SAP Patch Day: August 2023

SAP Security Notes Blog

New HotNews Note for SAP PowerDesigner and Important Update on July HotNews Note

Highlights of August SAP Security Notes analysis include:

  • August Summary – Twenty new and updated SAP security patches released, including two HotNews Notes and eight High Priority Notes
  • Updated HotNews Note requires Special Attention  Ignoring guidance can lead to system inconsistencies
  • Onapsis Research Labs Contribution – Our team supported SAP in patching three vulnerabilities

SAP has published twenty new and updated Security Notes on its August Patch Day (including the notes that were released or updated since last Patch Tuesday). This includes two HotNews Notes and eight High Priority Notes. 

The Onapsis Research Labs contributed to patching three vulnerabilities, affecting SAP Message Server, SAP NetWeaver AS ABAP and ABAP Platform, and SAP Host Agent.

Important HotNews Note Update

SAP Security Note #3350297, tagged with a CVSS score of 9.1, was initially released on SAP’s July Patch Day. It patches an OS Command Injection vulnerability in IS-OIL. The update was released on July 25th and contains a serious warning. It explains that IS-OIL is installed on almost all SAP systems, but this doesn’t mean that this industry solution is also enabled on the system. A system is only vulnerable to the OS Command Injection if the two switches OIB_QCI and OI0_COMMON_2 are activated. Therefore, there is no need to implement the HotNews Note if this condition is not true and the real message of the note update is:

“Do not activate IS-OIL or any Business Function or Switch related to it just to implement SAP Note #3350297. Most IS-OIL switches are not reversible and may cause damage to systems that are not IS-OIL relevant.” 

The OS Command Injection vulnerability exists because an IS-OIL report allows user inputs to be provided to the vulnerable function module. Since this function module is not RFC-enabled and because the report will dump without IS-OIL being activated, the vulnerability cannot be exploited without IS-OIL and the two switches being enabled.

High Priority Note #3331376, tagged with a CVSS score of 8.7, was also updated since last Patch Day. SAP has added additional information to the “Correction Instructions” section.   

New HotNews Note for SAP PowerDesigner 

The only new HotNews Note is SAP Security Note #3341460 which is tagged with a CVSS score of 9.8. This note patches two vulnerabilities in SAP PowerDesigner.  It  affects customers who have the SAP PowerDesigner Client connecting to the shared model repository through a SAP PowerDesigner Proxy. An Improper Access Control vulnerability might allow an unauthenticated attacker to run arbitrary queries against the back end database via proxy. This vulnerability is tracked under CVE-2023-37483 and the only thing that prevents the vulnerability from being rated with the maximum CVSS score of 10 is that the scope keeps unchanged during a successful exploit.The note also patches an Information Disclosure vulnerability that is tagged with a CVSS score of 5.3. It allows an attacker to access password hashes from the client’s memory. SAP points out that patching requires updating the SAP PowerDesigner Client and the Proxy to the same new version. A mixture of two versions could cause serious problems. 

The High Priority Notes in Detail

Although, SAP Security Note #3344295 is not tagged with the highest CVSS score of all new High Priority Notes, it might affect the majority of SAP customers since it is related to the SAP Message Server. The Onapsis Research Labs (ORL) detected an Improper Authorization Check vulnerability in SAP Message Server allowing an authenticated attacker to enter the network of the SAP systems served by the attacked SAP Message server. The vulnerability is tagged with a CVSS score of 7.5 and may lead to unauthorized read and write of data as well as rendering the system unavailable. Fortunately, a successful exploit is only possible under the following conditions:

  • The SAP Message Server is only protected by an ACL.
  • The profile parameter system/secure_communication is set to OFF.
  • The internal port of the SAP Message Server is not protected.
  • The trace level of the SAP Message Server is of value 2 or higher.
  • The ACL file contains an IP address.

SAP Commerce Cloud customers are affected by SAP Security Note #3346500, tagged with a CVSS score of 8.8. This note patches an Improper Authentication vulnerability that allows the creation of new users with empty passphrases. The patch sets the default value of the responsible configuration property “user.password.acceptEmpty” to “false”.

SAP PowerDesigner is also affected by HighPriority Note #3341599.. The patched Code Injection vulnerability is tagged with a CVSS score of 7.8 and allows an attacker with local access to the system to place a malicious library that can be executed by the application. After a successful exploit, attackers can control the behavior of the application. This only affects customers who are using a bundle of SAP SQL Analyzer for PowerDesigner 17 and SAP PowerDesigner 16.7 SP06 PL03.

SAP BusinessObjects and SAP Business One customers are affected by two High Priority Notes each.

SAP Security Note #3317710, tagged with a CVSS score of 7.6, patches a Binary Hijack vulnerability in the SAP BusinessObjects Installer. The vulnerability allows an authenticated attacker within the network to overwrite an executable file created in a temporary directory during the installation process. By replacing this executable with a malicious file, an attacker can completely compromise the confidentiality, integrity, and availability of the system.

SAP Security Note #3312047, tagged with a CVSS score of 7.5, provides a patch for a Denial of Service vulnerability in SAP BusinessObjects Business Intelligence Platform (CMC). The patch includes a newer version of the Apache Commons FileUpload library package that is not affected by CVE-2023-24998

SAP Security Note #3358300 patches a Cross-Site Scripting vulnerability in SAP Business One. The vulnerability is tagged with a CVSS score of 7.6 and allows an attacker to insert malicious code into the content of a web page or application and get it delivered to the client. This could lead to harmful action affecting the confidentiality, integrity, and availability of the application. The patch adds input validation and an enhanced Content Security Policy (CSP) to the affected application scenario.

SAP Security Note #3337797, tagged with a CVSS score of 7.1, patches an SQL Injection vulnerability in the B1i layer of SAP Business One. Keeping the system unpatched allows an authenticated attacker to send crafted queries over the network to read or modify data. 

Further Contribution of the Onapsis Research Labs

In addition to High Priority Note #3344295, the ORL contributed to fixing one Medium Priority and one Low Priority vulnerability.

According to SAP, Security Note #3348000, tagged with a CVSS score of 4.9, patches a Missing Authorization Check vulnerability in SAP NetWeaver AS ABAP and ABAP Platform. A detailed analysis shows that it is more an Improper Authorization Check vulnerability than a Missing Authorization vulnerability. The issue is that the existing authorization check in the affected RFC-enabled function module PFL_READ_FROM_FILE requests a much stronger user authorization than is necessary. This could lead to a privilege escalation since the requested authorization could allow the user to execute other, more critical activities on the system. The patch disables the function module. We therefore recommend checking if it is used in any customer development such as programs that monitor profile parameters. SAP Security Note #3358328, tagged with a CVSS score of 3.7, affects SAP Host Agent. It patches an Information Disclosure vulnerability that is caused by a missing authentication check, allowing an attacker to gather some less sensitive information about the server. SAP recommends upgrading SAP Host Agent to at least version 7.22 PL61 and using one of the supported authentication mechanisms.

Summary & Conclusions

The number of new SAP Security Notes on SAP’s August Patch Day is comparable with the number of last month. The majority of the patched vulnerabilities affect SAP PowerDesigner, SAP BusinessObjects, and SAP Business One. The updated July HotNews Note demonstrates it is critical to pay attention to the exact wording of a Security Note to avoid serious side effects.

SAP Note

Type

Description

Priority

CVSS

3312586

New

[CVE-2023-39440] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform

 

BI-RA-WBI

Medium

4,4

3358300

New

[CVE-2023-39437] Cross-Site Scripting (XSS) vulnerability in SAP Business One

 

SBO-CRO-SEC

High

7,6

3317710

New

[CVE-2023-37490] Binary hijack in SAP BusinessObjects Business Intelligence Suite (installer)

 

BI-BIP-INS

High

7,6

3312047

New

Denial of Service (DoS) vulnerability due to the usage of vulnerable version of Commons FileUpload in SAP BusinessObjects Business Intelligence Platform (CMC)

 

BI-BIP-CMC

High

7,5

3348000

New

[CVE-2023-37492] Missing Authorization check in SAP NetWeaver AS ABAP and ABAP Platform

 

BC-CCM-CNF-PFL

Medium

4,9

3344295

New

[CVE-2023-37491] Improper Authorization check vulnerability in SAP Message Server

 

BC-CST-MS

High

7,5

3341599

New

[CVE-2023-36923] Code Injection vulnerability in SAP PowerDesigner

 

BC-SYB-PD

High

7,8

3341460

New

[CVE-2023-37483] Multiple Vulnerabilities in SAP PowerDesigner

 

BC-SYB-PD

HotNews

9,8

3358328

New

[CVE-2023-36926] Information disclosure vulnerability in SAP Host Agent

 

BC-CCM-HAG

Low

3,7

3350494

New

[CVE-2023-37488] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Process Integration

 

BC-XI-IBF-WU

Medium

6,1

3333616

New

[CVE-2023-37487] Security Misconfiguration vulnerability in SAP Business One (Service Layer)

 

SBO-CRO-SEC

Medium

5,3

3337797

New

[CVE-2023-33993] SQL Injection vulnerability in SAP Business One (B1i Layer)

 

SBO-CRO-SEC

High

7,1

3341934

New

[CVE-2023-37486] Information Disclosure vulnerability in SAP Commerce (OCC API)

 

CEC-SCC-COM-BC-OCC

Medium

5,9

3149794

New

Cross-Site Scripting (XSS) vulnerabilities in jQuery-UI library bundled with SAPUI5

 

CA-UI5-COR

Medium

6,1

3156972

New

URL Redirection vulnerability in SAP S/4HANA (Managed Catalogue Item and Catalogue search)

 

MM-FIO-PUR-REQ-SSP

Low

3,5

2067220

New

[CVE-2023-39436] Information Disclosure in SAP Supplier Relationship Management

 

SRM-EBP-ADM-XBP

Medium

5,8

3346500

New

[CVE-2023-39439] Improper authentication in SAP Commerce Cloud

 

CEC-SCC-PLA-PL

High

8,8

3350297

Update

[CVE-2023-36922] OS command injection vulnerability in SAP ECC and SAP S/4HANA (IS-OIL)

 

IS-OIL-DS-HPM

HotNews

9,1

3331376

Update

[CVE-2023-33989] Directory Traversal vulnerability in SAP NetWeaver (BI CONT ADD ON)

 

BW-BCT-GEN

High

8,7

2032723

Update

Switchable authorization checks for RFC in SRM

 

SRM-EBP-INT

Medium

6,3

As always, the Onapsis Research Labs will update The Onapsis Platform to incorporate the newly published vulnerabilities into the product, so our customers can protect their businesses.

For more information about the latest SAP security issues and our continuous efforts to share knowledge with the security community, view The Defenders Digest–our monthly video recap of ERP security news.