Inprosec through its services, such as the SAP Security Assessment, helps its customers to improve the security levels of their SAP systems.
March 2023 notes
Summary and highlights of the month
The total number of notes/patches was 21, 5 fewer than last month. The number of Hot News increased from 1 to 6 this month. On the other hand, it is worth noting that the number of high criticality notes decreased from 5 to 4. As usual we will leave the medium and low notes unreviewed this month, but we will give details of a total of 7 notes (all those with a CVSS of 7 or higher).
We have a total of 21 notes for the entire month (the 19 from Patch Tuesday, all of them new, are 7 fewer than last month).
We will review in detail the 4 high notes (all 4 new) and the 6 HotNews (1 update and 5 new):
- The most critical notes of the month (with CVSS 9.9) are 3 HotNews: one related to “Code Injection vulnerability in SAP Business Objects Business Intelligence Platform”, another related to “Improper Access Control in SAP NetWeaver AS for Java”, and the third an update of a note released in December 2022 related to “Improper access control in SAP NetWeaver AS Java (User Defined Search)”.
- Next in criticality (with CVSS 9.6) are 2 HotNews, one related to “Directory Traversal vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform” and the other related to “Directory traversal vulnerability in SAP ERP and S4HANA”.
- The next criticality score (with CVSS 9.0) is another HotNews, related to “OS command execution vulnerability in SAP Business Objects Business Intelligence Platform”.
- The next one is a high score (with CVSS 8.8) related to “Arbitrary Code Execution in SAP Solution Manager and ABAP managed Systems”.
- The following criticality score (with CVSS 8.7) is a high score related to “Directory Traversal vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform”.
- The following criticality scores (with CVSS 7.4 and 7.2) are 2 high notes: the first is related to “Multiple vulnerabilities in SAP NetWeaver AS for ABAP and ABAP Platform”, the other to “Memory Corruption vulnerability in SAPOSCOL”.
- The most predominant type this month is “Improper Access Control in SAP NetWeaver” (4 of the 19 Patch Day notes).
The graph (from SAP's March 2023 post) shows the ranking of the March notes together with the evolution and ranking of the previous 5 months (only the Security Tuesday / Patch Day notes, by SAP):
Full details
The complete detail of the most relevant notes is as follows:
- Code Injection vulnerability in SAP Business Objects Business Intelligence Platform (CMC) (3245526): In some scenarios, SAP Business Objects Business Intelligence Platform (CMC) Program Object execution can lead to a code injection vulnerability which could allow an attacker to gain access to resources that are allowed by extra privileges. A successful attack could have a high impact on the confidentiality, integrity and availability of the system. In addition to the solution provided by the patch, the note contains a workaround. CVSS v3 Base Score: 9.9 / 10 [CVE-2023-25616].
- Improper Access Control in SAP NetWeaver AS for Java (3285757): Due to a missing authentication check, SAP NetWeaver Application Server for Java allows an unauthenticated attacker to attach to an open interface and make use of an open naming and directory API to access services which can be used to perform unauthorized operations affecting users and services across systems. On successful exploitation, the attacker can read and modify some sensitive information, and can also lock up any element or operation of the system, making it unresponsive or unavailable. The solution provided by SAP removes public access to the LockingService by introducing the required authentication and authorization protection. CVSS v3 Base Score: 9.9 / 10 [CVE-2023-23857].
- Update – Improper access control in SAP NetWeaver Process Integration (User Defined Search) (3273480): An unauthenticated attacker over the network can attach to an open interface exposed through JNDI by the User Defined Search (UDS) of SAP NetWeaver Process Integration (PI) and make use of an open naming and directory API to access services which can be used to perform unauthorized operations affecting users and data across the entire system. This allows the attacker to have full read access to user data, to make limited modifications to user data and to degrade the performance of the system, leading to a high impact on confidentiality and a limited impact on availability and integrity of the application. This note has been re-released with an updated ‘Causes – Side Effects’ section. CVSS v3 Base Score: 9.9 / 10 [CVE-2022-41272].
- Directory Traversal vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform (3294595): SAP NetWeaver Application Server for ABAP and ABAP Platform allows an attacker with non-administrative authorizations to exploit a directory traversal flaw in an available service to overwrite system files. In this attack no data can be read, but potentially critical OS files can be overwritten, making the system unavailable. In addition to the solution provided by the patch, the note contains a workaround. CVSS v3 Base Score: 9.6 / 10 [CVE-2023-27269].
- Directory traversal vulnerability in SAP ERP and S4HANA (SAPRSBRO Program) (3302162): An attacker with non-administrative authorizations can exploit a directory traversal flaw in program SAPRSBRO to overwrite system files. In this attack no data can be read, but potentially critical OS files can be overwritten, making the system unavailable. CVSS v3 Base Score: 9.6 / 10 [CVE-2023-27269].
- OS command execution vulnerability in SAP Business Objects Business Intelligence Platform (Adaptive Job Server) (3283438): Due to incorrectly escaped parameters on Unix, SAP Business Objects Business Intelligence Platform (Adaptive Job Server) allows an authenticated attacker to execute arbitrary commands over the network. On successful exploitation, the attacker can completely compromise the application, causing a high impact on the confidentiality, integrity and availability of the application. In addition to the solution provided by the patch, the note contains a workaround. CVSS v3 Base Score: 9.0 / 10 [CVE-2023-25617].
- Arbitrary Code Execution in SAP Solution Manager and ABAP managed systems (ST-PI) (3296476): An attacker authenticated as a user with a non-administrative role and a common remote execution authorization can use a vulnerable interface to execute an application function and perform actions which they would not normally be permitted to perform. Depending on the function executed, the attacker can read or modify any user or application data and can make the application unavailable, hence affecting the ABAP managed systems and the SAP Solution Manager system. This vulnerability affects systems with the ST-PI add-on due to an enhancement concept of SAP Solution Manager, Custom Code Lifecycle Management. CVSS v3 Base Score: 8.8 / 10 [CVE-2023-27893].
- Directory Traversal vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform (3294954): SAP NetWeaver AS for ABAP and ABAP Platform allows an attacker to exploit insufficient validation of path information provided by users, thus exploiting a directory traversal flaw in an available service to delete system files. In this attack no data can be read, but potentially critical OS files can be deleted, making the system unavailable and causing a significant impact on both availability and integrity. The problem arises because the input parameter dir_name in function EPS_SEEK_OUTPUT_FILE was not properly checked when it was supplied without content. CVSS v3 Base Score: 8.7 / 10 [CVE-2023-27501].
- Multiple vulnerabilities in SAP NetWeaver AS for ABAP and ABAP Platform (3296346): In SAP NetWeaver AS for ABAP and ABAP Platform, due to improper input controls, an attacker authenticated as a non-administrative user can craft a request which will trigger the application server to send a request to an arbitrary URL, which can reveal, modify or make non-sensitive information unavailable, leading to a low impact on confidentiality, integrity and availability. CVSS v3 Base Score: 7.4 / 10 [CVE-2023-26459].
- Memory Corruption vulnerability in SAPOSCOL (3275727): SAPOSCOL allows an unauthenticated attacker with network access to a server port assigned to the SAP Start Service to submit a crafted request which results in a memory corruption error. This error can be used to reveal, but not modify, technical information about the server. It can also make a particular service temporarily unavailable. With this correction, the length of input parameter values is checked. CVSS v3 Base Score: 7.0 / 10 [CVE-2023-27498].
Reference links
Other references, from SAP and Onapsis (March):
SAP Patch Day: March 2023 | Onapsis
Resources affected
- SAP Business Objects (Adaptive Job Server), Versions 420, 430
- SAP Business Objects Business Intelligence Platform (CMC), Versions 420, 430
- SAP Host Agent, Version 7.22
- SAP NetWeaver Application Server for ABAP and ABAP Platform, Versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 791
- SAP NetWeaver AS for ABAP and ABAP Platform (SAPRSBRO Program), Versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757
- SAP NetWeaver AS for ABAP and ABAP Platform, Versions SAP_BASIS 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 791
- SAP NetWeaver AS for Java, Version 7.50
- SAP Solution Manager and ABAP managed systems (ST-PI), Versions 2008_1_700, 2008_1_710 and 740