Enterprise software maker SAP has released its April 2023 security updates for several of its products, which include fixes for two critical-severity vulnerabilities affecting the SAP Diagnostics Agent and the SAP BusinessObjects Business Intelligence platform.
In total, SAP has released 24 notices, 19 of which relate to new issues of varying importance, and five are updates to previous bulletins.
The three most critical issues resolved this time around are:
- CVE-2023-27267: Insufficient input validation and missing authentication issue impacting OSCommand Bridge of SAP Diagnostics Agent, version 720, allowing an attacker to execute scripts on connected agents and completely compromise the system. (CVSS v3.1 rating: 9.0)
- CVE-2023-28765: Information disclosure vulnerability impacting SAP BusinessObjects Business Intelligence (Promotion Management) platform, versions 420 and 430, allowing an attacker with basic privileges to access and decrypt the lcmbiar file. This would allow the attacker to access platform users’ passwords and take control of their accounts to perform additional malicious actions. (CVSS v3.1 rating: 9.8)
- CVE-2023-29186: Directory traversal flaw affecting SAP NetWeaver versions 707, 737, 747 and 757, allowing an attacker to download and overwrite files on the vulnerable SAP server. (CVSS v3.1 rating: 8.7)
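The directory traversal flaw above lets a request reach files outside the directory the application intends to serve. The usual defence is to canonicalise the requested path and confirm it still lies inside the permitted base directory before reading or writing it. The following Python example is added here for illustration; it is generic code, not SAP's own, and the directory and file names it uses are constructed for the demonstration.

```python
import os
import tempfile
from typing import Optional


def resolve_within(base_dir: str, requested: str) -> Optional[str]:
    """Return the canonical path for `requested` if it stays inside `base_dir`, else None.

    The join happens first and the canonicalisation second, so '..' segments,
    absolute paths and symlinks are all resolved before the containment check.
    """
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, requested))
    try:
        # commonpath compares whole path components, so '/srv/export-evil'
        # is not mistaken for a child of '/srv/export' (a plain prefix test would be).
        if os.path.commonpath([base, candidate]) != base:
            return None
    except ValueError:
        # Raised when the paths share no root at all (e.g. different drives on Windows).
        return None
    return candidate


def demo() -> dict:
    """Exercise the check against constructed inputs, including a symlink escape.

    Returns a mapping of case name -> True when the path was accepted, False when rejected.
    """
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        base = os.path.join(tmp, "export")
        outside = os.path.join(tmp, "outside")
        os.makedirs(os.path.join(base, "reports"))
        os.makedirs(outside)
        # Constructed sample files: one legitimate, one that must stay unreachable.
        with open(os.path.join(base, "reports", "q1.txt"), "w") as fh:
            fh.write("quarterly report\n")
        with open(os.path.join(outside, "secret.txt"), "w") as fh:
            fh.write("not for download\n")

        results["plain_relative"] = resolve_within(base, "reports/q1.txt") is not None
        results["dot_dot_escape"] = resolve_within(base, "../outside/secret.txt") is not None
        results["absolute_path"] = resolve_within(base, os.path.join(outside, "secret.txt")) is not None
        results["sibling_prefix"] = resolve_within(base, "../export-evil/x.txt") is not None

        # A symlink inside the served tree that points outside it must also be rejected;
        # realpath follows the link, so the containment check sees the real target.
        try:
            os.symlink(outside, os.path.join(base, "link"))
            results["symlink_escape"] = resolve_within(base, "link/secret.txt") is not None
        except (OSError, NotImplementedError):
            results["symlink_escape"] = False  # platform without symlink support
    return results


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:16s} {'accepted' if accepted else 'rejected'}")
```

Only `plain_relative` is accepted; every other case is rejected. The same containment check must guard write paths as well as read paths, since the flaw described above allows overwriting files, not only downloading them.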
The remaining 11 security flaws disclosed in the latest SAP security bulletin are of low to medium severity.
Although such issues are generally not considered a priority for patching, they are still used in attacks, especially as links in complex attack chains, so they should be patched nonetheless.
Prompt patching is important
Hackers are always on the lookout for critical-severity flaws in widely deployed products like those from SAP, which are commonplace in large corporate networks.
SAP is the largest ERP vendor in the world, holding 24% of the global market with 425,000 customers in 180 countries. More than 90% of the Forbes Global 2000 uses its ERP, SCM, PLM and CRM products.
In February 2022, the United States Cybersecurity and Infrastructure Security Agency (CISA) urged admins to patch a set of severe vulnerabilities affecting SAP business applications to prevent data theft, ransomware attacks, and disruption of critical processes and operations.
In April 2021, threat actors were observed exploiting already-fixed flaws in unpatched SAP systems to gain access to corporate networks.
Therefore, it is of crucial importance for SAP system administrators to apply available security patches as soon as possible.