SAP issued its August 2024 security patch update which included two critical flaws that enable attackers to bypass authentication and fully compromise affected systems. Review the details in this Cybersecurity Threat Advisory to learn how you can protect your SAP environment.
What is the threat?
SAP’s August security update addressed 17 vulnerabilities. Two of the 17 are rated critical and have serious consequences for organizations. The more severe of the two is CVE-2024-41730, rated 9.8 on the CVSS scale. It is classified as a “missing authentication check” and affects SAP BusinessObjects Business Intelligence Platform versions 430 and 440.
When Single Sign-On (SSO) is enabled for Enterprise authentication, an unauthorized user can obtain a logon token through a REST endpoint, bypassing authentication and gaining full access to the system. Successful exploitation exposes sensitive data and critical business operations to malicious actors.
The second critical vulnerability is CVE-2024-29415, with a CVSS score of 9.1. It is a server-side request forgery (SSRF) issue in applications built with SAP Build Apps versions older than 4.11.130. The flaw stems from a weakness in the ‘ip’ package for Node.js, which is used to decide whether an IP address is public or private. When the loopback address 127.0.0.1 is written in octal notation, the package misclassifies it as public and globally routable, so a check that relies on it can be bypassed to reach internal services. The issue persists because the fix for a similar vulnerability, CVE-2023-42282, was incomplete and left some address spellings unhandled.
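To make the CVE-2024-29415 failure mode concrete, the following Node.js snippet is an added example written for this advisory; it is not code from SAP, SAP Build Apps, or the ‘ip’ package. The function names (isPrivateNaive, toIPv4Number, isPrivateCanonical) and the list of alternative spellings of 127.0.0.1 are constructed for illustration. The naive check reproduces the general pattern the advisory describes: regular expressions that only recognize the dotted-decimal spelling of each private range. The canonical check instead converts the address to its 32-bit numeric value the way inet_aton does (octal, hexadecimal, and shortened forms included) and compares against the non-public ranges numerically, so every spelling of the loopback address is rejected. It goes beyond the octal case in the text to cover the other inet_aton shorthands as well.

```javascript
// Added example (not from the advisory or the 'ip' package): why a string-based
// private-address check is bypassable, and a canonicalising replacement.
// Runs on plain Node.js, no dependencies.

// Naive check: pattern-matches the dotted-decimal spelling only. This is the
// class of bug behind CVE-2024-29415; it is a reconstruction of the pattern,
// not the package's own code.
function isPrivateNaive(addr) {
  return /^(::ffff:)?10\.\d{1,3}\.\d{1,3}\.\d{1,3}$/i.test(addr)
      || /^(::ffff:)?172\.(1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3}$/i.test(addr)
      || /^(::ffff:)?192\.168\.\d{1,3}\.\d{1,3}$/i.test(addr)
      || /^(::ffff:)?127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/i.test(addr)
      || /^(::ffff:)?169\.254\.\d{1,3}\.\d{1,3}$/i.test(addr)
      || /^::1$/.test(addr);
}

// Parse one component the way inet_aton does: "0x" prefix = hexadecimal,
// leading "0" = octal, otherwise decimal. Returns null for anything malformed.
function parsePart(part) {
  if (part === '') return null;
  let radix = 10;
  let digits = part;
  if (/^0[xX]/.test(part)) {
    radix = 16;
    digits = part.slice(2);
  } else if (part.length > 1 && part[0] === '0') {
    radix = 8;
    digits = part.slice(1);
  }
  const valid = { 8: /^[0-7]+$/, 10: /^[0-9]+$/, 16: /^[0-9a-fA-F]+$/ }[radix];
  if (digits === '' || !valid.test(digits)) return null;
  return parseInt(digits, radix);
}

// Convert an IPv4 literal (including a.b.c, a.b and single-number forms, and
// an IPv4-mapped IPv6 prefix) to its 32-bit value; null if it is not an IPv4 literal.
function toIPv4Number(addr) {
  let s = addr;
  if (s.toLowerCase().startsWith('::ffff:')) s = s.slice(7);
  const parts = s.split('.');
  if (parts.length > 4) return null;
  const nums = parts.map(parsePart);
  if (nums.some((n) => n === null)) return null;
  // The last component fills all remaining bytes: a.b.c.d, a.b.c (c is 16 bits),
  // a.b (b is 24 bits), a (32 bits).
  const last = nums.pop();
  const lastBits = 8 * (4 - nums.length);
  if (nums.some((n) => n > 255) || last >= 2 ** lastBits) return null;
  let value = 0;
  for (const n of nums) value = value * 256 + n;
  return value * 2 ** lastBits + last;
}

// Ranges that are never a legitimate public unicast destination for an
// outbound request (RFC 1918, loopback, link-local, CGNAT, benchmarking,
// "this network", multicast, reserved).
const NON_PUBLIC_V4 = [
  ['0.0.0.0', 8], ['10.0.0.0', 8], ['100.64.0.0', 10], ['127.0.0.0', 8],
  ['169.254.0.0', 16], ['172.16.0.0', 12], ['192.168.0.0', 16], ['198.18.0.0', 15],
  ['224.0.0.0', 4], ['240.0.0.0', 4],
].map(([net, bits]) => ({ base: toIPv4Number(net), mask: (0xFFFFFFFF << (32 - bits)) >>> 0 }));

// Canonicalising check: decide on the numeric value, not on the spelling.
// Fails closed: a hostname or an IPv6 literal we do not parse is treated as
// non-public, so the caller must resolve names first and check every record.
function isPrivateCanonical(addr) {
  if (addr.toLowerCase() === 'localhost' || addr === '::1') return true;
  const n = toIPv4Number(addr);
  if (n === null) return true;
  return NON_PUBLIC_V4.some((r) => ((n & r.mask) >>> 0) === r.base);
}

// Constructed spellings of the loopback address that a string-based check misses.
const LOOPBACK_SPELLINGS = [
  '127.0.0.1', '127.1', '0177.0.0.1', '0x7f.0.0.1',
  '2130706433', '017700000001', '::ffff:127.0.0.1',
];

// Compare both checks over a list of addresses; returns one row per address.
function compare(addrs) {
  return addrs.map((addr) => ({
    addr, naive: isPrivateNaive(addr), canonical: isPrivateCanonical(addr),
  }));
}

for (const row of compare(LOOPBACK_SPELLINGS)) {
  console.log(`${row.addr.padEnd(18)} naive=${row.naive}  canonical=${row.canonical}`);
}
```

The naive check only flags the first and last spellings; the canonical one flags all seven. Two caveats when applying this to an SSRF guard: if the target is a hostname, resolve it and run the check on every returned address (and connect to that address rather than re-resolving, to avoid DNS rebinding), and keep the fail-closed behaviour for anything the parser does not understand rather than silently allowing it.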
Why is this noteworthy?
The two critical vulnerabilities highlighted above have a significant impact on confidentiality, integrity, and availability, since a successful attacker can completely compromise the affected system.
The update also includes four other high-severity vulnerabilities:
- CVE-2024-42374: This flaw, with a CVSS score of 8.2, allows an attacker to access information from the SAP ADS system and overload the XMLForm service, making it impossible for SAP ADS to create PDFs.
- CVE-2023-30533: SheetJS Community Edition versions before 0.19.3 contain a prototype pollution flaw (CVSS score of 7.8) that lets an attacker corrupt the application’s state through a specially crafted spreadsheet file.
- CVE-2024-34688: In SAP NetWeaver AS Java, attackers can exploit unrestricted access to the Meta Model Repository services to launch DoS attacks. This vulnerability, with a CVSS score of 7.5, can block legitimate users from accessing the application. While this does not affect the application’s confidentiality or data integrity, it severely impacts its availability.
- CVE-2024-33003: With this vulnerability (CVSS score of 7.4), some OCC API endpoints in SAP Commerce Cloud allow sensitive information like passwords, email addresses, phone numbers, coupon codes, and voucher codes to be included in the request URL.
What is the exposure or risk?
These vulnerabilities pose a substantial security threat. Organizations relying on SAP products should urgently address them to safeguard critical business data and operations. There is currently no report of CVE-2024-41730 being exploited in the wild; however, this does not rule out the possibility that bad actors are already attempting to exploit it.
What are the recommendations?
Barracuda MSP recommends the following actions to mitigate your risk:
- Scan SAP systems for all known vulnerabilities, such as missing security patches, dangerous system configurations, and vulnerabilities in SAP custom code.
- Apply missing security patches immediately and institutionalize security patching as part of a periodic process.
- Apply a secure configuration to your SAP landscape and remove known insecure settings.
- Identify and analyze the security settings of SAP interfaces between systems and applications to understand risks posed by these trust relationships.
- Analyze systems for malicious or excessive user authorizations.
- Monitor systems for suspicious user behavior or indicators of compromise resulting from the exploitation of vulnerabilities.
- Apply threat intelligence on new vulnerabilities to improve the security posture against advanced targeted attacks.
- Define comprehensive security baselines for systems and continuously monitor for compliance violations and remediate detected deviations.
References
For more in-depth information about the recommendations, please visit the following links:
- https://cybersecuritynews.com/sap-hackers-bypass-authentication/
- https://www.techtimes.com/articles/307150/20240814/sap-releases-security-patch-17-vulnerabilities-including-missing-authentication-check.htm
- https://www.bleepingcomputer.com/news/security/critical-sap-flaw-allows-remote-attackers-to-bypass-authentication/
If you have any questions about this Cybersecurity Threat Advisory, please contact Barracuda XDR’s Security Operations Center.