SAP Security Notes, September 2023

Inprosec, through services such as its SAP Security Assessment, helps its clients improve the security level of their SAP systems.

September 2023 Notes

Summary and highlights of the month

The total number of notes/patches was 18, the same as last month. The number of Hot News notes was 5, 3 more than last month. On the other hand, it is worth noting that the number of high-priority notes drops, going from 8 to 2. As always, we will leave the medium- and low-priority notes unreviewed this month, but we will give details on a total of 7 notes (all those with a CVSS of 7 or higher).

We have a total of 18 notes for the whole month (the 18 from Patch Tuesday: 13 new and 5 updates, the same number of notes as the previous Patch Tuesday).

We will review in detail 7 of the 7 high-priority and Hot News notes: 2 of the 5 Hot News notes are new, and both of the 2 high-priority notes are new (those with a CVSS greater than or equal to 7).

  1. The most critical note of the month (CVSS 10) is an update of the recurring note related to "Google Chromium".
  2. The next notes in criticality (CVSS 9.9) are 3 Hot News notes: 1 new one, related to "Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Promotion Management)", and 2 updates, one published last March, related to "Code Injection vulnerability in SAP Business Objects Business Intelligence Platform (CMC)", and the other published in December 2022, related to "Improper access control in SAP NetWeaver AS Java (User Defined Search)".
  3. The next note in criticality (CVSS 9.8) is related to "Missing Authorization check in SAP CommonCryptoLib".
  4. The next note in criticality (CVSS 8.7) is a high-priority note related to "Insufficient File type validation in SAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface)".
  5. The next note in criticality (CVSS 7.5) is a high-priority note related to "Memory Corruption vulnerability in SAP CommonCryptoLib".
  6. This month the predominant vulnerability type is "Code Injection" (3 of the 18 notes on Patch Day).

In the chart (from SAP's September 2023 post) we can see the classification of September's notes, as well as the evolution and classification of the previous 5 months (only the notes from the Security Tuesday / Patch Day, by SAP):

Full details

The full details of the most relevant notes are as follows (in English):

    1. Update – Security updates for the browser control Google Chromium delivered with SAP Business Client (2622660): This security note addresses multiple vulnerabilities in the third-party web browser control Chromium, which can be used within SAP Business Client. This note will be modified periodically based on web browser updates by the open-source project Chromium. The note priority is based on the highest CVSS score of all the vulnerabilities fixed in the latest browser release. If the SAP Business Client release is not updated to the latest patch level, displaying web pages in SAP Business Client via this open-source browser control might lead to different vulnerabilities such as memory corruption, information disclosure and the like. The solution is to update SAP Business Client to the newest patch, which contains the most current stable major release of the Chromium browser control that passed the internal SAP Business Client quality measurements. The note has been re-released with updated 'Solution' and 'Support Packages & Patches' information. CVSS v3 Base Score: 10 / 10 (multiple CVEs).
    2. Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Promotion Management) (3320355): Under certain conditions, the platform allows an authenticated attacker to view sensitive information which is otherwise restricted. On successful exploitation, the attacker can completely compromise the application, causing high impact on confidentiality, integrity, and availability. The note contains a workaround. CVSS v3 Base Score: 9.9 / 10 [CVE-2023-40622].
    3. Update – Improper access control in SAP NetWeaver AS Java (User Defined Search) (3273480): An unauthenticated attacker over the network can attach to an open interface exposed through JNDI by the User Defined Search (UDS) of SAP NetWeaver Process Integration (PI) and make use of an open naming and directory API to access services which can be used to perform unauthorized operations affecting users and data across the entire system. This allows the attacker to have full read access to user data, to make limited modifications to user data and to degrade performance of the system, leading to high impact on confidentiality and limited impact on availability and integrity of the application. CVSS v3 Base Score: 9.9 / 10 [CVE-2022-41272].
    4. Update – Code Injection vulnerability in SAP Business Objects Business Intelligence Platform (CMC) (3245526): In some scenarios, SAP Business Objects Business Intelligence Platform (CMC) Program Object execution can lead to a code injection vulnerability which could allow an attacker to gain access to resources that are allowed by extra privileges. A successful attack could highly impact the confidentiality, integrity, and availability of the system. In addition to the solution provided by the patch, the note contains a workaround; the note has also been re-released with updated Support Packages & Patches information. CVSS v3 Base Score: 9.9 / 10 [CVE-2023-25616].
    5. Missing Authorization check in SAP CommonCryptoLib (3340576): SAP CommonCryptoLib does not perform necessary authentication checks, which may result in missing or wrong authorization checks for an authenticated user, resulting in escalation of privileges. Depending on the application and the level of privileges acquired, an attacker could abuse functionality restricted to a particular user group as well as read, modify or delete restricted data. CVSS v3 Base Score: 9.8 / 10 [CVE-2023-40309].
    6. Insufficient File type validation in SAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface) (3370490): Due to insufficient file type validation, SAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface) allows a report creator to upload files from the local system into the report over the network. When uploading the image file, an authenticated attacker could intercept the request and modify the content type and the extension to read and modify sensitive data, causing a high impact on confidentiality and integrity of the application. CVSS v3 Base Score: 8.7 / 10 [CVE-2023-42472].
    7. Memory Corruption vulnerability in SAP CommonCryptoLib (3327896): SAP CommonCryptoLib allows an unauthenticated attacker to craft a request which, when submitted to an open port, causes a memory corruption error in a library, which in turn causes the target component to crash, making it unavailable. There is no ability to view or modify any information. CVSS v3 Base Score: 7.5 / 10 [CVE-2023-40308].

Reference links

References, in English, from SAP and Onapsis (September):

Digital Library (sap.com)

SAP Security Patch Day for September 2023 (onapsis.com)

Affected resources

The full list of affected systems/components is as follows:

  • SAP Business Client, Versions 6.5, 7.0, 7.70
  • SAP Business Objects Business Intelligence Platform (CMC), Versions 420, 430
  • SAP BusinessObjects Business Intelligence Platform (Promotion Management), Versions 420, 430
  • SAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface), Version 420
  • SAP CommonCryptoLib, Version 8
  • SAP NetWeaver AS ABAP, SAP NetWeaver AS Java and ABAP Platform of S/4HANA on-premise, Versions KERNEL 7.22, KERNEL 7.53, KERNEL 7.54, KERNEL 7.77, KERNEL 7.85, KERNEL 7.89, KERNEL 7.91, KERNEL 7.92, KERNEL 7.93, KERNEL 8.04, KERNEL64UC 7.22, KERNEL64UC 7.22EXT, KERNEL64UC 7.53, KERNEL64UC 8.04, KERNEL64NUC 7.22, KERNEL64NUC 7.22EXT
  • SAP NetWeaver Process Integration, Version 7.50
  • SAP Web Dispatcher, Versions 7.22EXT, 7.53, 7.54, 7.77, 7.85, 7.89
  • SAP Content Server, Versions 6.50, 7.53, 7.54
  • SAP Extended Application Services and Runtime (XSA), Versions SAP_EXTENDED_APP_SERVICES 1, XS_ADVANCED_RUNTIME 1.00
  • SAP HANA Database, Version 2.0
  • SAP Host Agent, Version 722
  • SAPSSOEXT, Version 17
