SBN

SAP Security Patch Day: May 2023

SAP Security Patch Day: May 2023

SAP Security Patch Day: May 2023

ltabo

Tue, 05/09/2023 – 14:36

 

Highlights of May SAP Security Notes analysis include twenty-five new and updated SAP security patches released, including three HotNews Notes and nine High Priority Notes. Several critical vulnerabilities in SAP 3D Visual Enterprise License Manager’s web interface should be paid close attention. This month also marks the fourth time in a row that Onapsis Research Labs has directly contributed to SAP Patch Tuesday.

HotNews Notes released for SAP 3D Visual Enterprise License Manager and SAP BusinessObjects

SAP has published twenty-five new and updated Security Notes on its May Patch Day (including the notes that were released or updated since last Patch Tuesday.) This includes three HotNews Notes and nine High Priority Notes. 

One of the three HotNews Notes is the regularly recurring SAP Security Note #2622660 that provides an update for SAP Business Client including the latest supported Chromium patches. SAP Business Client now supports Chromium version 112.0.5615.121 which fixes twenty-six vulnerabilities in total including thirteen High Priority vulnerabilities. The maximum CVSS value of all fixed vulnerabilities is 9.8. Version 112.0.5615.121 was an emergency security update by Google that fixes a critical vulnerability tracked as CVE-2023-2033. Google confirmed that “an exploit for CVE-2023-2033 exists in the wild”. Based on NIST’s description of the flaw, the vulnerability allows “a remote attacker to potentially exploit heap corruption via a crafted HTML page.”  

Two of the High Priority SAP Notes, #3217303 and #3213507, are part of a series of five SAP Security Notes that were initially released in 2022, all patching Information Disclosure vulnerabilities in SAP BusinessObjects. The update explains that HotNews Note #3307833, replaces these five notes. More details can be found in the following HotNews section.

 

The New HotNews Notes in Detail

SAP Security Note #3328495, tagged with a CVSS score of 9.8, patches five vulnerabilities in version 14.2 of the Reprise License Manager(RLM) component used with SAP 3D Visual Enterprise License Manager. The following table provides a summary of the patched vulnerabilities: 

SAP Security Patch Day May 2023 identifies twenty-five new and updated security patches

 

 

CVE

CWE-ID

CWE Description

CVSS Score

CVE-2021-44151

CWE-384

Session Fixation

7.5

CVE-2021-44152

CWE-287

Improper Authentication

9.8

CVE-2021-44153

7.2

CVE-2021-44154

CWE-120

Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’)

7.2

CVE-2021-44155

CWE-209

Generation of Error Message Containing Sensitive Information

5.3

 
More details can be found above in the referenced CVE and CWE links above.

The SAP Note recommends updating SAP 3D Visual Enterprise License Manager to version 15.0.1-sap2. However, it looks like disabling the affected RLM web interface is the decisive activity to solve the issues, since the recommended patch was already released in January 2023. Disabling the web interface is also described as a possible work around. However, it is always a good idea to keep all components up-to-date. The update process provides an option to apply the newest version with disabled web interface and thus replaces the manual steps that would otherwise be necessary.

SAP Security Note #3307833, tagged with a CVSS score of 9.1, includes multiple patches for  Information Disclosure vulnerabilities in SAP BusinessObjects Business Intelligence Platform. The newest and most critical one “allows an authenticated attacker with administrator privileges to get the login token of any logged-in BI user or server over the network without any user interaction. The attacker can impersonate any user on the platform resulting in accessing and modifying data. The attacker can also make the system partially or entirely unavailable”. Note #3307833 also replaces SAP Security Notes #3217303, #3145769, #3213524, #3213507, and #3233226. All notes were initially released in 2022 and updated on SAP’s May Patch Day. The update comes with two important statements:

  • Customers who have already implemented these SAP Security Notes should also implement SAP Security Note #3307833 for a complete fix.
     
  • Customers who have not yet implemented all of these SAP Security Notes should directly implement SAP Security Note #3307833.

 

High Priority SAP Security Notes

SAP Security Note #3317453, tagged with a CVSS score of 8.2, patches an Improper Access Control vulnerability in SAP NetWeaver AS JAVA. The vulnerability allows an unauthenticated attacker to attach to an open interface and make use of an open naming and directory API. They can then instantiate an object which has methods which can be called without further authorization and authentication. A subsequent call to one of these methods can read or change the state of existing services, causing high impact on the system’s integrity and low impact on its confidentiality.

The vulnerability was patched by SAP in collaboration with the Onapsis Research Labs. It is part of a series of other vulnerabilities– named P4CHAINS–that were patched by SAP in the last few months in cooperation with the Onapsis Research Labs. More information can be found here

Another CVSS 8.2 vulnerability was patched with SAP Security Note #3323415. The note fixes a Privilege Escalation vulnerability in the installer of SAP IBP add-in for Microsoft Excel. If not patched, it allows an authenticated attacker to add an InstallScript custom action to a Basic MSI or InstallScript MSI project in order to extract binary files to a predefined writable folder during installation. Due to a privilege escalation, an attacker can run code as an administrator that could lead to a high impact on the confidentiality, integrity, and availability of the system.

The note says that “Users that have already installed the Excel add-in are not affected. Only newly started installations are exploitable.” This seems to be a very vague statement since customers who have used the unpatched installer in the past might already have become a victim of an exploit. 

SAP Security Note #3320467, tagged with a CVSS score of 7.5, is potentially the High Priority Note of SAP’s May Patch Day that affects most SAP customers since it affects SAPGUI. It patches a vulnerability that allows an unauthorized attacker to gain NTLM authentication information from a user by tricking it into clicking a prepared shortcut file. Depending on the authorizations of the user, the attacker can read and modify potentially sensitive information after successful exploitation. 

SAP Commerce is affected by two High Priority Notes, both tagged with a CVSS score of 7.5.

SAP Security Note #3321309 patches an Information Disclosure vulnerability in SAP Commerce Backoffice. The vulnerability allows an attacker to access information via a crafted POST request that would otherwise be restricted, impacting the confidentiality of the system.

SAP Security Note #3320145 provides a patch that includes a fixed version of the XStream library. Older versions of this library were vulnerable to CVE-2022-41966 allowing a remote attacker to terminate the application with a stack overflow error, resulting in a denial of service.

SAP Security Note #3300624, tagged with a CVSS score of 7.5, solves an issue in SAP PowerDesigner that can lead to a high impact on the availability of the application. The vulnerability allows an attacker to send a crafted request from a remote host to the proxy machine and crash the proxy server, due to faulty implementation of memory management, causing memory corruption.

SAP Security Note #3326210, tagged with a CVSS score of 7.1, patches an Improper Neutralization vulnerability in the sap.m.FormattedText SAPUI5 control, allowing an attacker to read or modify user’s information through a phishing attack.  

Summary and Conclusion

With twenty-five new and updated SAP Security Notes, including three HotNews Notes and nine High Priority Notes, SAP’s May Patch Day is a busy one. Special attention should be paid to SAP Note #3307833 since it represents the final fix for five older SAP Security Notes.  

SAP Note

Type

Description

Priority

CVSS

3117978

Update

[CVE-2023-29111] Information Disclosure vulnerability in SAP Application Interface Framework (ODATA service)

 

BC-SRV-AIF

Low

3,1

3326210

New

[CVE-2023-30743] Improper Neutralization of Input in SAPUI5

 

CA-UI5-CTR-BAL

High

7,1

3315979

New

[CVE-2023-29188] Cross-Site Scripting (XSS) vulnerability in SAP CRM WebClient UI

 

CA-WUI-CON

Medium

5,4

3309935

New

[CVE-2023-30741] Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence platform

 

BI-BIP-INV

Medium

6,1

3313484

New

[CVE-2023-30740] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence platform

 

BI-BIP-INV

Medium

6,3

3328495

New

Multiple vulnerabilities associated with Reprise License Manager 14.2 component used with SAP 3D Visual Enterprise License Manager

 

CA-VE

HotNews

9,8

3317453

New

[CVE-2023-30744] Improper access control during application start-up in SAP AS NetWeaver JAVA

 

BC-JAS-EJB

High

8,2

3315971

New

[CVE-2023-30742] Cross-Site Scripting (XSS) vulnerability in SAP CRM (WebClient UI)

 

CA-WUI-UI-TAG

Medium

6,1

3307833

New

[CVE-2023-28762] Information Disclosure in SAP BusinessObjects Business Intelligence Platform (Central Management Console)

 

BI-BIP-SRV

HotNews

9,1

3323415

New

[CVE-2023-29080] Privilege escalation vulnerability in SAP IBP, add-in for Microsoft Excel

 

SCM-IBP-XLS

High

8,2

3320467

New

[CVE-2023-32113] Information Disclosure vulnerability in SAP GUI for Windows

 

BC-FES-GUI

High

7,5

3320145

New

Denial of service (DOS) in SAP Commerce

 

CEC-COM-CPS-OTH

High

7,5

3319400

New

[CVE-2023-31406] Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence platform

 

BI-BIP-INV

Medium

6,1

3302595

New

[CVE-2023-28764] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence platform

 

BI-BIP-IDT

Low

3,7

3300624

New

[CVE-2023-32111] Memory Corruption vulnerability in SAP PowerDesigner (Proxy)

 

BC-SYB-PD

High

7,5

3312892

New

[CVE-2023-31407] Cross-Site Scripting (XSS) vulnerability in SAP Business Planning and Consolidation

 

EPM-BPC-NW-DOC

Medium

5,4

2335198

New

[CVE-2023-32112] Missing Authorization Check in Vendor Master Hierarchy

 

LO-MD-BP-VM

Low

2,8

3321309

New

Information Disclosure vulnerability in SAP Commerce (Backoffice)

 

CEC-COM-CPS-OTH

High

7,5

2622660

Update

Security updates for the browser control Google Chromium delivered with SAP Business Client

 

BC-FES-BUS-DSK

HotNews

10,0

3038911

New

[CVE-2023-31404] Information Disclosure in SAP BusinessObjects Business Intelligence Platform (Central Management Service)

 

BI-BIP-ADM

Medium

5,0

3233226

Update

[CVE-2022-35296] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Version Management System)

 

BI-BIP-LCM

Medium

6,8

3217303

Update

[CVE-2022-39014] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (CMC)

 

BI-BIP-SRV

High

7,7

3213524

Update

[CVE-2022-32244] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Commentary DB)

 

BI-BIP-CMC

Medium

6,0

3213507

Update

[CVE-2022-31596] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Monitoring DB)

 

BI-BIP-ADM

High

8,2

3145769

Update

[CVE-2022-27667] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (CMC)

 

BI-BIP-ADM

Medium

5,3

  

Onapsis Research Labs automatically updates The Onapsis Platform with the latest threat intelligence and security guidance so that our customers can stay ahead of ever-evolving threats and protect their businesses.

For more information about the latest SAP security issues and our continuous efforts to share knowledge with the security community, check out our previous Patch Day blogs and subscribe to our monthly Defenders Digest Newsletter.

*** This is a Security Bloggers Network syndicated blog from onapsis.com/ authored by ltabo. Read the original post at: https://onapsis.com/blog/sap-patch-day-may-2023