SAP Security Patch Day June 2022: Improper Access Control

SAP Security Notes Blog

Highlights of June SAP Security Notes analysis include:

  • June Summary—17 new and updated SAP security patches released, including one HotNews notes and three High Priority notes
  • Onapsis Contribution—Onapsis Research Labs supported SAP in patching one Medium Priority Note
  • New CISA Alert— The U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) lists three well known vulnerabilities 

SAP has released 17 new and updated SAP Security Notes in its June 2022 patch release, including the notes that were released since last SAP Patch Day. As part of this month’s patch release, there is one HotNews note and three High Priority notes.

HotNews Note #2622660 is the continuously recurring SAP Security Note for SAP Business Client that provides a patch that contains the latest tested Chromium release 101.0.4951.54. SAP Business Client customers already know that updates of this note always contain important fixes that must be addressed. The note references 82 Chromium fixes and it states a maximum CVSS score of 10.0 for the patched vulnerabilities. For the last two listed vulnerabilities, there is no CVSS score assigned yet but Google has noted that customers should be  aware of publicly available exploits for some of these vulnerabilities.

High Priority note #3158375 reports an Improper Access Control of SAPRouter affecting SAP NetWeaver and ABAP Platform rated with a CVSS score of 8.6. A permissive configuration of the route permission table may allow an unauthenticated attacker to bypass the protection to execute administration commands on the systems connected to the SAPRouter, compromising the availability of the systems. SAP provides a workaround that consists of hardening the route permission table, removing the wildcards from entries of type ‘P’ and ‘S’. Nevertheless, this is a temporary solution and SAP recommends implementing the patch provided in the note.

Another Improper Access Control is reported in the High Priority note #3147498. In this case, it affects SAP NetWeaver AS Java and has a CVSS score of 8.2. The availability of the systems can be compromised, but there is no workaround possible, so the patch should be implemented to fix the vulnerability.

The third High Priority note #3197005, tagged with CVSS score of 7.8, patches a potential Privilege Escalation in SAP PowerDesigner Proxy.

Finally, SAP Security Note #3202846, patches new multiple Log4j vulnerabilities affecting a component in SAP NetWeaver Developer Studio has a low impact.

Onapsis Contribution to June Patch Day

The Onapsis Research Labs contributed this time in patching one Medium Priority vulnerability:

SAP Security Note #3194674, rated with a CVSS score of 5.0, patches a Server Side Request Forgery vulnerability in the Kernel of SAP Application Server ABAP/Java, and in the SAP Host Agent. SAP and Onapsis Research Labs found a low impact on a system’s confidentiality when exploiting the vulnerability. The attack is one of low complexity and the attacker only needs minimal privileges to execute. 

The SAP note provides patches for all affected components, as a complete update of the components, and as a HotFix, if it is not possible to perform the update immediately. The patch blocks the execution of the vulnerable sapcontrol web functionality.

New CISA Alert in June

The Onapsis Research Labs has detected exploitation activity related to three vulnerabilities that were already patched by SAP. As a result, the U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) added these vulnerabilities to their Catalog of Known Exploited Vulnerabilities. SAP has already released patches for all of them:

  • SAP Note #2101079: Potential modif./disclosure of persisted data in BC-ESI-UDDI
  • SAP Note #2256846: Potential information disclosure relating to usernames
  • SAP Note #3084487: [CVE-2021-38163] Unrestricted File Upload vulnerability in SAP NetWeaver (Visual Composer 7.0 RT) 

It is highly recommended to monitor your SAP systems and make sure the three vulnerabilities are properly patched. For more information and details, please refer to our blog post.

Summary & Conclusions

This month, SAP focused on patching Missing Authorization Checks and Privilege Escalation vulnerabilities. The Onapsis Research Labs contributed to patching one vulnerability, rated with Medium Priority.

As always, the Onapsis Research Labs is continuously updating The Onapsis Platform to incorporate the newly published vulnerabilities into the product so that our customers can stay ahead of ever-evolving threats and protect their businesses.

For more information about the latest SAP security issues and our continuous efforts to share knowledge with the security community, subscribe to our monthly Defender’s Digest Onapsis Newsletter.