A recent surge in critical vulnerabilities has prompted SAP to release its August 2024 security patch update. The SAP update addresses 17 new vulnerabilities that could allow attackers to bypass authentication altogether and gain complete control of affected systems.
These vulnerabilities, identified as CVE-2024-41730 and CVE-2024-29415, are rated 9.8 and 9.1, respectively, on the CVSS (Common Vulnerability Scoring System) scale, indicating a severe risk of exploitation.
SAP Update in Detail
According to SAP’s official security notes (August 2024 update), CVE-2024-41730 affects SAP BusinessObjects Business Intelligence Platform versions 430 and 440. This vulnerability stems from a “missing authentication check” within a REST endpoint. If a system with Single Sign-On (SSO) enabled is exploited, an unauthorized user could potentially obtain a valid login token, granting them full access to the system.
“In SAP BusinessObjects Business Intelligence Platform, if Single Signed On is enabled on Enterprise authentication, an unauthorized user can get a logon token using a REST endpoint,” reads the vendor’s description of the flaw.
“The attacker can fully compromise the system resulting in High impact on confidentiality, integrity and availability.”
Meanwhile, CVE-2024-29415 poses a threat to applications built with SAP Build Apps (versions older than 4.11.130). This vulnerability is classified as a server-side request forgery (SSRF) flaw and originates from a weakness in the ‘IP’ package for Node.js. A successful exploit could allow attackers to execute arbitrary code on the targeted system, potentially leading to complete system takeover.
Any organization using SAP BusinessObjects Business Intelligence Platform versions 430 or 440, or applications built with SAP Build Apps older than version 4.11.130, are at risk. It’s crucial to identify the specific versions of these products used within your organization to determine vulnerability.
High Severity SAP Vulnerabilities
Of the remaining fixes listed in SAP’s bulletin for this month, the four that are categorized as “high severity” (CVSS v3.1 score: 7.4 to 8.2) are summarized as follows:
- CVE-2024-42374 – XML injection issue in the SAP BEx Web Java Runtime Export Web Service. It affects versions BI-BASE-E 7.5, BI-BASE-B 7.5, BI-IBC 7.5, BI-BASE-S 7.5, and BIWEBAPP 7.5.
- CVE-2023-30533 – Flaw related to prototype pollution in SAP S/4 HANA, specifically within the Manage Supply Protection module, impacting library versions of SheetJS CE that are below 0.19.3.
- CVE-2024-34688 – Denial of Service (DOS) vulnerability in SAP NetWeaver AS Java, specifically affecting the Meta Model Repository component version MMR_SERVER 7.5.
- CVE-2024-33003 – Vulnerability pertaining to an information disclosure issue in SAP Commerce Cloud, affecting versions HY_COM 1808, 1811, 1905, 2005, 2105, 2011, 2205, and COM_CLOUD 2211.
Recommendations for Businesses
Here’s what you can do to protect your systems:
-
- Update Immediately: SAP has released patches to address both vulnerabilities. The highest priority should be updating all affected systems to the latest versions as soon as possible.
- Review Security Configurations: Double-check your security configurations, particularly those related to Single Sign-On (SSO) and access controls.
- Stay Informed: Subscribe to security advisories from SAP and relevant cybersecurity publications to stay updated on the latest threats and vulnerabilities.
- Consider Additional Security Measures: Implementing multi-factor authentication (MFA) and network segmentation can add further layers of protection to your systems.
The vulnerabilities in SAP Build Apps demonstrate the importance of supply chain security. Businesses should consider the security posture of third-party software vendors and implement measures to mitigate risks associated with integrated solutions.
These recent vulnerabilities serve as a stark reminder of the ever-evolving cyber threat landscape. By prioritizing timely patching, implementing strong security controls, and fostering a culture of cybersecurity awareness within the organization, businesses can significantly reduce their risk of falling victim to these attacks. Patching vulnerabilities is just one piece of the puzzle; a comprehensive security strategy is essential to protect your valuable data and critical systems.
