Inprosec a través de sus servicios, como el SAP Security Assessment, ayuda a sus clientes a mejorar los niveles de seguridad de sus sistemas SAP.
Notas enero 2024
Resumen y highlights del Mes
Este mes el número total de notas/parches ha sido de 14, tan solo 1 más que el mes pasado. Este mes ha habido 2 HotNews, mientras que el mes anterior hubo tan solo 1. En cuanto al número de notas de criticidad alta, se han reducido en 1 para el mes actual, pasando de 4 a 3. Las notas medias y bajas no serán revisadas, por lo que daremos detalle de un total de 5 notas (todas las que tengan un CVSS de 7 o mayor).
Tenemos un total de 14 notas para todo el mes (las 14 del patch Tuesday, son nuevas, por lo que no hay actualizaciones).
Revisaremos en detalle un total de 5 notas, las 3 notas altas y las 2 HotNews:
-
Las notas más críticas del mes (con CVSS 9,9) son las dos HotNews, relacionadas con “Improper Authentication in SAP NetWeaver ABAP Server and ABAP Platform” y “Information Disclosure vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform(Internet Communication Framework)”
-
La siguiente en criticidad (CVSS 8,8) se trata de una nota relacionada con “SQL Injection vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform”.
-
La siguiente en criticidad (CVSS 8,7) se trata de una nota relacionada con “Multiple vulnerabilities in SAP BusinessObjects Business Intelligence Platform”.
-
La siguiente en criticidad (CVSS 7,8) se trata de una nota relacionada con “DLL Hijacking vulnerability in SAPSetup”.
-
Este mes el tipo más predominante está relacionado con “Information Disclosure vulnerability” (6/14 en patch day).
En la gráfica podemos ver la clasificación de las notas de enero, además de la evolución y clasificación de los últimos 5 meses anteriores (solo las notas del Sec. Tuesday / Patch Day – by SAP):
Detalle completo
El detalle completo de las notas más relevantes es el siguiente (en inglés):
-
Improper Authentication in SAP NetWeaver ABAP Server and ABAP Platform (3537476): SAP NetWeaver Application Server for ABAP and ABAP Platform allows an authenticated attacker to obtain illegitimate access to the system by exploiting improper authentication checks, resulting in privilege escalation. On successful exploitation, this can result in potential security concerns. This results in a high impact on confidentiality, integrity, and availability. CVSS v3 Base Score 9,9/ 10 [CVE-2025-0070]
-
Information Disclosure vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform(Internet Communication Framework) (3550708): Under certain conditions SAP NetWeaver AS for ABAP and ABAP Platform (Internet Communication Framework) allows an attacker to access restricted information due to weak access controls. This can have a significant impact on the confidentiality, integrity, and availability of an application. CVSS v3 Base Score 9,9/ 10 [CVE-2025-0066]
-
SQL Injection vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform (3550816): SAP NetWeaver AS ABAP and ABAP Platform does not check for authorization when a user executes some RFC function modules. This could lead to an attacker with basic user privileges to gain control over the data in Informix database, leading to complete compromise of confidentiality, integrity and availability. There is a Workaround. CVSS v3 Base Score 8,8/ 10 [CVE-2025-0063]
-
Multiple vulnerabilities in SAP BusinessObjects Business Intelligence Platform (3474398): This Security note addresses two vulnerabilities in SAP BusinessObjects Business Intelligence Platform. The vulnerability details with a CVSS more than 7 is in Information Disclosure [CVE-2025-0061]. This document talks about SAP BusinessObjects Business Intelligence Platform that allows an unauthenticated attacker to perform session hijacking over the network without any user interaction, due to an information disclosure vulnerability. Attacker can access and modify data of user in the application.. CVSS v3 Base Score 8,7/ 10 [CVE-2025-0061]
-
DLL Hijacking vulnerability in SAPSetup (3542533): Due to DLL injection vulnerability in SAPSetup, an attacker with either local user privileges or with access to a compromised corporate user’s Windows account could gain higher privileges. With this, he could move laterally within the network and further compromise the active directory of a company. This leads to high impact on confidentiality, integrity and availability of the Windows server. CVSS v3 Base Score 7,8/ 10 [CVE-2025-0069]
Enlaces de referencia
Referencias, en inglés de SAP y Onapsis (enero):
SAP Security Patch Day – January 2025
SAP Patch Day: January 2024 – Onapsis
Recursos afectados
El listado completo de los sistemas/componentes afectados es el siguiente:
-
SAP BusinessObjects Business Intelligence Platform, Versions – ENTERPRISE 420, 430, 2025
-
SAP NetWeaver Application Server for ABAP and ABAP Platform, Versions – KRNL64NUC 7.22, 7.22EXT, KRNL64UC 7.22, 7.22EXT, 7.53, 8.04, KERNEL 7.22, 7.53, 7.54, 7.77, 7.89, 7.93, 7.97, 8.04, 9.12, 9.13, 9.14
-
SAP NetWeaver AS for ABAP and ABAP Platform (Internet Communication Framework), Versions – SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758, SAP_BASIS 912, SAP_BASIS 913, SAP_BASIS 914
-
SAPSetup, Version – LMSAPSETUP 9.0
-
SAP NetWeaver Application Server Java, Version – WD-RUNTIME 7.50
-
SAP GUI for Windows, Versions – BC-FES-GUI 8.0
-
SAP GUI for Java, Versions – BC-FES-JAV 7.80
-
SAP NetWeaver AS JAVA (User Admin Application), Version – ENGINEAPI 7.50, SERVERCORE 7.50, UMEADMIN 7.50