SAP Security Notes, September 2023

Inprosec through its services, such as the SAP Security Assessment, helps its customers to improve the security levels of their SAP systems.

September 2023 notes

Summary and highlights of the month

The total number of notes/patches has been 18, the same as last month. The number of Hot News notes has been 5, which is 3 more than last month. On the other hand, it is worth noting that the number of high-criticality notes has decreased from 8 to 2. As always, we will leave medium and low-criticality notes unchecked this month, but we will provide details for a total of 7 notes (all with a CVSS score of 7 or higher).

We have a total of 18 notes for the entire month (the 18 from Patch Tuesday, 13 new and 5 updates, which is the same number of notes as last month’s Patch Tuesday).

We will review in detail 7 out of the total 7 high-criticality and Hot News notes, 2 of the 5 Hot News notes are new, and the 2 high-criticality notes would be new (those with a CVSS score greater than or equal to 7).

1. The most critical note of the month (with a CVSS score of 10) is an update to the usual note related to “Google Chromium.“
2. The next critical notes (with CVSS 9.9) include 3 Hot News notes, 1 new, related to “Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Promotion Management),” and the other 2 are updates, one published last March, related to “Code Injection vulnerability in SAP Business Objects Business Intelligence Platform (CMC)” and the other published in December 2022 related to “Improper access control in SAP NetWeaver AS Java (User Defined Search).”
3. The next critical note (with CVSS 9.8) is related to “Missing Authorization check in SAP CommonCryptoLib.”
4. The next critical note (with CVSS 8.7) is a high-criticality note related to “Insufficient File type validation in SAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface).“
5. The next critical note (with CVSS 7.5) is a high-criticality note related to “Memory Corruption vulnerability in SAP CommonCryptoLib.”
6. This month, the most predominant type is “Code Injection” (3 out of 18 on Patch Day).

In the graph (post-September 2023 for SAP), we can see the classification of the notes for September, as well as the evolution and classification of the last 5 previous months (only the notes from Sec. Tuesday/Patch Day – by SAP):

Full details

The complete detail of the most relevant notes is as follows:

1. Update – Security updates for the browser control Google Chromium delivered with SAP Business Client (2622660): This security note addresses multiple vulnerabilities in the 3rd party web browser control Chromium, which can be used within SAP Business Client. This note will be modified periodically based on web browser updates by the open-source project Chromium. The note priority is based on the highest CVSS score of all the vulnerabilities fixed in the latest browser release. If the SAP Business Client release is not updated to the latest patch level, displaying web pages in SAP Business Client via this open-source browser control might lead to different vulnerabilities like memory corruption, Information Disclosure and the like. The solution will be to update the SAP Business Client patch to the newest one, which contains the most current stable major release of the Chromium browser control, which passed the SAP internal quality measurements of SAP Business Client. The note has been re-released with updated ‘Solution’ and ‘Support Packages & Patches’ information. CVSS v3 Base Score: 10 / 10 (Multiple CVE´s).
2. Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Promotion Management)(3320355): under certain condition allows an authenticated attacker to view sensitive information which is otherwise restricted. On successful exploitation, the attacker can completely compromise the application causing high impact on confidentiality, integrity, and availability. Note contains a workaround .CVSS v3 Base Score: 9,9 / 10 [CVE-2023-40622].
3. Update – Improper access control in SAP NetWeaver AS Java (User Defined Search) (3273480): An unauthenticated attacker over the network can attach to an open interface exposed through JNDI by the User Defined Search (UDS) of SAP NetWeaver Process Integration (PI) and make use of an open naming and directory api to access services which can be used to perform unauthorized operations affecting users and data across the entire system. This allows the attacker to have full read access for user data, to make limited modifications to user data and to degrade performance of the system, leading to high impact on confidentiality and limited impact on availability and integrity of the application. CVSS v3 Base Score: 9,9 / 10 [CVE-2022-41272].
4. Update – Code Injection vulnerability in SAP Business Objects Business Intelligence Platform (CMC) (3245526): In some scenarios, SAP Business Objects Business Intelligence Platform (CMC) Program Object execution can lead to code injection vulnerability which could allow an attacker to gain access to resources that are allowed by extra privileges. Successful attack could highly impact the confidentiality, Integrity, and Availability of the system. In addition to the solution provided by the patch upload, the note contains a workaround also the note has been re-released with updated Support Packages & Patches information. CVSS v3 Base Score: 9,9 / 10 [CVE-2023-25616].
5. Missing Authorization check in SAP CommonCryptoLib (3340576): SAP CommonCryptoLib does not perform necessary authentication checks, which may result in missing or wrong authorization checks for an authenticated user, resulting in escalation of privileges. Depending on the application and the level of privileges acquired, an attacker could abuse functionality restricted to a particular user group as well as read, modify or delete restricted data. CVSS v3 Base Score: 9,8 / 10 [CVE-2023-40309].
6. Insufficient File type validation in SAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface) (3370490): Due to insufficient file type validation, SAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface) allows a report creator to upload files from local system into the report over the network. When uploading the image file, an authenticated attacker could intercept the request, modify the content type and the extension to read and modify sensitive data causing a high impact on confidentiality and integrity of the application. CVSS v3 Base Score: 8,7 / 10 [CVE-2023-42472].
7. Memory Corruption vulnerability in SAP CommonCryptoLib (3327896): SAP CommonCryptoLib allows an unauthenticated attacker to craft a request, which when submitted to an open port causes a memory corruption error in a library which in turn causes the target component to crash making it unavailable. There is no ability to view or modify any information.. CVSS v3 Base Score: 7,5 / 10 [CVE-2023-40308].

Reference links

Other references, from SAP and Onapsis (September):

Digital Library (sap.com)

SAP Security Patch Day for September 2023 (onapsis.com)

Resources affected