CST-IC          | Medium   | 5.0
3294595  | Update | [CVE-2023-27269] Directory Traversal vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform                              | BC-CCM-PRN         | HotNews  | 9.6
3000663  | Update | [CVE-2021-33683] HTTP Request Smuggling in SAP Web Dispatcher and Internet Communication Manager                               | BC-CST-WDP         | Medium   | 5.4
3273480  | Update | [CVE-2022-41272] Improper access control in SAP NetWeaver AS Java (User Defined Search)                                        | BC-XI-CON-UDS      | HotNews  | 9.9
3290901  | Update | [CVE-2023-24528] Missing Authorization Check in SAP Fiori apps for Travel Management in SAP ERP (My Travel Requests)           | FI-TV-ODT-MTR      | Medium   | 6.5
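A triage helper for a note list like the one above, added here as example code (not Onapsis or SAP code). It assumes the rows are supplied as constructed semicolon-separated records carrying SAP's decimal-comma CVSS values, and it ranks them by priority class, then CVSS, with New notes ahead of Updates of the same score.

```python
# Added triage helper for a Patch Day note list (example code, not Onapsis' or SAP's).
# Each input row mirrors one line of the table above, as a constructed
# semicolon-separated record: note;type;title;component;priority;cvss
# (CVSS with the decimal comma SAP prints).
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed rows whose values are copied from the April 2023 table on this page.
SAMPLE_ROWS = [
    "2622660;Update;Security updates for the browser control Google Chromium delivered with SAP Business Client;BC-FES-BUS-DSK;HotNews;10,0",
    "3305369;New;[CVE-2023-27497] Multiple vulnerabilities in SAP Diagnostics Agent (OSCommand Bridge and EventLogServiceCollector);SV-SMG-DIA-SRV-AGT;HotNews;10,0",
    "3273480;Update;[CVE-2022-41272] Improper access control in SAP NetWeaver AS Java (User Defined Search);BC-XI-CON-UDS;HotNews;9,9",
    "3305907;New;[CVE-2023-29186] Directory Traversal vulnerability in SAP NetWeaver (BI CONT ADD ON);BW-BCT-GEN;High;8,7",
    "3289994;New;[CVE-2023-28761] Missing Authentication check in SAP NetWeaver Enterprise Portal;EP-PIN-PRT;Medium;6,5",
    "3117978;New;[CVE-2023-29111] Information Disclosure vulnerability in SAP Application Interface Framework (ODATA service);BC-SRV-AIF;Low;3,1",
]

# Lower rank sorts first; an unknown priority raises instead of silently sinking.
PRIORITY_RANK = {"HotNews": 0, "High": 1, "Medium": 2, "Low": 3}
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

@dataclass(frozen=True)
class SecurityNote:
    note: str
    kind: str            # "New" or "Update"
    title: str
    component: str       # SAP application component, e.g. BC-FES-BUS-DSK
    priority: str
    cvss: float
    cve: Optional[str]   # None when SAP lists no CVE (e.g. note 3316509 above)

def parse_row(row: str) -> SecurityNote:
    """Parse one record; normalises the decimal comma in CVSS ('10,0' -> 10.0)."""
    fields = [f.strip() for f in row.split(";")]
    if len(fields) != 6:
        raise ValueError(f"expected 6 fields, got {len(fields)}: {row!r}")
    note, kind, title, component, priority, cvss = fields
    if priority not in PRIORITY_RANK:
        raise ValueError(f"unknown priority {priority!r} in note {note}")
    match = CVE_RE.search(title)
    return SecurityNote(note, kind, title, component, priority,
                        float(cvss.replace(",", ".")), match.group(0) if match else None)

def triage(rows: List[str]) -> List[SecurityNote]:
    """Order notes by priority class, then CVSS descending, then New before Update."""
    notes = [parse_row(r) for r in rows if r.strip()]
    return sorted(notes, key=lambda n: (PRIORITY_RANK[n.priority], -n.cvss,
                                        n.kind != "New", n.note))
```

Feeding the full table through `triage` puts #3305369 first, matching the prioritisation recommended in the conclusions; an Update row such as #2622660 still surfaces next to it rather than being lost among the Medium notes.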

Onapsis Research Labs automatically updates The Onapsis Platform with the latest threat intelligence and security guidance so that our customers can stay ahead of ever-evolving threats and protect their businesses.

For more information about the latest SAP security issues and our continuous efforts to share knowledge with the security community, check out our previous Patch Day blogs and subscribe to our monthly Defenders Digest Newsletter.