Inprosec, through services such as its SAP Security Assessment, helps its customers improve the security level of their SAP systems.
October 2022 notes
Summary and highlights of the month
The total number of notes/patches was 22, 6 more than last month. The number of Hot News notes increased from 1 to 2 this month. The number of high-criticality notes remains at 6, the same as in September. As usual, we leave the medium- and low-criticality notes unreviewed this month and give details of a total of 8 notes (all those with a CVSS of 7 or higher).
We have a total of 22 notes for the whole month, the same as last August (17 from Patch Tuesday: 16 new and 1 update, which is 4 more notes than last month).
We will review in detail all 8 of the high notes and HotNews: both HotNews are new and 5 of the 6 high notes are new (all with a CVSS greater than or equal to 7).
- The most critical note of the month (CVSS 9.9) concerns a “File path traversal vulnerability in SAP Manufacturing Execution”.
- Next in criticality (CVSS 9.6) is the other HotNews, “Account hijacking through URL Redirection vulnerability in SAP Commerce login form”.
- Next in criticality (CVSS 8.2, 8.2, 8.1, 7.7, 7.0 and 7.0) are six high notes: “Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Program Objects)”; an update of a note released in August, “Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Monitoring DB)”; “Buffer Overflow in SAP SQL Anywhere and SAP IQ”; “Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (AdminTools/Query Builder)”; “Multiple vulnerabilities in SAP 3D Visual Enterprise Viewer”; and “Multiple vulnerabilities in SAP 3D Visual Enterprise Author”.
- This month the predominant types are “Information Disclosure vulnerability” (7/22 overall and 6/17 on patch day) and “Cross-Site Scripting (XSS)” (4/22 overall and 2/16 on patch day).
In the graph (from SAP's October 2022 post) we can see the classification of the October notes, together with the evolution and classification of the 5 previous months (only the Security Tuesday / Patch Day notes, by SAP):
Full details
The complete detail of the most relevant notes is as follows:
- File path traversal vulnerability in SAP Manufacturing Execution (3242933): SAP Manufacturing Execution allows an attacker to exploit insufficient validation of a file path request parameter. The intended file path can be manipulated to allow arbitrary traversal of directories on the remote server. The file content within each directory can be read, which may lead to information disclosure. CVSS v3 Base Score: 9.9 / 10 [CVE-2022-39802].
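The defect the note describes (a file path parameter that is joined to a base directory without checking where the result ends up) is easiest to see next to its fix. The following is an added example, not code from the SAP note or from Inprosec: `ALLOWED_BASE` and the request names are constructed for illustration. `naive_join` shows the weak pattern; `resolve_safely` canonicalises the joined path and accepts it only if it is still inside the base directory, so `..` segments, absolute paths and symlink escapes are all rejected.

```python
import os
from pathlib import Path
from typing import Optional

# Constructed example: a fixed export directory from which an application serves
# files named by a client-supplied request parameter. The directory name is an
# assumption for the example, not a path taken from the SAP note.
ALLOWED_BASE = Path("/srv/app/exports")


def naive_join(base: Path, requested: str) -> str:
    """The weak pattern: concatenate and normalise with no containment check.
    '../' segments in `requested` walk straight out of `base`."""
    return os.path.normpath(os.path.join(str(base), requested))


def resolve_safely(base: Path, requested: str) -> Optional[Path]:
    """Hardened form: canonicalise the joined path (following symlinks) and
    accept it only if it is still inside the canonical base directory."""
    if not requested or "\x00" in requested:
        return None  # empty or NUL-truncated names are never valid
    base_resolved = base.resolve()
    # pathlib discards `base` when `requested` is absolute, so the containment
    # check below also rejects absolute inputs such as '/etc/passwd'.
    candidate = (base_resolved / requested).resolve()
    try:
        candidate.relative_to(base_resolved)
    except ValueError:
        return None  # escaped the base directory via '..' or a symlink
    return candidate


if __name__ == "__main__":
    for name in ("report.csv", "sub/../report.csv", "../../../etc/passwd", "/etc/passwd"):
        print(f"{name!r:24} naive -> {naive_join(ALLOWED_BASE, name):36} "
              f"safe -> {resolve_safely(ALLOWED_BASE, name)}")
```

The check is done on the resolved path, not on the raw string, because filtering `..` textually misses encoded variants and symlinks; what matters is the final location on disk.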
- Account hijacking through URL Redirection vulnerability in SAP Commerce login form (3239152): An attacker can change the content of an SAP Commerce login page through a manipulated URL. They can inject code that allows them to redirect submissions from the affected login form to their own server. This allows them to steal credentials and hijack accounts. A successful attack could compromise the Confidentiality, Integrity, and Availability of the system. This is due to multiple URLs on the SAP Commerce OAuth extension login page not being sanitized. This allowed attackers to construct manipulated URLs to the login page that would change the behavior of the login form. In particular, login credentials would be redirected from the SAP Commerce server to an arbitrary server on the Internet. CVSS v3.0 Base Score: 9.1 / 10 [CVE-2022-41204].
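The root cause here is a login page that takes a URL from the request and uses it unsanitized, so the form can be pointed at a third-party host. The usual mitigation is to validate any caller-supplied destination against an allow-list before it reaches a form action or a Location header. The following is an added example, not code from SAP Commerce or the note: `TRUSTED_HOSTS`, `DEFAULT_LANDING` and the test URLs are constructed. It rejects protocol-relative (`//host`) and backslash forms, control characters, non-http(s) schemes and `user@host` tricks, and falls back to a fixed landing page when validation fails.

```python
from urllib.parse import urlparse

# Constructed allow-list for the example: hosts the login flow may send a user
# to after authentication. These names are assumptions, not from the SAP note.
TRUSTED_HOSTS = {"shop.example.com", "account.example.com"}
DEFAULT_LANDING = "/"


def is_safe_redirect(target: str, trusted_hosts=TRUSTED_HOSTS) -> bool:
    """True only for a site-relative path or an absolute http(s) URL whose
    host is on the allow-list; anything a browser could turn into a
    third-party destination is rejected."""
    if not target or any(ord(c) < 0x20 for c in target):
        return False  # empty, or carries CR/LF/control chars (header splitting)
    if target.startswith("//") or "\\" in target:
        return False  # protocol-relative, or backslashes browsers treat as '/'
    parsed = urlparse(target)
    if not parsed.scheme and not parsed.netloc:
        return target.startswith("/")  # plain site-relative path only
    if parsed.scheme not in ("http", "https"):
        return False  # javascript:, data:, and similar
    host = (parsed.hostname or "").lower()
    # Exact match: 'shop.example.com.evil.net' and 'shop.example.com@evil.net'
    # both yield a hostname that is not in the set.
    return host in trusted_hosts


def post_login_location(requested_target: str) -> str:
    """Destination after login: the requested target if it validated,
    otherwise the fixed default landing page."""
    return requested_target if is_safe_redirect(requested_target) else DEFAULT_LANDING


if __name__ == "__main__":
    for t in ("/my-account", "https://shop.example.com/cart", "//evil.example.net",
              "https://shop.example.com@evil.example.net/", "javascript:alert(1)"):
        print(f"{t:45} -> {post_login_location(t)}")
```

Allow-listing whole hosts (rather than filtering known-bad substrings) is what makes this robust: the list of things a browser will accept as a foreign origin is longer than any denylist.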
- Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Program Objects) (3229132): Under certain conditions an attacker can get access to OS credentials. The attacker must be authenticated; an administrator sees the credentials in clear text, a normal user sees them in encrypted form. Getting access to OS credentials enables the attacker to modify system data and make the system unavailable, leading to high impact on confidentiality and low impact on integrity and availability of the application. CVSS v3 Base Score: 8.2 / 10 (CVE-2022-35291).
- Update – Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (MonitoringDB) (3213507): In the SAP Business One application, when a service is created, the executable path contains spaces and isn’t enclosed within quotes, leading to a vulnerability known as Unquoted Service Path, which allows a user to gain SYSTEM privileges. If the service is exploited by adversaries, it can be used to gain privileged permissions on a system or network, leading to high impact on Confidentiality, Integrity and Availability. To fix the problem, customers need to upgrade to SAP Business One FP2202HF1. CVSS v3 Base Score: 8.2 / 10 (CVE-2022-35292).
- Buffer Overflow in SAP SQL Anywhere and SAP IQ (3232021): SAP SQL Anywhere and SAP IQ database servers are vulnerable to a remote unauthenticated stack-based buffer overflow when the server is running with a server debugging option. The impacts of a stack-based buffer overflow are reading and modifying unauthorized data; the vulnerability also has a direct impact on the availability of the system. CVSS v3 Base Score: 8.1 / 10 [CVE-2022-35299].
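The unquoted service path in the 3213507 entry above is a condition an administrator can audit for directly: a service whose command line is not wrapped in quotes and whose executable path contains a space. The following is an added example, not code from SAP or the note: the `SAMPLE_SERVICES` entries are constructed stand-ins for the `PathName` values one would read from `Win32_Service` on a Windows host (for instance via `Get-CimInstance Win32_Service | Select-Object Name, PathName`), and the SAP-looking directory names are invented. The detector separates the executable from its arguments, flags the unquoted case, and shows the remediation (quoting the executable path) that the fix pack applies.

```python
import re

# Constructed sample of Win32_Service PathName values. None of these are real
# SAP service entries; the directory names are assumptions for the example.
SAMPLE_SERVICES = {
    "ExampleB1Svc": r"C:\Program Files\SAP\SAP Business One\Service\B1Service.exe -run",
    "GoodQuoted":   r'"C:\Program Files\Vendor\Agent\agent.exe" --service',
    "NoSpaces":     r"C:\Vendor\tool\svc.exe",
    "Builtin":      r"C:\Windows\system32\svchost.exe -k netsvcs",
}

# Executable portion of a command line: everything up to the first '.exe'
# token that is followed by whitespace or end of string.
_EXE = re.compile(r"^(.*?\.exe)(?=\s|$)", re.IGNORECASE)


def executable_part(image_path: str) -> str:
    """Return the executable path of a service command line; the remainder
    is treated as arguments. Falls back to the whole string if no '.exe'."""
    p = image_path.strip()
    m = _EXE.match(p)
    return m.group(1) if m else p


def is_unquoted_service_path(image_path: str) -> bool:
    r"""True when the path is not quoted and the executable's own path
    contains a space: the service control manager then tries
    'C:\Program.exe', 'C:\Program Files\SAP.exe', ... before the real binary,
    which is why the condition is a privilege-escalation risk."""
    p = image_path.strip()
    if p.startswith('"'):
        return False
    return " " in executable_part(p)


def quote_service_path(image_path: str) -> str:
    """Remediation: wrap the executable path in quotes, leaving arguments alone."""
    p = image_path.strip()
    if not is_unquoted_service_path(p):
        return p
    exe = executable_part(p)
    return f'"{exe}"{p[len(exe):]}'


def find_unquoted(services: dict) -> list:
    """Names of services whose PathName is an unquoted path with spaces."""
    return sorted(name for name, path in services.items()
                  if is_unquoted_service_path(path))


if __name__ == "__main__":
    for name in find_unquoted(SAMPLE_SERVICES):
        print(f"{name}: {SAMPLE_SERVICES[name]}")
        print(f"  fixed -> {quote_service_path(SAMPLE_SERVICES[name])}")
```

A detection like this belongs in a periodic configuration check rather than a one-off review, since any later service installation can reintroduce the condition.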
- Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (AdminTools/Query Builder) (3239293): Under certain conditions BOE AdminTools / BOE SDK allows an attacker to access information which would otherwise be restricted. The note provides a link to knowledge base article 214444559 for the Business Intelligence platform maintenance schedule and strategy. CVSS v3 Base Score: 7.7 / 10 (CVE-2022-39015).
- Multiple vulnerabilities in SAP 3D Visual Enterprise Viewer (3245928): Due to a lack of proper memory management, when a victim opens a manipulated file received from untrusted sources in SAP 3D Visual Enterprise Viewer, the following attack scenarios are possible: 1. Arbitrary code execution, triggered when the payload forces re-use of a dangling pointer that refers to overwritten memory; the accessed memory must be filled with code to execute the attack, so repeated success is unlikely. A stack-based buffer overflow is also possible; since the memory overwritten is random and depends on the access rights of the memory, repeated success is not assured. 2. Denial of service: the application crashes and becomes temporarily unavailable to the user until the application is restarted. CVSS v3 Base Score: 7.0 / 10 (multiple CVEs).
- Multiple vulnerabilities in SAP 3D Visual Enterprise Author (3245929): Due to a lack of proper memory management, when a victim opens a manipulated file received from untrusted sources in SAP 3D Visual Enterprise Viewer, the following attack scenarios are possible: 1. Arbitrary code execution, triggered when the payload forces re-use of a dangling pointer that refers to overwritten memory; the accessed memory must be filled with code to execute the attack, so repeated success is unlikely. A stack-based buffer overflow is also possible; since the memory overwritten is random and depends on the access rights of the memory, repeated success is not assured. 2. Denial of service: the application crashes and becomes temporarily unavailable to the user until the application is restarted. CVSS v3 Base Score: 7.0 / 10 (multiple CVEs).
Reference links
Other references, from SAP and Onapsis (October):
https://dam.sap.com/mac/app/e/pdf/preview/embed/ucQrx6G?ltr=a&rc=10
https://onapsis.com/blog/sap-security-patch-day-october-2022
Resources affected
- SAP 3D Visual Enterprise Author, Version 9
- SAP 3D Visual Enterprise Viewer, Version 9
- SAP Business Objects Platform (MonitoringDB), Version 430
- SAP BusinessObjects Business Intelligence Platform (Program Objects), Versions 420, 430
- SAP BusinessObjects Business Intelligence Platform (Admin Tools/Query Builder), Versions 420, 430
- SAP Commerce, Versions 1905, 2005, 2105, 2011, 2205
- SAP IQ, Version 16.1
- SAP Manufacturing Execution, Versions 15.1, 15.2, 15.3
- SAP SQL Anywhere, Version 17.0