Navigating SAP Security Notes: February 2024 Patch Tuesday

SAP published thirteen new and three updated Security Notes for February 2024 Patch Tuesday. Compared to January’s SAP Security Patch Day release, this month’s release contains a similar number of patches and overall severity. Two Security Notes received the HotNews maximum priority rating (CVSS scores ranging from 9.0 to 10.0). One of the HotNews notes is new, and one is an update to a previously released note.

Additionally, six Security notes received the High Priority designation (CVSS scores ranging from 7.0 to 8.9), with five of them being new notes and one being an update to a previously released note. For this blog, we will focus on the eight most critical Security Notes, two with a HotNews priority rating and six with a High Priority rating.

Newly Released HotNews Security Note

Security Note 3420923 – [CVE-2024-22131] received a CVSS score of 9.1 and addresses a “Code Injection vulnerability in SAP ABA (Application Basis).” Specifically, a threat actor authenticated as a user with a remote execution authorization can use a vulnerable interface. Exploiting this vulnerability enables attackers to use the interface to invoke an application function to perform actions they are not permitted to execute.

This patch addresses the vulnerability by adjusting the authorization object S_RFC to implement a secure-by-default configuration. If customers are using the remote capabilities of the Web Survey feature, they must adjust the configuration for this check to remediate the vulnerability. A threat actor could read or modify any user and business data depending on the specific function executed. If this vulnerability is left unpatched and is successfully exploited, there will be a high impact on system availability, with the potential for the entire system to be completely unavailable.

As a temporary workaround, SAP suggests reviewing your settings regarding authorization object S_RFC and not allowing remote calls to function modules of CA-SUR. Please keep in mind that this workaround is only a temporary fix and will disable the remote capability of the component.

Updated HotNews Security Note

Security Note 2622660 is a regularly recurring patch and provides “security updates for the browser control Google Chromium delivered with SAP Business Client.” This security note addresses numerous vulnerabilities in the 3rd party web browser control Chromium. Specifically, if the SAP business client release is not updated to the latest patch level, displaying web pages in SAP Business Client may lead to vulnerabilities related to memory corruption and Information Disclosure, among others. Identified impacts of these vulnerabilities include:

• System information disclosure or even system crash in worst-case scenarios.
• Potential direct impacts on system confidentiality, availability, and integrity.
• Exfiltrated information can be leveraged to initiate other attacks, with potentially severe and compounding consequences.

This month’s update is the 44th update to this Security Note and includes revised ‘Solution’ and ‘Support Packages & Patches’ information. Specifically, this patch remediates thirty-three chromium vulnerabilities in total, including twenty-six High Priority vulnerabilities. The maximum CVSS score of all fixed vulnerabilities is 8.8.

This Security Note was first released in April 2018 and has been continuously updated since then. Since this patch is recurring almost monthly as a HotNews Security Note, organizations may not feel the need to inspect and address this monthly note. However, if SAP Business Client is a relevant application within your SAP landscape, it is crucial to closely monitor and inspect this note each month for any important updates.

Newly Released High Priority Security Notes

Security Note 3417627 – [CVE-2024-22126] received a CVSS score of 8.8 and addresses a “Cross Site Scripting vulnerability in NetWeaver AS Java (User Admin Application).” Specifically, the User Admin application of SAP NetWeaver AS for Java insufficiently validates and improperly encodes incoming URL parameters before including them in redirect URLs. If successfully exploited, the result is a Cross-Site Scripting (XSS) vulnerability that poses a risk of unauthorized access or even data theft. If left unpatched, there will be a high impact on system confidentiality and a mild impact on system integrity and availability. As a solution, SAP recommends applying the correction according to the “Validity” and “Support Packages & Patches” sections in this Security Note.

Security Note 3426111 – [CVE-2024-24743] received a CVSS score of 8.6 and addresses an “XXE vulnerability in SAP NetWeaver AS Java (Guided Procedures).” Specifically, this note patches an XML External Entity (XXE) injection vulnerability that allows an unauthenticated attacker to submit a malicious request with a crafted XML file over the network, which, when parsed, will enable the threat actor to attain read access to sensitive files and data. However, the attacker cannot modify the sensitive files and data. As a solution, SAP securely reconfigured the XML parser to prevent external entities from being part of an incoming XML document.

As a temporary workaround, SAP suggests these steps: In NetWeaverAdministrator ➡ Java System Properties, choose the configuration template, and in the Filters tab, add the filter to disable the caf~eu~gp~model~iforms~eap application ➡ Restart the NetWeaver. SAP advises customers to assess the workaround applicability for their SAP landscape prior to implementation. It is important to note that this workaround is a temporary fix and is not a permanent solution. Further, SAP strongly recommends that customers apply the corrections outlined in the security note to properly patch this vulnerability, which can be done in lieu of the workaround or after the workaround is implemented.

Security Note 3410875 – [CVE-2024-22130] received a CVSS score of 7.6 and addresses a “Cross Site Scripting (XSS) vulnerability in SAP CRM (WebClient UI).” Specifically, the print preview option in SAP CRM WebClient UI insufficiently encodes user-controlled inputs, resulting in the XSS vulnerability. If this vulnerability is left unpatched and is successfully exploited, an attacker with low privileges can have a limited impact on the confidentiality and integrity of application data. As a solution, SAP ensured that the data is now properly encoded to prevent a successful XSS attack. SAP advises customers to apply the Correction Instructions or upgrade to the corresponding Support Packages referenced in the Security Note.

Security Note 3421659 – [CVE-2024-22132] received a CVSS score of 7.4 and addresses a “Code Injection vulnerability in SAP IDES Systems.” This vulnerability only affects SAP IDES systems. These systems contain code that permits the execution of arbitrary program code of the user’s choice. Specifically, by executing malicious code, an attacker can use the program to control the behavior of the system. If this vulnerability is left unpatched and is successfully exploited, the attacker can escalate privileges, resulting in a low impact on system confidentiality, integrity, and availability. As a solution, this patch addresses the vulnerability by deleting a program that allows the execution of arbitrary program code. Additionally, SAP advises customers to import the attached transport request into the IDES ECC systems and not to install the IDES demo system in the same network as your production environment. SAP also suggests that customers do not have real master data (e.g., client copies of productive systems) set up in the IDES system.

The following is only a temporary fix and not a permanent solution, but as a workaround, SAP suggests customers:

• Deactivate or delete the report ZZOAFAIN manually.
• Make sure to have a strong authorization concept also for IDES test systems.

Security Note 3424610 – [CVE-2024-25642] received a CVSS score of 7.4 and addresses “Improper Certificate Validation in SAP Cloud Connector.” Specifically, this vulnerability allows an attacker to impersonate the genuine servers that interact with the SAP Cloud Connector, breaking the mutual authentication mechanism. If this vulnerability is successfully exploited, an attacker can intercept requests to view and/or modify sensitive information. If left unpatched, there will be a high impact on system confidentiality and integrity but no impact on system availability.

Updated High Priority Security Note

Security Note 3385711 – [CVE-2023-49580] received a CVSS score of 7.3 and addresses an “Information disclosure vulnerability in SAP NetWeaver Application Server ABAP.” This patch is an update to a previously released Security Note and was updated with a revised title, symptom section, and reason and prerequisite section to give more precise information about the vulnerability. Specifically, SAP NetWeaver Application Server ABAP allows an unauthenticated attacker to access information that would typically be restricted and confidential. An unauthenticated attacker could also create Layout configurations of the ABAP list viewer. If this vulnerability is left unpatched and successfully exploited, there will be a low impact on system confidentiality, integrity, and availability, which could also increase the response time of the AS ABAP. This patch addresses the vulnerability by ensuring that a proper check for the authentication of the user is in place and SAP GUI for Windows and SAP GUI for Java will not disclose information to unauthenticated attackers anymore.

The Importance of Proactive and Timely Patching

Staying updated on the monthly Security Notes released for SAP Patch Tuesday is crucial to maintaining the security posture of the confidentiality, integrity, and availability (CIA) triad for your business-critical SAP applications. These patches address critical vulnerabilities that malicious actors continually attempt to exploit to compromise your organization’s data and operations. Neglecting this crucial component of SAP security can lead to costly data breaches, system downtime, and potential reputational damage. By establishing an effective monthly patch management plan, businesses can proactively protect themselves against cyber threats.

How Pathlock Can Help

Pathlock’s Cybersecurity Application Controls (CAC) product enables customers to proactively streamline patch management and prioritization efforts through advanced automation to continuously detect critical vulnerabilities and system threat exposures. CAC’s advanced analytics and reporting capabilities deliver valuable insights into which patches are most urgent, helping customer Basis teams allocate resources more efficiently, rapidly apply patches, and save time and money. Moreover, Pathlock CAC’s ABAP-native architecture ensures seamless integration with SAP standard solutions, enabling rapid customer adoption and minimal system downtime during patch deployment.

Pathlock empowers a comprehensive SAP cybersecurity strategy through five robust cybersecurity modules:

• Vulnerability Management
• Code Scanning
• Transport Control
• Threat Detection and Response
• Dynamic Access Controls (DAC)

Pathlock is committed to helping our customers stay updated on the latest SAP Security Notes, so be sure to check back next month for the latest SAP Patch Tuesday release.

To see how Pathlock can help your organization with timely Patch Management, reach out to set up a demo today.