SAP Security Patch Day – April 2023

Target Industry

Indiscriminate, opportunistic targeting.

Overview

The SAP April Security Patch release included 24 Security Notes, 19 of which contain notes with a variety of severity levels and the remaining five relate to previous bulletin updates. The patch release includes remediations for two critical-severity vulnerabilities that impact the SAP Diagnostics Agent and the SAP BusinessObjects Business Intelligence Platform. The two critical vulnerabilities have been classified as:

CVE-2023-27267 (CVSS v3.1 score: 9.0) which concerns two flaws in SAP Diagnostics Agent (OSCommand Bridge and EventLogServiceCollector). The security issue has arisen due to an insufficient input validation.
CVE-2023-28765(CVSS v3.1 score: 9.8), which has surfaced as a result of an information disclosure vulnerability impacting SAP BusinessObjects Business Intelligence Platform (Promotion Management).

Of note, SAP also disclosed a high-severity vulnerability, tracked as CVE-2023-29186(CVSS v3.1 score: 8.7), impacting SAP NetWeaver and is the result of a directory traversal flaw.

At the time of writing, no active exploitation has been documented regarding the security flaws reported on.

The full list of vulnerabilities can be found within the SAP Security Patch Day Document.

 Impact

– Successful exploitation of CVE-2023-27267 provides a threat actor with knowledge of the target system to the extent that they could execute scripts on all connected Diagnostics Agents. This allows the threat actor to completely compromise the confidentiality, integrity and availability of the target system.
– Successful exploitation of CVE-2023-28765 would provide a threat actor with basic privileges to gain access to the lcmbiar file and decrypt it. This would enable the threat actor to access the platform’s users’ passwords and hijack their accounts to perform additional malicious operations.
– Successful exploitation of CVE-2023-29186 allows threat actors to upload and overwrite files on the vulnerable SAP server.

Vulnerability Detection

Security patches for these vulnerabilities have been released by SAP. Previous versions therefore remain vulnerable to potential exploitation.

Affected Products

CVE-2023-27267 – SAP Diagnostics Agent (OSCommand Bridge and EventLogServiceCollector) – version 720
CVE-2023-28765 – SAP BusinessObjects Business Intelligence Platform (Promotion Management), versions 420 and 430
CVE-2023-29186 – SAP NetWeaver versions 707, 737 and 747

Containment, Mitigations & Remediations

These vulnerabilities are known to be leveraged in attacks and, as such, the relevant patches should be applied as soon as possible. These can be found at the [SAP Software Download page](https://support.sap.com/en/my-support/software-downloads.html).

Indicators of Compromise

No specific Indicators of Compromise (IoCs) are available at this time.

Threat Landscape

SAP is the largest Enterprise Resource Planning (ERP) vendor in the world, with 24% of the total market share. Given that threat actors generally utilise a combination of probability and asset value to determine which attack surfaces to focus on, SAP products have become a prime target. More than 90% of the Forbes Global 2000 organisations use the SAP product range and they are therefore an integral aspect of business operations. As such, threat actors will continue to exploit vulnerabilities contained within the associated products in an attempt to extract the sensitive data contained therein.

Threat Group

No attribution to specific threat actors or groups has been identified at the time of writing.

Mitre Methodologies

CVE-2023-27267 Common Weakness Enumeration:
CWE-306– Missing Authentication for Critical Function

CVE-2023-28765 Common Weakness Enumeration:
CWE-200 – Exposure of Sensitive Information to an Unauthorised Actor

CVE-2023-29186 Common Weakness Enumeration:
CWE-22 – Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)

Further Information

SAP Advisory