SAP vulnerabilities Let Attacker Inject OS Commands—Patch Now!

SAP has released its updates for this month's Patch Day, fixing several vulnerabilities and updating existing CVE notes. The severity of the patched bugs ranges from 4.5 (Medium) to 10.0 (Critical).

The most critical vulnerability, which was given the highest priority, relates to the Chromium browser control delivered with SAP Business Client.

Critical Severity Vulnerabilities

Excluding the Chromium browser control vulnerabilities, the other critical severity vulnerabilities include:

SAP ECC and SAP S/4HANA (IS-OIL) (IS-OIL-DS-HPM): 

This is an OS command injection vulnerability caused by an unprotected parameter in a common extension. It has been assigned CVE-2023-36922 and a CVSS score of 9.1 (Critical).

High Severity Vulnerabilities

SAP NetWeaver (BI CONT ADD ON) (BW-BCT-GEN): 

This is a Directory Traversal vulnerability that can allow a threat actor to read OS files, which could also be overwritten to compromise the system. It has been assigned CVE-2023-33989 and a CVSS score of 8.7 (High).

SAP Web Dispatcher (BC-CST-WDP):

This is a Request Smuggling and request concatenation vulnerability that can allow a threat actor to read or modify data, or make the server temporarily unavailable. It has been assigned CVE-2023-33987 and a CVSS score of 8.6 (High).

SAP SQL Anywhere (BC-SYB-SQA-SRV):

This is a Denial of Service (DoS) vulnerability in shared memory objects that allows a low-privileged attacker with local system access to crash the service, making the system unavailable to legitimate users.

It has been assigned CVE-2023-33990 and a CVSS score of 7.8 (High).

SAP Web Dispatcher (BC-CST-WDP):

This is a Memory Corruption vulnerability in which logical errors in memory management allow a threat actor to corrupt memory, which can also result in information disclosure or a system crash. It has been assigned CVE-2023-35871 and a CVSS score of 7.7 (High).

SAP Solution Manager (Diagnostics agent) (SV-SMG-DIA-SRV-AGT):

These are an unauthenticated SSRF vulnerability and a header injection vulnerability. The SSRF vulnerability allows an unauthenticated threat actor to make malicious HTTP requests, impacting availability and confidentiality.

The header injection vulnerability, on the other hand, allows an attacker to serve poisoned content to the server by tampering with the headers of a client request.

These two vulnerabilities have been assigned CVE-2023-36925 and CVE-2023-36921, with a CVSS score of 7.2 for both.

Medium Severity Vulnerabilities

| Vulnerability Name | CVE ID | Description |
|---|---|---|
| SAP NetWeaver Process Integration (BC-XI-IS-WKB) | CVE-2023-35872, CVE-2023-35873 | Certain functionalities in the Message Display Tool of SAP NetWeaver Process Integration do not have authentication mechanisms. |
| SAP NetWeaver AS ABAP and ABAP Platform (BC-MID-RFC) | CVE-2023-35874 | Improper authentication under some conditions that require user identity, which allows malicious actors to target the network and extend the scope of impact. |
| SAP Enable Now (KM-SEN-MGR) | | Multiple vulnerabilities were addressed in this product. |
| SAP S/4HANA (Manage Journal Entry Template) (FI-FIO-GL-TRA) | CVE-2023-35870 | Journal entry template creation can be intercepted and changed, impacting confidentiality and integrity. It can also lead to deletion of standard templates. |
| SAP BusinessObjects Business Intelligence Platform (BI-BIP-SRV) | CVE-2023-36917 | No rate limit on the password change functionality, allowing brute force of the old password on a hijacked session. |
| SAP NetWeaver AS for Java (Log Viewer) (BC-JAS-SEC) | CVE-2023-31405 | An unauthenticated request by a threat actor can lead to unwarranted modifications of a system log without user interaction. |
| SAP ERP Defense Forces and Public Security (IS-DFS-BIT-DIS) | CVE-2023-36924 | An authenticated attacker can write arbitrary data to the syslog file with admin privileges enabled, compromising application integrity. |
| SAP Business Warehouse and SAP BW/4HANA (BW-BEX-OT-BICS-PROV) | CVE-2023-33992 | Exposure of unauthorized cell values; exploitation requires authorizations at the query and key figure/measure level. |

Users of these products are advised to follow the SAP security advisory and apply the patches accordingly to prevent exploitation by threat actors.


Eswar is a cyber security reporter with a passion for creating captivating and informative content. With years of experience in cyber security, he reports on data breaches, privacy and APT threats.