SAP has issued its August 2024 security patch package, addressing 17 vulnerabilities, including a critical authentication bypass that could allow remote attackers to completely compromise the system.
This vulnerability, identified as CVE-2024-41730 and assigned a severity score of 9.8 under the CVSS v3.1 system, is a “missing authentication check” flaw affecting SAP BusinessObjects Business Intelligence Platform versions 430 and 440, and can be exploited under specific conditions.
According to SAP’s description of the flaw, “In SAP BusinessObjects Business Intelligence Platform, if Single Sign-On is enabled for Enterprise authentication, an unauthorized user can obtain a logon token using a REST endpoint.”
“The attacker could fully compromise the system, severely impacting confidentiality, integrity, and availability.”
The second critical vulnerability addressed in this patch, CVE-2024-29415, has a CVSS v3.1 score of 9.1 and involves a server-side request forgery flaw in applications built with SAP Build Apps older than version 4.11.130.
This flaw is related to a weakness in the ‘IP’ package for Node.js, which incorrectly identifies ‘127.0.0.1’ as a public and globally routable IP address when octal representation is used.
This issue persists due to an incomplete fix for a similar flaw (CVE-2023-42282), leaving some cases vulnerable to attacks.
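To make the weakness class concrete, here is an added example (not the ‘ip’ package’s code, and not from the article) showing why a server-side fetcher’s private-address filter must canonicalize an IPv4 literal before comparing it against loopback and private ranges; the helper names and the decision to fail closed on unparseable input are this example’s own choices.

```javascript
// Added example, not the `ip` package's code: why a loopback/private-range filter
// must canonicalize an IPv4 literal before comparing it. Octal ("0177.0.0.1"),
// hex ("0x7f.0.0.1") and shorthand ("127.1") all mean 127.0.0.1 under inet_aton rules.

// Parse one address part with inet_aton semantics: 0x.. hex, leading 0 octal, else decimal.
function parsePart(p) {
  let m;
  if ((m = /^0[xX]([0-9a-fA-F]+)$/.exec(p))) return parseInt(m[1], 16);
  if ((m = /^0([0-7]+)$/.exec(p))) return parseInt(m[1], 8);
  if (/^(0|[1-9][0-9]*)$/.test(p)) return parseInt(p, 10);
  return NaN;
}

// Canonicalize to "a.b.c.d", or null if not a valid IPv4 literal.
// 1- to 4-part forms are accepted; the last part fills the remaining bytes.
function canonicalizeIPv4(s) {
  const parts = s.split('.');
  if (parts.length > 4) return null;
  const nums = parts.map(parsePart);
  if (nums.some(Number.isNaN)) return null;
  const head = nums.slice(0, -1);
  const last = nums[nums.length - 1];
  const tailBytes = 4 - head.length;
  if (head.some((n) => n > 255) || last >= 2 ** (8 * tailBytes)) return null;
  const v = head.reduce((acc, n) => acc * 256 + n, 0) * 2 ** (8 * tailBytes) + last;
  return [v >>> 24, (v >>> 16) & 255, (v >>> 8) & 255, v & 255].join('.');
}

// Ranges a server-side fetcher should never reach: loopback, RFC 1918, link-local, "this host".
const INTERNAL_RANGES = [['127.0.0.0', 8], ['10.0.0.0', 8], ['172.16.0.0', 12],
  ['192.168.0.0', 16], ['169.254.0.0', 16], ['0.0.0.0', 8]];
const toInt = (d) => d.split('.').reduce((acc, n) => acc * 256 + Number(n), 0);

function inCidr(dotted, base, bits) {
  const mask = (0xffffffff << (32 - bits)) >>> 0;
  return ((toInt(dotted) & mask) >>> 0) === ((toInt(base) & mask) >>> 0);
}

// Weak check: matches the raw string, so "0177.0.0.1" is treated as public.
function naiveIsInternal(s) {
  return /^(127|10|192\.168|169\.254|0)\./.test(s);
}

// Hardened check: canonicalize first and refuse anything that is not a clean literal.
function isInternal(s) {
  const canon = canonicalizeIPv4(s);
  if (canon === null) return true;
  return INTERNAL_RANGES.some(([base, bits]) => inCidr(canon, base, bits));
}
```

In practice the canonical address should also be re-checked after DNS resolution, since a hostname can resolve to an internal address that no string filter will see.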
Additionally, SAP’s bulletin for this month highlights four other vulnerabilities categorized as “high severity” (CVSS v3.1 score: 7.4 to 8.2), which are:
- CVE-2024-42374 – An XML injection vulnerability in the SAP BEx Web Java Runtime Export Web Service, affecting versions BI-BASE-E 7.5, BI-BASE-B 7.5, BI-IBC 7.5, BI-BASE-S 7.5, and BIWEBAPP 7.5.
- CVE-2023-30533 – A prototype pollution issue in SAP S/4 HANA, specifically within the Manage Supply Protection module, impacting library versions of SheetJS CE below 0.19.3.
- CVE-2024-34688 – A Denial of Service (DoS) vulnerability in SAP NetWeaver AS Java, particularly affecting the Meta Model Repository component version MMR_SERVER 7.5.
- CVE-2024-33003 – An information disclosure vulnerability in SAP Commerce Cloud, affecting versions HY_COM 1808, 1811, 1905, 2005, 2105, 2011, 2205, and COM_CLOUD 2211.
Apply updates now
As the world’s largest ERP vendor, with products utilized by over 90% of companies on the Forbes Global 2000 list, SAP is a prime target for hackers seeking critical authentication bypass flaws that could grant them access to valuable corporate networks.
In February 2022, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) strongly urged administrators to patch severe vulnerabilities in SAP business applications to prevent data theft, ransomware attacks, and disruptions to mission-critical operations.
Between June 2020 and March 2021, threat actors exploited unpatched SAP systems to infiltrate corporate networks in at least 300 instances.
Source: BleepingComputer, Bill Toulas