SAP Security Notes, August 2023

Inprosec through its services, such as the SAP Security Assessment, helps its customers to improve the security levels of their SAP systems.

August 2023 notes

Summary and highlights of the month

The total number of notes/patches was 18, the same as last month. The number of Hot News was 2, the same as last month. On the other hand, it is worth noting that the number of high criticality notes has increased from 7 to 8. As usual we will leave the medium and low notes unchecked this month, but we will give details of a total of 10 notes (all those with a CVSS of 7 or higher).

We have a total of 18 notes for the whole month (the 18 from patch Tuesday, 15 new and 3 updates, are the same number of notes as last patch Tuesday).

We will review in detail 10 of the total 10 high notes and HotNews, 1 of the 2 HotNews is new and 7 of 8 high notes would be new (those of CVSS greater than or equal to 7).

1. The most critical note of the month (with CVSS 9.8), is a HotNew related to “Multiple Vulnerabilities in SAP PowerDesigner”.
2. The next criticality note (with CVSS 9.1), a HotNew, is an update of a note published last July, related to “OS command injection vulnerability in SAP ECC and SAP S/4HANA”.
3. The following criticality note (with CVSS 8.8) is related to “Improper authentication in SAP Commerce Cloud“.
4. The following note in criticality (with CVSS 8.7), is an update of a note published last July, related to “Directory Traversal vulnerability in SAP NetWeaver (BI CONT ADD ON)“
5. The following criticality score (with CVSS 7.8) is a high score related to “Code Injection vulnerability in SAP PowerDesigner“.
6. The following criticality scores (with CVSS 7.6) are two high scores, one related to “Cross-Site Scripting (XSS) vulnerability in SAP Business One” and the other to “Binary hijack in SAP BusinessObjects Business Intelligence Suite (installer)“.
7. The following criticality scores (with CVSS 7.5) are two high scores, one related to “Denial of Service (DoS) vulnerability due to the usage of vulnerable version of Commons FileUpload in SAP BusinessObjects Business Intelligence Platform (CMC)” and the other to “Improper Authorization check vulnerability in SAP Message Server“.
8. The next note in criticality (with CVSS 7.1), is a high note related to “SQL Injection vulnerability in SAP Business One (B1i Layer)“.
9. This month the most predominant type is “Information Disclosure vulnerability” (4/18 in patch day).

In the graph (post August 2023 from SAP) we can see the ranking of the notes of August in addition to the evolution and ranking of the last 5 previous months (only the notes of Sec. Tuesday / Patch Day – by SAP):

Full details

The complete detail of the most relevant notes is as follows:

• Multiple Vulnerabilities in SAP PowerDesigner (3341460): SAP PowerDesigner queries all password hashes in the backend database and compares it with the user provided one during login attempt, which might allow an attacker to access password hashes from the client’s memory. solution is to upgrade both the client and the proxy. CVSS v3 Base Score: 9,8 / 10 [CVE-2023-37483].
• Update – OS command injection vulnerability in SAP ECC and SAP S/4HANA (IS-OIL) (3350297): Due to programming error in function module and report, IS-OIL component in SAP ECC and SAP S/4HANA allows an authenticated attacker to inject an arbitrary operating system command into an unprotected parameter in a common (default) extension.  On successful exploitation, the attacker can read or modify the system data as well as shut down the system This note has been re-released with updated ‘Symptom and Reason and Prerequisites’ information. CVSS v3 Base Score: 9,1 / 10 [CVE-2023-36922].
• Improper authentication in SAP Commerce Cloud (3346500): Certain configurations of SAP Commerce Cloud may accept an empty passphrase for user ID and passphrase authentication, allowing users to log into the system without a passphrase. This vulnerability only affects active user accounts that have an empty passphrase. Other user accounts that have a valid passphrase set are not affected. Note contains a workaround. CVSS v3 Base Score: : 8,8 / 10 [CVE-2023-39439].
• Update – Directory Traversal vulnerability in SAP NetWeaver (BI CONT ADD ON) (3331376): An attacker with non-administrative authorizations can exploit a directory traversal flaw to over-write system files. Data from confidential files cannot be read but potentially some OS files can be over-written leading to system compromise. This note has been re-released with updated ‘Correction instruction’ information. CVSS v3 Base Score: 8,7 / 10 [CVE-2023-33989].
• Code Injection vulnerability in SAP PowerDesignerProduct (3341599): SAP SQLA for PowerDesigner 17 bundled with SAP PowerDesigner 16.7 SP06 PL03, allows an attacker with local access to the system, to place a malicious library, that can be executed by the application. An attacker could thereby control the behavior of the application. There are two reasons for this vulnerability, SAP PowerDesigner Client connecting to bundled “SQL Anywhere for PowerDesigner” through ODBC could lead to command injection and SAP PowerDesigner Proxy connecting to bundled “SQL Anywhere for PowerDesigner” through ODBC could lead to command injection with priviledge escalation. Note contains a workaround.  CVSS v3 Base Score: 7,8 / 10 [CVE-2023-36923].
• Cross-Site Scripting (XSS) vulnerability in SAP Business One (3358300): Cross-site scripting (XSS) in SAP business One allows an attacker to insert malicious code into the content of a web page or application and gets it delivered to the client. This could lead to harmful action affecting the Confidentiality, Integrity and Availability of the application. CVSS v3 Base Score: 7,6 / 10 [CVE-2023-39437].
• Binary hijack in SAP BusinessObjects Business Intelligence Suite (installer)(3317710): SAP Business Objects Installers allows an authenticated attacker within the network to overwrite an executable file created in a temporary directory during the installation process. On replacing this executable with a malicious file, an attacker can completely compromise the confidentiality, integrity, and availability of the system. CVSS v3 Base Score: 7,6 / 10 [CVE-2023-37490].
• Denial of Service (DoS) vulnerability due to the usage of vulnerable version of Commons FileUpload in SAP BusinessObjects Business Intelligence Platform (CMC)(3312047): SAP BusinessObjects Business Intelligence Platform (CMC) is using a vulnerable version of commons-fileupload which is vulnerable to Denial of Service due to CVE-2023-24998. . CVSS v3 Base Score: 7,5 / 10
• Improper Authorization check vulnerability in SAP Message Server (3344295): The ACL (Access Control List) of SAP Message Server can be bypassed in certain conditions, which may enable an authenticated malicious user to enter the network of the SAP systems served by the attacked SAP Message server. This may lead to unauthorized read and write of data as well as rendering the system unavailable. Affected versions of SAP Message Server are 7.22 to 7.77 and certain preconditions have to be met to exploit,

SAP Message Server is only protected by an ACL; the profile parameter system/secure_communication is set to OFF; the internal port of the SAP Message Server is not protected; the trace level of the SAP Message Server is of value 2 or higher and The ACL file contains an IP address. Note contains a workaround. CVSS v3 Base Score: 7,5 / 10 [CVE-2023-37491].

• SQL Injection vulnerability in SAP Business One (B1i Layer) (3337797): B1i module of SAP Business One application allows an authenticated user with deep knowledge to send crafted queries over the network to read or modify the SQL data. On successful exploitation, the attacker can cause low impact on confidentiality, high impact on the integrity and availability of the application. CVSS v3 Base Score: 7,1 / 10 [CVE-2023-33993]

Reference links

Other references, from SAP and Onapsis (August):

Digital Library (sap.com)

SAP Security Patch Day for August 2023 | Onapsis

Resources affected