SAP Patch Day: February 2024

Security Notes

Onapsis Research Labs supported SAP in patching a critical Code Injection vulnerability in SAP Application Basis (SAP_ABA)

Highlights of February SAP Security Notes analysis include:

  • February Summary Sixteen new and updated SAP security patches released, including two HotNews Note and six High Priority Notes.
  • Critical Code Injection Vulnerability RFC-enabled function module allows generic method calls.
  • Onapsis Research Labs Contribution Our team supported SAP in patching one HotNews and one High Priority Note.

SAP has released sixteen SAP Security Notes on its February Patch Day (including the notes that were released or updated since last Patch Tuesday) This includes two HotNews Notes and six High Priority Notes. 

One of the two HotNews Note in February is the periodically recurring SAP Security Note #2622660 which patches the latest Chromium vulnerabilities for SAP Business Client. It patches thirty-three Chromium vulnerabilities, including twenty-six High Priority patches. The maximum CVSS score of all fixed vulnerabilities is 8.8. 

High Priority Note #3385711, tagged with a CVSS score of 7.3, patches an Information Disclosure vulnerability in SAP NetWeaver Application Server ABAP. The note was initially released in December 2023 and was updated this February Patch Day. The update provides more precise information about the patched vulnerability.

The New HotNews Note in Detail

SAP Security Note #3420923, tagged with a CVSS score of 9.1, is the only new HotNews Note. It patches a critical Code Injection vulnerability in the cross-application component SAP_ABA. 

The Onapsis Research Labs detected that the Web Survey feature in SAP provides an RFC-enabled function module that allows dynamically calling any static method of the system without checking any specific authorization. An external call of the function module is only protected by the implicit S_RFC check. The note patches this vulnerability by providing an additional (configurable) check whenever the function module is called from external. This new check is enabled by default and does not allow external calls of the function module. If customers want to use the remote capabilities of the Web Survey feature, they can adjust the configuration of the check. Details about the configuration can be found in the Knowledge Base Article #3415038.   

The New High Priority Notes in Detail

SAP Security Note #3417627, tagged with a CVSS score of 8.8, patches a Cross-Site Scripting vulnerability in the User Admin application of SAP NetWeaver AS Java. Incoming URL parameters are insufficiently validated and improperly encoded before including them into redirect URLs. This can result in a Cross-Site Scripting (XSS) vulnerability, leading to a high impact on confidentiality and mild impact on integrity and availability.

SAP Security Note #3426111, tagged with a CVSS score of 8.6, is the second note of SAP’s February Patch Day that was patched in contribution with the Onapsis Research Labs (ORL). The note patches an XML External Entity(XEE) Injection vulnerability in the Guided Procedures component of SAP NetWeaver AS Java. The vulnerability allows an unauthenticated attacker to submit a malicious request with a crafted XML file over the network, which when parsed will enable him to get read access to sensitive files and data. The patch comes with a more restrictive configuration of the involved XML parser that does not allow external entities as part of an incoming XML document. Not patching this vulnerability poses the confidentiality of the system at high risk.

A Cross-Site Scripting vulnerability was patched with SAP Security #3410875, tagged with a CVSS score of 7.6. The vulnerability exists in the Print preview option in SAP CRM WebClient UI and is caused by insufficient encoding of user controlled inputs. A low privileged attacker can cause limited impact to confidentiality and integrity of the application data after successful exploitation.

High Priority Note #3424610, tagged with a CVSS score of 7.4, patches an Improper Certificate Validation vulnerability in SAP Cloud Connector. The vulnerability allows an attacker to impersonate servers that interact with the cloud connector breaking the mutual authentication. In a successful exploit an attacker can intercept requests to view and modify sensitive information leading to high impact on the system’s confidentiality and integrity.

SAP Security Note #3421659, tagged with a CVSS score of 7.4, only affects SAP IDES systems. The patch deletes a program that allows the execution of arbitrary program code. An attacker can use the program to control the behavior of the system by executing malicious code. 

Feedback on the Onapsis January Patch Day Blog Post
In my January blog post, I wrote about SAP Security Note #3407617 stating the following:

It’s possible we can expect an update of this note in the near future since the solution seems to be incomplete.”

We have had the opportunity to  clarify the background of this specific  note with the SAP Product Security Response Team and the responsible developer. They transparently explained the rationale and that there is no code correction involved with the patch. Therefore, no update of the note is required. For security reasons they did not provide the same granularity of information in the Security Note.

Summary & Conclusions

With sixteen Security Notes, SAP’s February Patch Day is an average one. The Onapsis Research Labs could once more support SAP in patching two of the most critical vulnerabilities of this Patch Day. Special thanks go to the SAP Product Response team in helping us to clarify the background of SAP Security Note #3407617.

SAP NoteTypeDescriptionPriorityCVSS
3404025New[CVE-2024-22129] Cross-Site Scripting (XSS) vulnerability in SAP Companion
2897391New[CVE-2024-24741] Missing Authorization check in SAP Master Data Governance Material
3417627New[CVE-2024-22126] Cross Site Scripting vulnerability in NetWeaver AS Java (User Admin Application)
3410875New[CVE-2024-22130] Cross-Site Scripting (XSS) vulnerability in SAP CRM (WebClient UI)
3396109New[CVE-2024-22128] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Business Client for HTML
3158455New[CVE-2024-24742] Cross-Site Scripting (XSS) vulnerability in SAP CRM (WebClient UI)
2637727New[CVE-2024-24739] Missing authorization check in SAP Bank Account Management
3360827New[CVE-2024-24740] Information Disclosure vulnerability in SAP NetWeaver Application Server ABAP (SAP Kernel)
3421659New[CVE-2024-22132] Code Injection vulnerability in SAP IDES Systems
3420923New[CVE-2024-22131] Code Injection vulnerability in SAP ABA (Application Basis)
3237638New[CVE-2024-25643] Missing authorization check in SAP Fiori app (“My Overtime Requests”)
2622660UpdateSecurity updates for the browser control Google Chromium delivered with SAP Business Client
3426111New[CVE-2024-24743] XXE vulnerability in SAP NetWeaver AS Java (Guided Procedures)
3424610New[CVE-2024-25642] Improper Certificate Validation in SAP Cloud Connector
3385711Update[CVE-2023-49580] Information disclosure vulnerability in SAP NetWeaver Application Server ABAP
3363690Update[CVE-2023-49058] Directory Traversal vulnerability in SAP Master Data Governance

As always, the Onapsis Research Labs is already updating The Onapsis Platform to incorporate the newly published vulnerabilities into the product so that our customers can protect their businesses.

For more information about the latest SAP security issues and our continuous efforts to share knowledge with the security community, subscribe to our monthly Defenders Digest.