SAP EA-DFPS – Syslog pollution
Impact On Business
By polluting the main SAP system log, an attacker could, among other things:
- Hide malicious activity
- Force the syslog to reach its size limit so that it wraps around and overwrites earlier entries, removing traces of activity
- Add false alerts to create a distraction
Affected Components Description
From the official SAP website: Due to the specific nature of their missions and tasks, armed forces, police, and aid organizations need to be able to use a multilevel system architecture that allows for offline use to perform the following activities from the domestic base for operations and exercises. The Defense Forces & Public Security (DFPS) component enhances the standard SAP functions, thus meeting the requirements outlined above.
Vulnerability Details
The function module /ISDFPS/SYNC_SLOG_WRITE_ENTRY, delivered in the /ISDFPS/SYNC package, can write new entries into the SAP System Log. A default value is set for the Message Key, S9Q, but the caller can specify any Message Key, which allows arbitrary entries to be written into the system log (SM21).
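As an added defensive example (not part of the Onapsis advisory or of SAP's code), the following Python script parses a constructed syslog export and flags the two abuse patterns listed under Impact On Business: a burst of entries large enough to push SM21 toward wraparound, and one user/program writing many distinct message keys within a short window, which a legitimate caller of the sync function module (writing its default S9Q key) would not do. The pipe-separated column layout, the thresholds and the K01..K03 keys are assumptions for the sample, not SAP formats or real message keys.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in an assumed "timestamp|user|program|msgkey|text" layout.
# Real SM21 exports use different columns; adapt parse_syslog() to them.
SAMPLE_LOG = "\n".join(
    ["2023-07-01 10:00:01|DFPSBATCH|/ISDFPS/SYNC|S9Q|sync entry",
     "2023-07-01 10:00:02|DFPSBATCH|/ISDFPS/SYNC|S9Q|sync entry",
     "2023-07-01 10:05:00|ZADMIN|ZTEST|S9Q|test",
     "2023-07-01 10:05:01|ZADMIN|ZTEST|K01|fake alert",   # K01..K03: constructed keys
     "2023-07-01 10:05:01|ZADMIN|ZTEST|K02|fake alert",
     "2023-07-01 10:05:02|ZADMIN|ZTEST|K03|fake alert"]
    + [f"2023-07-01 10:10:{i % 60:02d}|ZFLOOD|ZTEST|S9Q|filler {i}" for i in range(60)]
)

LINE_RE = re.compile(r"^(\S+ \S+)\|([^|]*)\|([^|]*)\|([^|]*)\|(.*)$")


def parse_syslog(text):
    """Parse the assumed pipe-separated export into dicts, skipping malformed lines."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, user, prog, key, msg = m.groups()
        entries.append({"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                        "user": user, "program": prog, "key": key, "text": msg})
    return sorted(entries, key=lambda e: e["time"])


def find_anomalies(entries, window_s=60, flood_threshold=50, key_threshold=3):
    """Return users whose writes look like log flooding (many entries from one
    user/program inside the window) or key spraying (many distinct message keys
    from one user/program inside the window). Thresholds are illustrative."""
    window = timedelta(seconds=window_s)
    recent = defaultdict(deque)            # (user, program) -> deque of (time, key)
    flood, key_spray = set(), set()
    for e in entries:
        q = recent[(e["user"], e["program"])]
        q.append((e["time"], e["key"]))
        while e["time"] - q[0][0] > window:  # drop entries outside the sliding window
            q.popleft()
        if len(q) >= flood_threshold:
            flood.add(e["user"])
        if len({k for _, k in q}) >= key_threshold:
            key_spray.add(e["user"])
    return {"flood": flood, "key_spray": key_spray}
```

Tune the window and thresholds to the normal write rate of the DFPS sync jobs on the system before using the output for alerting.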
Solution
SAP has released SAP Note 3351410 which provides patched versions of the affected components.
The patches can be downloaded from https://me.sap.com/notes/3351410.
Onapsis strongly recommends that SAP customers download the related security fixes and apply them to the affected components in order to reduce business risk.
Report Timeline
- 04/13/2022: Onapsis sends details to SAP
- 04/22/2022: SAP asks for additional information
- 05/02/2022: Onapsis provides requested information
- 06/01/2022: SAP rejects the submission
- 06/02/2022: Onapsis asks SAP to review the submission again, providing more context
- 06/22/2022: SAP rejects the submission again
- 06/28/2023: Onapsis mentions the issue at a security conference
- 07/11/2023: SAP releases the SAP Note fixing the issue
References
- Onapsis blogpost: https://onapsis.com/blog/sap-security-patch-day-july-2023/
- CVE Mitre: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36924
- Vendor Patch: https://me.sap.com/notes/3351410
Advisory Information
- Public Release Date: 07/18/25
- Security Advisory ID: ONAPSIS-2024-0012
- Researcher(s): Yvan Genuer
Vulnerability Information
- Vendor: SAP
- Affected Components:
  - SAP Enterprise Extension Defense Forces & Public Security
    - EA-DFPS 605 Patch 22 and lower
    - EA-DFPS 606 Patch 31 and lower
    - EA-DFPS 617 Patch 26 and lower
    - EA-DFPS 618 Patch 19 and lower
    - EA-DFPS 802 Patch 12 and lower
    - EA-DFPS 803 Patch 10 and lower
    - EA-DFPS 804 Patch 08 and lower
    - EA-DFPS 805 Patch 06 and lower
    - EA-DFPS 806 Patch 04 and lower
    - EA-DFPS 807 Patch 02 and lower
  (Check SAP Note 3351410 for detailed information on affected releases)
- Vulnerability Class: CWE-779
- CVSS v3 score: 4.9 AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
- Risk Level: Medium
- Assigned CVE: CVE-2023-36924
- Vendor patch Information: SAP Security NOTE 3351410
ABOUT OUR RESEARCH LABS
Onapsis Research Labs provides industry analysis of key security issues that impact mission-critical systems and applications.
Delivering frequent and timely security and compliance advisories with associated risk levels, Onapsis Research Labs combines in-depth knowledge and experience to deliver technical and business context with sound security judgment to the broader information security community.
Find all reported vulnerabilities at:
https://github.com/Onapsis/vulnerability_advisories
This advisory is licensed under a Creative Commons 4.0 BY-ND International License