SAPStartSrv – Pre-auth OS Command injection as root or system

Impact On Business

  • If parameter service/localconnection = compat :

Remotely, an unauthenticated attacker could use it to execute arbitrary commands on the OS side as system administrator (root or SYSTEM)

  • If parameter service/localconnection is not set :

Locally, an authenticated attacker with low privileges could use it to execute arbitrary commands on the OS side as administrator leading to leverage privileges.

  • Both scenarios lead to fully compromising all different SAP Systems running on the SAP target system.

Vulnerability Details

The SAP Start Service, listening on port 1128 (http) and 1129 (https) allow unauthenticated users to access several SOAP methods under namespace SAPOsCol or SAPHostControl. One of them, ConfigureOutsideDiscovery doesn’t correctly handle the parameter name where the value is used under an OS command “move” to transfer the configuration file from temporary directory to the final directory. It is possible to inject arbitrary OS commands in this parameter value. The command is executed as an OS administrator user (root or SYSTEM).

Solution

SAP has released SAP Note 3285757 which provides patched versions of the affected components.

The patches can be downloaded from https://me.sap.com/notes/3285757.

Onapsis strongly recommends SAP customers to download the related security fixes and apply them to the affected components in order to reduce business risks.

Report Timeline

  • 11/21/2022: Onapsis sends details to SAP
  • 12/14/2022: SAP disagree the CVSS score
  • 12/15/2022: Onapsis provide more explanation
  • 02/14/2023: SAP releases SAP Note fixing the issue

References

Back to Advisories

Advisory Information

  • Public Release Date: 07/23/25
  • Security Advisory ID: ONAPSIS-2024-0016
  • Researcher(s): Yvan Genuer

Vulnerability Information

  • Vendor: SAP
  • Affected Components: SAP Host Agent
    • SAPHOSTAGENT 7.21
    • SAPHOSTAGENT 7.22 SP058 and lower
      (Check SAP Note 3285757 for detailed information on affected releases)
  • Vulnerability Class: CWE-78 CWE-306
  • CVSS v3 score: 9.0 AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
  • Risk Level: Critical
  • Assigned CVE: CVE-2023-24523
  • Vendor patch Information: SAP Security NOTE 3285757

About our Research Labs

Onapsis Research Labs provides the industry analysis of key security issues that impact mission-critical systems and applications.

Delivering frequent and timely security and compliance advisories with associated risk levels, Onapsis Research Labs combine in-depth knowledge and experience to deliver technical and business-context with sound security judgment to the broader information security community.

Find all reported vulnerabilities at:
https://github.com/Onapsis/vulnerability_advisories

This advisory is licensed under a Creative Commons 4.0 BY-ND International License