Navigating SAP Security Notes: September 2023 Patch Tuesday

SAP published thirteen new and five updated Security Notes for September 2023 Patch Tuesday. Five of these Security Notes received the HotNews maximum priority rating (CVSS scores ranging from 9.0 to 10.0). However, three of them are updates from previously released Security Notes. Additionally, two Security Notes received the High Priority designation (CVSS scores ranging from 7.0 to 8.9). For this blog, we will focus on these seven Security Notes, as they pose the greatest severity to customers’ business-critical SAP systems and should be prioritized accordingly.

Newly Released HotNews Security Notes

Security Note 3320355 – [CVE-2023-40622] received a CVSS score of 9.9 and addresses an “Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Promotion Management).” Specifically, the job folder of the Promotion Management component is vulnerable to an Information Disclosure. If successfully exploited, this vulnerability could expose sensitive information within customer systems and enable threat actors to leverage this information in subsequent attacks to entirely compromise the target application’s confidentiality, integrity, and availability. Although this vulnerability is scored as the highest priority and associated risk severity, this vulnerability can only be exploited by an authenticated user. Nonetheless, this score is rationalized by the catastrophic consequences of successful exploitation. As a workaround, SAP advises granting appropriate rights only for the required user to access and perform promotions using Promotion Management. By default, normal users do not have view rights. However, the users of the administrator group should be explicitly denied view rights on the Promotion jobs folder.

Security Note 3340576 – [CVE-2023-40309] received a CVSS score of 9.8 and addresses a “Missing Authorization check in SAP CommonCryptoLib.” The verification of JavaScript Web Tokens (JWT) and raw signatures may fail, resulting in missing or incorrect authorization checks in the calling application. This could lead to an unauthorized escalation of privileges. Depending on the application and the level of acquired privileges, threat actors could gain access to restricted data, modify or delete it, or even compromise the affected application entirely. As a solution, SAP advises customers to download and install CommonCryptoLib 8.5.50 (or higher) to correct this issue. Currently, there is no temporary workaround to mitigate this vulnerability.

Updated HotNews Security Notes

Security Note 2622660 is a regularly recurring patch. It provides “security updates for the [third-party] browser control Google Chromium delivered with SAP Business Client.” This security note aims to fix multiple Chromium web browser control vulnerabilities. If you don’t update your SAP Business Client to the latest patch level, displaying web pages could leave your system vulnerable to memory corruption and information disclosure attacks. Identified impacts of these vulnerabilities include:

• System information disclosure or even system crash in worst-case scenarios.
• Potential direct impacts on system confidentiality, availability, and integrity.
• Exfiltrated information can be leveraged to initiate other attacks, with potentially severe and compounding consequences.

Security Note 3273480 – [CVE-2022-41272] received a CVSS score of 9.9 and addresses “Improper access control in SAP NetWeaver AS Java (User Defined Search).” If successfully exploited, this vulnerability enables threat actors to perform unauthorized operations afflicting users and data across the entire target system. Specifically, attackers can attain full read access to sensitive user data, make limited modifications to user data, and degrade system performance, ultimately leading to a high impact on confidentiality and a limited impact on application integrity and availability. This patch update is only necessary because the Security Note was inadvertently retracted previously. There is no additional customer action required.

Security Note 3245526 – [CVE-2023-25616] received a CVSS score of 9.9 and addresses a “Code Injection vulnerability in SAP Business Objects Business Intelligence Platform (CMC).” This Security Note is an update to a patch initially released in March 2023 to resolve a code injection vulnerability that could allow a threat actor to access sensitive resources through unauthorized, escalated privileges. If successfully exploited, this vulnerability could severely impact system confidentiality, integrity, and availability. As a solution, SAP removed the ‘Use Impersonation’ option from CMC → Application → Central Management Console (CMC) → Program Object Rights. Now, it is automatically considered as selected. This month’s update has been re-released with upgraded patch levels for ‘Support Packages & Patches’ information.

Newly Released High Priority Security Notes

Security Note 3370490 – [CVE-2023-42472] received a CVSS score of 8.7 and addresses “Insufficient File type validation in SAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface).” Due to insufficient file type validation, a report creator can upload files from the local system into the report over the network. When uploading an image file, an authenticated threat actor could intercept the request and modify the content type and file extension, resulting in unauthorized access to read and modify sensitive system data. If successfully exploited, this vulnerability could result in a high impact on application confidentiality and availability. As a solution, SAP improved the validation to only allow authorized file’s type. There is no workaround available for this vulnerability.

Security Note 3327896 – [CVE-2023-40308] received a CVSS score of 7.5 and addresses a “Memory Corruption vulnerability in SAP CommonCryptoLib.” SAP CommonCryptoLib allows unauthenticated threat actors to craft a request, which causes a memory corruption error in a library when submitted to an open port. As a result, the target component crashes and makes it unavailable, so there is no ability to view or modify any information. More specifically, a manipulated data package with a corrupted SNC NAME ASN.1 structure can lead to a parser error, resulting in a crash of the target application. As a solution, SAP advises customers to download and install CommonCryptoLib 8.5.49 (or higher) to resolve this system vulnerability. There is no temporary workaround to mitigate this vulnerability.

The Importance of Proactive and Timely Patching

Staying updated on the monthly Security Notes released for SAP Patch Tuesday is crucial to maintaining the security posture of the confidentiality, integrity, and availability (CIA) triad for your business-critical SAP applications. These patches address critical vulnerabilities that malicious actors continually attempt to exploit to compromise your organization’s data and operations. Neglecting this crucial component of SAP security can lead to costly data breaches, system downtime, and potential reputational damage. By establishing an effective monthly patch management plan, businesses can proactively protect themselves against cyber threats.

How Pathlock Can Help

Pathlock’s Cybersecurity Application Controls (CAC) product enables customers to proactively streamline patch management and prioritization efforts through advanced automation to continuously detect critical vulnerabilities and system threat exposures. CAC’s advanced analytics and reporting capabilities deliver valuable insights into which patches are most urgent, helping customer Basis teams allocate resources more efficiently, rapidly apply patches, and save time and money. Moreover, Pathlock CAC’s ABAP-native architecture ensures seamless integration with SAP standard solutions, enabling rapid customer adoption and minimal system downtime during patch deployment.

Pathlock empowers a comprehensive SAP cybersecurity strategy through five robust cybersecurity modules:

• Vulnerability & Code Scanning
• Threat Detection & Response
• Transport Control
• Dynamic Data Masking
• Data Loss Prevention (DLP) & Session Logging

Pathlock is committed to helping our customers stay updated on the latest SAP Security Notes, and moving forward, we will be releasing a monthly blog covering SAP Patch Tuesday.

To see how Pathlock can help your organization, reach out to set up a demo today.