Denial of Service and Arbitrary Favorites Modification/Deletion
Impact on Business
An authenticated attacker can cause a denial-of-service condition for other users, preventing them from accessing the system via the SAP GUI. Additionally, the attacker can modify or delete user-specific favorite nodes, leading to operational disruption and loss of convenience features for the affected business users.
Vulnerability Details
A remote-enabled function module within SAP BEx, BX_FAVOS_WRITE_ALL_NODES, fails to perform sufficient authorization checks and lacks proper validation of user-controlled keys. This allows a low-privileged authenticated attacker to target other users in the system.
By submitting specially crafted requests to this function module, an attacker can modify or delete the favorite nodes of any targeted user. Furthermore, the vulnerability can be leveraged to trigger a resource exhaustion condition (specifically heap memory exhaustion) within the targeted user’s session.
This results in a crash of the SAP GUI and prevents the affected user from successfully logging back into the system, leading to a denial of service.
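As an added illustration (not SAP's own code and not the patched BX_FAVOS_WRITE_ALL_NODES), the hypothetical RFC-enabled function module below shows the two controls whose absence the advisory describes: the user key is bound to the logged-on caller rather than taken from the request, and an explicit authorization check guards the write. The function name, the table ZFAV_NODES, its table type ZTT_FAV_NODES, the authorization object ZFAVWR and the node limit are all assumptions; the size bound is an illustrative mitigation for the resource-exhaustion path, not the vendor's fix.

```abap
" Hypothetical hardened favorites writer (assumed names throughout).
" Contrast with the vulnerable pattern: writing to whatever user key the
" RFC caller supplies, with no authorization check and no payload bound.
FUNCTION z_favos_write_nodes_safe.
*"----------------------------------------------------------------------
*"*"Local Interface:
*"  IMPORTING
*"     VALUE(iv_user) TYPE syuname
*"     VALUE(it_nodes) TYPE ztt_fav_nodes      " table type over ZFAV_NODES (assumed)
*"  EXCEPTIONS
*"     not_authorized
*"     too_many_nodes
*"----------------------------------------------------------------------
  CONSTANTS lc_max_nodes TYPE i VALUE 1000.   " assumed upper bound

  " Control 1: never trust a user key supplied by the caller.
  " A request naming another user is rejected instead of acted on.
  IF iv_user <> sy-uname.
    RAISE not_authorized.
  ENDIF.

  " Control 2: explicit authorization check (assumed custom object ZFAVWR,
  " activity 02 = change), evaluated for the logged-on user.
  AUTHORITY-CHECK OBJECT 'ZFAVWR'
    ID 'ACTVT' FIELD '02'.
  IF sy-subrc <> 0.
    RAISE not_authorized.
  ENDIF.

  " Bound the payload so that an oversized favorites tree cannot
  " exhaust memory when the owner's session later loads it.
  IF lines( it_nodes ) > lc_max_nodes.
    RAISE too_many_nodes.
  ENDIF.

  " Force the key column of every row to the caller, whatever was sent,
  " then replace only the caller's own favorites.
  DATA(lt_rows) = it_nodes.
  LOOP AT lt_rows ASSIGNING FIELD-SYMBOL(<ls_row>).
    <ls_row>-uname = sy-uname.
  ENDLOOP.
  DELETE FROM zfav_nodes WHERE uname = @sy-uname.
  INSERT zfav_nodes FROM TABLE @lt_rows.
ENDFUNCTION.
```

When reviewing a custom or vendor RFC module, the three checks above (caller-bound key, AUTHORITY-CHECK, bounded input) are the points to look for; any one of them missing reproduces a part of the weakness described in this advisory.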
Solution
SAP has released SAP Note 3488039, which provides patched versions of the affected components.
The patches can be downloaded from https://me.sap.com/notes/3488039.
Onapsis strongly recommends that SAP customers download the related security fixes and apply them to the affected components in order to reduce business risk.
Report Timeline
- 06/04/2024: Onapsis reports vulnerability to SAP
- 09/10/2024: SAP issues the patch
References
- Onapsis blogpost https://onapsis.com/blog/sap-security-notes-september-2024-patch-day/
- CVE Mitre https://www.cve.org/CVERecord?id=CVE-2024-45285
- CVE NIST https://nvd.nist.gov/vuln/detail/CVE-2024-45285
- Vendor Patch https://me.sap.com/notes/3488039
Advisory Information
- Public Release Date: 03/13/2026
- Security Advisory ID: ONAPSIS-2024-0008
- Researcher(s): Adrian Rădulescu
Vulnerability Information
- Vendor: SAP
- Affected Components:
  - SAP NetWeaver ABAP
  - SAP Business Explorer (BEx)
  (Check SAP Note 3488039 for detailed information on affected releases)
- Vulnerability Class: CWE-284: Improper Access Control
- CVSS v3 score: 5.4 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L)
- Risk Level: Medium
- Assigned CVE: CVE-2024-45285
- Vendor Patch Information: SAP Security Note 3488039
Affected Components Description
The vulnerability affects components within SAP NetWeaver ABAP that support the Business Explorer (BEx) functionality. Specifically, it involves the management of user-defined favorite nodes and menu structures within the SAP GUI environment.
About our Research Labs
Onapsis Research Labs provides industry analysis of key security issues that impact mission-critical systems and applications. Delivering frequent and timely security and compliance advisories with associated risk levels, Onapsis Research Labs combines in-depth knowledge and experience to deliver technical and business context with sound security judgment to the broader information security community.
Find all reported vulnerabilities at: https://github.com/Onapsis/vulnerability_advisories
This advisory is licensed under a Creative Commons 4.0 BY-ND International License
