SAP Patch Day: 19 Security Updates Released to Address Critical Vulnerabilities
SAP vulnerabilities were a key focus during the September Patch Day, with multiple security updates released to enhance the protection of SAP systems. The updates addressed various critical issues, including cross-site scripting and missing authorization checks, highlighting SAP's commitment to ensuring the security of its systems.
Key Vulnerabilities Addressed
In September 2024, SAP released nineteen new and updated security notes aimed at addressing vulnerabilities in various systems. Among these were updates to one HotNews note and one High Priority note.
HotNews Note #3479478
The HotNews Note #3479478, rated with a CVSS score of 9.8, focuses on a missing authentication check vulnerability in SAP BusinessObjects Business Intelligence Platform. This vulnerability posed a risk of unauthorized access to critical data. Initially released in August, the updated note provided workaround solutions for users unable to apply the patch immediately and extended the fix to the Enterprise software release 420.
High Priority Note #3459935
The High Priority Note #3459935, with a CVSS score of 7.4, addresses an information disclosure vulnerability in SAP Commerce Cloud. This issue required a revision of the patch, updating the recommended fix from Release 2211.27 to Release 2211.28.
Collaboration with Onapsis Research Labs
Onapsis Research Labs contributed significantly to resolving SAP vulnerabilities during the September Patch Day, assisting SAP in identifying and patching twelve issues across seven security notes. Thomas Fritsch, Manager of Content and Technical Research at Onapsis, emphasized the importance of ongoing collaboration with SAP to ensure swift identification and resolution of critical vulnerabilities. This collaboration helped address various security threats that could have potentially impacted SAP customers.
Cross-Site Scripting Vulnerabilities
One of the most critical areas addressed was Cross-Site Scripting vulnerabilities in eProcurement on S/4HANA and the CRM Blueprint Application Builder Panel. These vulnerabilities were documented in SAP Security Notes #3497347 and #3501359, with both rated at a CVSS score of 6.1. Weak input validation in these systems could have allowed attackers to inject malicious scripts, enabling unauthorized access to information. The timely patches implemented by SAP reduce the risk of such attacks, improving the security of user data.
Missing Authorization Checks
Another key vulnerability patched was a missing authorization check in SAP Production and Revenue Accounting, covered in SAP Security Note #3488341. This issue allowed unauthorized users to access sensitive information through a remote-enabled function module. With the patch in place, SAP now restricts access to authorized users only, reducing the likelihood of unauthorized data disclosure.
Additional Vulnerabilities in RFC-Enabled Function Modules
Furthermore, SAP Security Note #3488039 addressed six additional vulnerabilities in RFC-enabled function modules, which had the potential to disrupt users' access to SAP GUI. One particular vulnerability, tracked under CVE-2024-45285, could have allowed a low-privileged attacker to block a specific user from accessing SAP GUI by sending a crafted packet. SAP’s patch effectively closes this security loophole by preventing external access to these vulnerable modules.
Vulnerabilities in Specialized SAP Systems
Additional vulnerabilities were addressed in specialized SAP systems. For instance, SAP Security Note #3505293, with a CVSS score of 4.3, corrected an authorization issue in SAP for Oil & Gas. This vulnerability allowed non-administrative users to delete data entries, potentially disrupting business processes. By applying the necessary authorization checks, SAP has ensured that only authorized users can alter the data, safeguarding the integrity of the system.
Information Disclosure Vulnerabilities in SAP BW (BEx Analyzer)
Information disclosure vulnerabilities in SAP BW (BEx Analyzer) were also patched in SAP Security Notes #3481588 and #3481992. These issues allowed attackers to gain unauthorized access to sensitive data through the network. SAP’s patches ensure that only authenticated users can view such information, significantly lowering the risk of data breaches.
Continued Commitment to Security
Although no new HotNews or High Priority Notes were introduced, the updates provided solutions to several critical issues, particularly in the areas of cross-site scripting and missing authorization checks. By continuing to prioritize security, SAP ensures that its customers can rely on their systems without fear of exploitation or data loss. The September Patch Day is a testament to SAP's commitment to proactive security measures, ensuring that its customers' systems are protected from the evolving threat landscape.
Conclusion: Staying Ahead of the Curve
The September Patch Day highlights the importance of staying ahead of the curve in terms of cybersecurity. SAP's proactive approach to addressing vulnerabilities is crucial in protecting organizations from potential attacks. By applying these patches promptly, organizations can mitigate risks and ensure the security of their sensitive data. It's important for all SAP users to stay informed about security updates and apply patches as soon as possible to maintain a strong security posture.