SAP Security Notes, February 2024

Inprosec through its services, such as the SAP Security Assessment, helps its customers to improve the security levels of their SAP systems.

February 2024 notes

Summary and highlights of the month

The total number of notes/patches has been 16, 4 more than last month. The number of Hot News has been 2, 1 less than last month. On the other hand, it is worth noting that the number of high criticality notes has increased compared to last month: 6 this month. As always, we will leave the medium and low notes unchecked, but will detail a total of 8 notes (all those with a CVSS of 7 or higher).

We have a total of 16 notes for the entire month (the 16 from Patch Tuesday, 13 new ones and 3 updates, which are 4 more notes than the last Patch Tuesday).

We will review in detail a total of 8 notes, the 2 HotNews of this month: 1 new and 1 update, and the 6 high notes: 5 of them new and 1 update (those with CVSS greater than or equal to 7).

• The most critical note of the month (with a CVSS of 10) is an update of the usual note related to “Google Chromium“.
• The next in criticality (CVSS 9.1) is a HotNews related to “Code Injection vulnerability in SAP ABA (Application Basis)“.
• The next in criticality (with CVSS 8.8) is a high note related to “Cross Site Scripting vulnerability in NetWeaver AS Java (User Admin Application)“.
• The next in criticality (with CVSS 8.6) is a high note related to “XXE vulnerability in SAP NetWeaver AS Java (Guided Procedures)“.
• The following in criticality (with CVSS 7.6, 7.3, and 7.3 respectively) are related to “Cross-Site Scripting (XSS) vulnerability in SAP CRM (WebClient UI)”, “Code Injection vulnerability in SAP IDES Systems”, “Improper Certificate Validation in SAP Cloud Connector”, and “Information disclosure vulnerability in SAP GUI for Windows and SAP GUI for Java”.
• This month the most predominant type is related to “Cross-Site Scripting (XSS)” (5/16 on patch day).

In the graph, we can see the classification of the February notes, in addition to the evolution and classification of the last 5 previous months (only the notes from Sec. Tuesday / Patch Day – by SAP).

Full details

The complete detail of the most relevant notes is as follows:

1.  Update -Security updates for the browser control Google Chromium delivered with SAP Business Client (2622660): This security note addresses multiple vulnerabilities in the 3rd party web browser control Chromium, which can be used within SAP Business Client. This note will be modified periodically based on web browser updates by the open-source project Chromium. The note priority is based on the highest CVSS score of all the vulnerabilities fixed in the latest browser release. If the SAP Business Client release is not updated to the latest patch level, displaying web pages in SAP Business Client via this open-source browser control might lead to different vulnerabilities like memory corruption, Information Disclosure and the like. The solution will be to update the SAP Business Client patch to the newest one, which contains the most current stable major release of the Chromium browser control, which passed the SAP internal quality measurements of SAP Business Client. The note has been re-released with updated ‘Solution’ and ‘Support Packages & Patches’ information. CVSS v3 Base Score: 10 / 10 (Multiple CVE´s).
2. Code Injection vulnerability in SAP ABA (Application Basis) (3420923): An authenticated attacker can exploit a vulnerable interface to perform unauthorized actions, which could compromise data and affect system availability; it is recommended to implement additional measures besides securing the S_RFC authorization object to mitigate this risk in CA-SUR. The solution is to implement support package or remediation instructions. CVSS v3 Base Score: 9,1 / 10 [CVE-2024-22131].
3. Cross Site Scripting vulnerability in NetWeaver AS Java (User Admin Application) (3417627): SAP NetWeaver AS for Java User Admin application has an XSS vulnerability due to insufficient validation and encoding of URL parameters, with high impact on confidentiality and low impact on integrity and availability. CVSS v3 Base Score: 8,8 / 10 [CVE-2024-22126].
4. XXE vulnerability in SAP NetWeaver AS Java (Guided Procedures) (3426111): SAP NetWeaver AS Java (CAF – Guided Procedures) has a vulnerability that allows an unauthenticated attacker to access sensitive files and data through a malicious XML request, but cannot modify them. CVSS v3 Base Score: 8,6 / 10 [CVE-2024-24743].
5. Cross-Site Scripting (XSS) vulnerability in SAP CRM (WebClient UI) (3410875): The print preview option in SAP CRM WebClient has a Cross-Site Scripting vulnerability due to insufficient encryption of user input, which could be exploited by a low-privileged attacker to impact data confidentiality and integrity. CVSS v3 Base Score: 7,6 / 10 [CVE-2024-22130].
6. Code Injection vulnerability in SAP IDES Systems (3421659): SAP IDES ECC systems have a vulnerability that allows the execution of arbitrary program code by the user, which could be exploited by an attacker. The solution involves removing the vulnerable code through changes to the transport and it is recommended not to install the IDES demo system on the same network as the productive environment and to always separate the demo environments from the productive ones, as well as to avoid installing real master data on the IDES system. CVSS v3 Base Score: 7,4 / 10 [CVE-2024-22132].
7. Improper Certificate Validation in SAP Cloud Connector (3424610): Incorrect certificate validation in SAP Cloud Connector allows an attacker to spoof authentic servers, breaking mutual authentication and possibly intercepting requests to view or modify sensitive information. The fix is available as of SAP Cloud Connector 2.16.2, with no impact on system availability. 7,4 / 10 [CVE-2024-22642].
8. Update – Information disclosure vulnerability in SAP GUI for WIndows and SAP GUI for Java (3385711): SAP GUI for Windows and SAP GUI for Java allow an unauthenticated attacker to access information which would otherwise be restricted and confidential. In addition, this vulnerability allows the unauthenticated attacker to create Layout configurations of the ABAP List Viewer and with this causing a mild impact on integrity and availability. 7,3 / 10 [CVE-2023-49580].

Reference links

Other references, from SAP and Onapsis (February):

Digital Library (sap.com)

SAP Patch Day: February 2024 – Onapsis

Resources affected