Notas de Seguridad SAP, Abril 2023

Inprosec a través de sus servicios, como el SAP Security Assessment, ayuda a sus clientes a mejorar los niveles de seguridad de sus sistemas SAP.

Notas Abril 2023

Resumen y highlights del Mes

El número total de notas/parches ha sido de 24, 3 más que el mes pasado. El número de Hot News disminuye, pasando de 6 a 5 en este mes. Por otro lado, cabe destacar que el número de notas de criticidad alta disminuye pasando de 4 a 1. Como siempre dejaremos las notas medias y bajas sin revisar en este mes, pero daremos detalle de un total de 6 notas (todas las que tengan un CVSS de 7 o mayor).

Tenemos un total de 24 notas para todo el mes (las 24 del patch Tuesday, 19 nuevas y 5 actualizaciones, son 5 notas más que el pasado mes).

Revisaremos en detalle la nota alta, que es nueva y las 5 HotNews, 3 actualizaciones y 2 nuevas:

1. Las notas más críticas del mes (con CVSS 10) son 2 HotNews, una relacionada con “Multiple vulnerabilities in SAP Diagnostics Agent” y la otra es una actualización de la nota habitual relacionada con «Google Chromium».
2. La siguiente en criticidad (con CVSS 9,9) es una actualización de una HotNews lanzada en diciembre de 2022, relacionada con “Improper access control in SAP NetWeaver AS Java”.
3. Las siguientes notas en criticidad (con CVSS 9,8 y 9,6) son 2 HotNews, la primera relacionada con “Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform”, la segunda se trata de una actualización de una nota lanzada el pasado mes de marzo 2023, relacionada con “Directory Traversal vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform”.
4. La siguiente en criticidad es la nota alta (con CVSS 8,7) relacionada con “Directory Traversal vulnerability in SAP NetWeaver ( BI CONT ADD ON)”.
5. Este mes el tipo más predominante es “Code Injection vulnerability” (4/24 en patch day).

En la gráfica (post abril 2023 de SAP) podemos ver la clasificación de las notas de abril además de la evolución y clasificación de los últimos 5 meses anteriores (solo las notas del Sec. Tuesday / Patch Day – by SAP):

Detalle completo

El detalle completo de las notas SAP más relevantes es el siguiente (en inglés):

1. Update – Security updates for the browser control Google Chromium delivered with SAP Business Client (2622660): This security note addresses multiple vulnerabilities in the 3rd party web browser control Chromium, which can be used within SAP Business Client. This note will be modified periodically based on web browser updates by the open-source project Chromium. The note priority is based on the highest CVSS score of all the vulnerabilities fixed in the latest browser release. If the SAP Business Client release is not updated to the latest patch level, displaying web pages in SAP Business Client via this open-source browser control might lead to different vulnerabilities like memory corruption, Information Disclosure and the like. The solution will be to update the SAP Business Client patch to the newest one, which contains the most current stable major release of the Chromium browser control, which passed the SAP internal quality measurements of SAP Business Client. The note has been re-released with updated ‘Solution’ and ‘Support Packages & Patches’ information CVSS v3 Base Score: 10 / 10 (Multiple CVE´s).
2. Multiple vulnerabilities in SAP Diagnostics Agent (OSCommand Bridge and EventLogServiceCollector)( 3305369): This note lists 2 vulnerabilities in SAP Diagnosis Agent both derived from Unauthenticated RCE, one related to EventLogServiceCollector which allows an attacker to execute malicious scripts on all connected Diagnosis Agents running on Windows and the other due to lack of authentication and insufficient input validation, the OSCommand bridge allows to execute malicious scripts on all connected Diagnosis Agents running on all operating systems, both vulnerabilities compromise the confidentiality, integrity and availability of the system. CVSS v3 Base Score: 10 / 10 [CVE-2023-27497].
3. Update – Improper access control in SAP NetWeaver AS Java (User Defined Search) (3273480): An unauthenticated attacker over the network can attach to an open interface exposed through JNDI by the User Defined Search (UDS) of SAP NetWeaver Process Integration (PI) and make use of an open naming and directory api to access services which can be used to perform unauthorized operations affecting users and data across the entire system. This allows the attacker to have full read access for user data, to make limited modifications to user data and to degrade performance of the system, leading to high impact on confidentiality and limited impact on availability and integrity of the application. The note has been re-released to provide the fix to SP026 for version 7.50. CVSS v3 Base Score: 9,9 / 10 [CVE-2022-41272].
4. Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Promotion Management )( 3298961): The encrypted information stored in the lcmbiar file can be read due to the lack of password protection causing an attacker to gain access to the BI user’s passwords and depending on the BI user’s privileges, the attacker can perform operations that can completely compromise the application. CVSS v3 Base Score: 9,8 / 10 [CVE-2023-28765].
5. Update – Directory Traversal vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform (3294595): SAP NetWeaver Application Server for ABAP and ABAP Platform allows an attacker with non-administrative authorizations to exploit a directory traversal flaw in an available service to overwrite the system files.  In this attack, no data can be read but potentially critical OS files can be overwritten making the system unavailable. In addition to the solution provided by the patch upload the note contains a workaround. This note has been re-released with updated ‘Solution’ information. CVSS v3 Base Score: 9,6 / 10 [CVE-2023-27269].
6. Directory Traversal vulnerability in SAP NetWeaver ( BI CONT ADD ON) (3305907): Insufficient authority checks and file validations before executing the file upload in BI_CONT causes an attacker can exploit a Directory Traversal vulnerability in a report to upload and overwrite files on the SAP server. Base Score: 8,7 / 10 [CVE-2023-29186].

Enlaces de referencia

Otras referencias, en inglés de SAP y Onapsis (abril):

Digital Library (sap.com)

SAP Security Patch Day – April 2023 | Onapsis

Recursos afectados

El listado completo de los sistemas/componentes afectados es el siguiente:

• SAP Business Client, Versions -6.5, 7.0, 7.70
• SAP BusinessObjects Business Intelligence Platform (Promotion Management,Versions–420, 430
• SAP Diagnostics Agent (OSCommand Bridge and EventLogServiceCollector),Version –720
• SAP NetWeaver (BI CONT ADDON), Versions -707, 737, 747, 757
• SAP NetWeaver Application Server for ABAP and ABAP Platform, Versions -700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 791
• SAP NetWeaver Process Integration, Version –7.50