SAP Security Notes, July 2023

Inprosec through its services, such as the SAP Security Assessment, helps its customers to improve the security levels of their SAP systems.

July 2023 notes

Summary and highlights of the month

The total number of notes/patches was 18, 5 more than last month. The number of Hot News increased from 0 to 2 this month. On the other hand, it is worth noting that the number of high criticality notes increases, going from 4 to 7. As usual we will leave the medium and low notes unreviewed this month, but we will give details of a total of 9 notes (all those with a CVSS of 7 or higher).

We have a total of 18 notes for the whole month (the 18 from patch Tuesday, 16 new ones and 2 updates, that’s 5 more scores than last patch Tuesday).

We will review in detail 9 of the total 9 high notes and HotNews, 1 of the 2 HotNews is new and 6 of 7 high notes would be new (those of CVSS greater than or equal to 7).

1. The most critical note of the month (with CVSS 10) is an update of the usual note related to “Google Chromium”.
2. The next most critical note (with CVSS 9.1) is a HotNew related to “OS command injection vulnerability in SAP ECC and SAP S/4HANA“.
3. The next criticality score (with CVSS 8.7) is related to “Directory Traversal vulnerability in SAP NetWeaver (BI CONT ADD ON)“.
4. The following note in criticality (with CVSS 8,6), “Request smuggling and request concatenation vulnerability in SAP Web Dispatcher“.
5. The following criticality note (with CVSS 8.2), is an update of a note published last June, related to “Stored Cross-Site Scripting vulnerability in SAP UI5 (Variant Management)“.
6. The following criticality scores (with CVSS 7.8 and 7.7) are two high scores, one related to “Denial of service (DOS) vulnerability in SAP SQL Anywhere” and the other to “Memory Corruption vulnerability in SAP Web Dispatcher“.
7. The following criticality scores (with CVSS 7.2), are two high scores, one related to “Unauthenticated blind SSRF in SAP Solution Manager (Diagnostics agent) and the other to “Header Injection in SAP Solution Manager (Diagnostic Agent)“.
8. This month the most predominant type is “Injection vulnerability” (3/18 in patch day).

In the graph (post July 2023 from SAP) we can see the ranking of the July notes in addition to the evolution and ranking of the last 5 previous months (only the notes of Sec. Tuesday / Patch Day – by SAP):

Full details

The complete detail of the most relevant notes is as follows:

• Update – Security updates for the browser control Google Chromium delivered with SAP Business Client (2622660): This security note addresses multiple vulnerabilities in the 3rd party web browser control Chromium, which can be used within SAP Business Client. This note will be modified periodically based on web browser updates by the open-source project Chromium. The note priority is based on the highest CVSS score of all the vulnerabilities fixed in the latest browser release. If the SAP Business Client release is not updated to the latest patch level, displaying web pages in SAP Business Client via this open-source browser control might lead to different vulnerabilities like memory corruption, Information Disclosure and the like. The solution will be to update the SAP Business Client patch to the newest one, which contains the most current stable major release of the Chromium browser control, which passed the SAP internal quality measurements of SAP Business Client. The note has been re-released with updated ‘Solution’ and ‘Support Packages & Patches’ information. CVSS v3 Base Score: 10 / 10 (Multiple CVE´s).
• OS command injection vulnerability in SAP ECC and SAP S/4HANA (IS-OIL) (3350297): Due to programming error in function module and report, IS-OIL component in SAP ECC and SAP S/4HANA allows an authenticated attacker to inject an arbitrary operating system command into an unprotected parameter in a common (default) extension.  On successful exploitation, the attacker can read or modify the system data as well as shut down the system. CVSS v3 Base Score: 9,1 / 10 [CVE-2023-36922].
• Directory Traversal vulnerability in SAP NetWeaver (BI CONT ADD ON) (3331376): An attacker with non-administrative authorizations can exploit a directory traversal flaw to over-write system files. Data from confidential files cannot be read but potentially some OS files can be over-written leading to system compromise. CVSS v3 Base Score: 8,7 / 10 [CVE-2023-33989].
• Request smuggling and request concatenation vulnerability in SAP Web Dispatcher (3233899): This note has two attack scenarios:

Scenario 1: CVSS Score: 8,6/10: In SAP NetWeaver AS ABAP and SAP Web Dispatcher an unauthenticated attacker can submit a maliciously crafted request over a network to a front-end server which may, over a number of attempts, result in a back-end server confusing the boundaries of malicious and legitimate messages resulting in execution of malicious payloads which can be used to make it temporarily unavailable, leading to considerable impact on availability.

Scenario 2: CVSS Score: 8,1/10: In SAP NetWeaver AS ABAP and SAP Web Dispatcher an unauthenticated attacker can submit a maliciously crafted request over a network to a front-end server which may, over non-predictive number of attempts, result in a back-end server confusing the boundaries of malicious and legitimate messages resulting in execution of malicious payloads which can be used to read or modify information on the server or make it temporarily unavailable, leading to a limited impact on confidentiality and availability but considerable impact on availability.

CVSS v3 Base Score: 8,6 / 10 [CVE-2023-33987].

• Update – Stored Cross-Site Scripting (Stored XSS) vulnerability in UI5 Variant Management (3324285): UI5 Variant Management does not sufficiently encode user-controlled inputs on reading data from the server, resulting in Stored Cross-Site Scripting (Stored XSS) vulnerability. After successful exploitation, an attacker with user level access can cause high impact on confidentiality, modify some information and also can cause unavailability of the application at user level. This note requires manual activities for implementation. This note has been re-released with updated ‘Solution’ information CVSS v3 Base Score: 8,2 / 10 [CVE-2023-33991].
• Denial of service (DOS) vulnerability in SAP SQL Anywhere (3331029): SAP SQL Anywhere allows an attacker to prevent legitimate users from accessing the service by crashing the service. An attacker with low privileged account and access to the local system can write into the shared memory objects. This can be leveraged by an attacker to perform a Denial of Service. Further, an attacker might be able to modify sensitive data in shared memory objects. CVSS v3 Base Score: 7,8 / 10 [CVE-2023-33990].
• Memory Corruption vulnerability in SAP Web Dispatcher (3340735): The SAP Web Dispatcher has a vulnerability that can be exploited by an unauthenticated attacker to cause memory corruption through logical errors in memory management this may leads to information disclosure or system crashes, which can have low impact on confidentiality and high impact on the integrity and availability of the system. The issue affects the standalone SAP Web Dispatcher, the SAP Web Dispatcher integrated in the ASCS instance, the Internet Communication Manager (ICM) in SAP NetWeaver Application Server ABAP and the Web Dispatcher integrated in SAP HANA. The vulnerability affects only the HTTP/2 protocol. CVSS v3 Base Score: 7,7 / 10 [CVE-2023-35871].
• Unauthenticated blind SSRF in SAP Solution Manager (Diagnostics agent) (3352058): SAP Solution Manager (Diagnostics agent) allows an unauthenticated attacker to blindly execute HTTP requests. On successful exploitation, the attacker can cause a limited impact on confidentiality and availability of the application and other applications the Diagnostics Agent can reach.. CVSS v3 Base Score: 7,2 / 10 [CVE-2023-36925].
• Header Injection in SAP Solution Manager (Diagnostic Agent) (3348145): SAP Solution Manager(Diagnostics agent) allows an attacker to tamper with headers in a client request. This misleads SAP Diagnostics Agent to serve poisoned content to the server. On successful exploitation, the attacker can cause a limited impact on confidentiality and availability of the application. CVSS v3 Base Score: 7,2 / 10 [CVE-2023-36921].

Reference links

Other references, from SAP and Onapsis (July):

Digital Library (sap.com)

SAP Security Patch Day: July 2023 | Onapsis

Resources affected