SAP vulnerabilities were a key focus during the September Patch Day, with multiple security updates released to enhance the protection of SAP systems.
In September 2024, SAP released nineteen new and updated security notes aimed at addressing vulnerabilities in various systems. Among these were updates to one HotNews note and one High Priority note. The HotNews Note #3479478, rated with a CVSS score of 9.8, focuses on a missing authentication check vulnerability in SAP BusinessObjects Business Intelligence Platform, which posed a risk of unauthorized access to critical data. Initially released in August, the updated note provided workaround solutions for users unable to apply the patch immediately and extended the fix to the Enterprise software release 420.
The High Priority Note #3459935, with a CVSS score of 7.4, addresses an information disclosure vulnerability in SAP Commerce Cloud. This issue required a revision of the patch, updating the recommended fix from Release 2211.27 to Release 2211.28. SAP’s proactive measures in issuing these updates highlight the importance of continuous security reviews to mitigate risks and protect sensitive data.
Onapsis Research Labs contributed significantly to resolving SAP vulnerabilities during the September Patch Day, assisting SAP in identifying and patching twelve issues across seven security notes. Thomas Fritsch, Manager of Content and Technical Research at Onapsis, emphasized the importance of ongoing collaboration with SAP to ensure swift identification and resolution of critical vulnerabilities. This collaboration helped address various security threats that could have potentially impacted SAP customers.
One of the most critical areas addressed was Cross-Site Scripting vulnerabilities in eProcurement on S/4HANA and the CRM Blueprint Application Builder Panel. These vulnerabilities were documented in SAP Security Notes #3497347 and #3501359, with both rated at a CVSS score of 6.1. Weak input validation in these systems could have allowed attackers to inject malicious scripts, enabling unauthorized access to information. The timely patches implemented by SAP reduce the risk of such attacks, improving the security of user data.
Another key vulnerability patched was a missing authorization check in SAP Production and Revenue Accounting, covered in SAP Security Note #3488341. This issue allowed unauthorized users to access sensitive information through a remote-enabled function module. With the patch in place, SAP now restricts access to authorized users only, reducing the likelihood of unauthorized data disclosure.
Furthermore, SAP Security Note #3488039 addressed six additional vulnerabilities in RFC-enabled function modules, which had the potential to disrupt users’ access to SAP GUI. One particular vulnerability, tracked under CVE-2024-45285, could have allowed a low-privileged attacker to block a specific user from accessing SAP GUI by sending a crafted packet. SAP’s patch effectively closes this security loophole by preventing external access to these vulnerable modules.
Further SAP Vulnerabilities Patched in September
Additional vulnerabilities were addressed in specialized SAP systems. For instance, SAP Security Note #3505293, with a CVSS score of 4.3, corrected an authorization issue in SAP for Oil & Gas. This vulnerability allowed non-administrative users to delete data entries, potentially disrupting business processes. By applying the necessary authorization checks, SAP has ensured that only authorized users can alter the data, safeguarding the integrity of the system.
Information disclosure vulnerabilities in SAP BW (BEx Analyzer) were also patched in SAP Security Notes #3481588 and #3481992. These issues allowed attackers to gain unauthorized access to sensitive data through the network. SAP’s patches ensure that only authenticated users can view such information, significantly lowering the risk of data breaches.
Although no new HotNews or High Priority Notes were introduced, the updates provided solutions to several critical issues, particularly in the areas of cross-site scripting and missing authorization checks. By continuing to prioritize security, SAP ensures that its customers can rely on their systems without fear of exploitation or data loss.