Inprosec, through its services such as the SAP Security Assessment, helps its customers improve the security level of their SAP systems.
September 2022 notes
Summary and highlights of the month
The total number of notes/patches was 16, 5 more than last month. The number of Hot News remained the same as in August, with one. On the other hand, it should be noted that the number of high-priority notes increased from 3 to 6 this month. As always, we leave the medium- and low-priority notes unreviewed this month, but we give details of a total of 7 notes (all those with a CVSS of 7 or higher).
We have a total of 16 notes for the whole month, 5 more than last August (the 13 from Patch Tuesday, 8 new and 5 updates, are 5 notes more than last month).
We will review in detail all 7 Hot News and high-priority notes (those with a CVSS greater than or equal to 7): the Hot News is an update of a previous note, and 2 of the 6 high-priority notes are new.
- The most critical note of the month (with CVSS 10) is the usual note related to “Google Chromium”.
- Next in criticality (CVSS 8.8, 8.1, 7.8, 7.8, 7.7 and 7.1) are six high-priority notes: one related to a “Cross-Site Scripting (XSS) vulnerability in SAP Knowledge Warehouse”, one related to a “Privilege escalation vulnerability” in SAP SuccessFactors, one related to a “Windows Unquoted Service Path” issue in SAP Business One, one related to “Central Management Server Information Disclosure” in the SAP BusinessObjects Business Intelligence platform, another related to an “Information Disclosure vulnerability” in SAP BusinessObjects Business Intelligence Platform (CMC), and the last one related to “Insufficient Firefighter Session Expiration” in SAP Access Control.
- The remaining 9 are medium and low priority, and we will not look at them in detail.
- This month the most common types are “Cross-Site Scripting (XSS) vulnerability” (4 of 16, and 4 of the 13 on Patch Day) and “Information Disclosure vulnerability” (4 of 16, and 2 of the 13 on Patch Day).
In the graph (post August 2022 from SAP) we can see the classification of the September notes, together with the evolution and classification of the previous 5 months (only the Security Tuesday / Patch Day notes, by SAP):
The complete detail of the most relevant notes is as follows:
- Update – Security updates for the browser control Google Chromium delivered with SAP Business Client (2622660): This security note addresses multiple vulnerabilities in the third-party web browser control Chromium, which can be used within SAP Business Client. This note will be modified periodically based on web browser updates by the open-source project Chromium. The note priority is based on the highest CVSS score of all the vulnerabilities fixed in the latest browser release. If the SAP Business Client release is not updated to the latest patch level, displaying web pages in SAP Business Client via this open-source browser control might lead to different vulnerabilities like memory corruption, Information Disclosure and the like. The solution is to update SAP Business Client to the newest patch, which contains the most current stable major release of the Chromium browser control that has passed the SAP internal quality measurements for SAP Business Client. CVSS v3 Base Score: 10 / 10 (multiple CVEs).
- Update – Cross-Site Scripting (XSS) vulnerability in SAP Knowledge Warehouse (3102769): This security note addresses a vulnerability that has been discovered in SAP Knowledge Warehouse (SAP KW). The use of an SAP KW component within a web browser allows unauthorized attackers to carry out XSS attacks, which could lead to the disclosure of sensitive data. The SAP KW display component does not sufficiently validate and encode its input parameters, resulting in a reflected cross-site scripting issue. To fix the problem, deploy the support packages and patches referenced in this SAP note. Workaround: if you are unable to implement the patch, you have two options to address the issue, which are described in SAP Note 3221696 «Disabling SAP IKS component». CVSS v3.0 Base Score: 8.8 / 10 (CVE-2021-42063).
- Update – Privilege escalation vulnerability in SAP SuccessFactors attachment API for Mobile Application (Android & iOS) (3226411): Due to misconfigured application endpoints, SAP SuccessFactors attachment APIs allow an attacker with user privileges to perform activities with admin privileges over the network. These APIs were consumed in the SF Mobile application for Time Off, Time Sheet, EC Workflow and Benefits. On successful exploitation, the attacker can read/write attachments, compromising the confidentiality and integrity of the application. Customers using attachments in the Time Off, Time Sheet, EC Workflow and Benefits modules of the SAP SF Mobile Application are impacted. Several measures have been taken to resolve the identified vulnerability in the most recent software update. This vulnerability impacts users of the iOS and Android mobile application versions released prior to V8.0.5. For this reason, the SAP SuccessFactors mobile team is releasing an immediate fix that stops the ability to download, upload or preview attachments from the impacted SAP SF Mobile modules at this time. To fix the issue, download the latest version of the SAP SuccessFactors iOS and Android mobile application (V8.0.5) to ensure the organization is not at risk from this vulnerability. CVSS v3 Base Score: 8.1 / 10 (CVE-2022-35291).
- Windows Unquoted Service Path issue in SAP Business One (3223392): In the SAP Business One application, when a service is created, the executable path contains spaces and is not enclosed in quotes, leading to a vulnerability known as Unquoted Service Path, which allows a user to gain SYSTEM privileges. If the service is exploited by adversaries, it can be used to gain privileged permissions on a system or network, leading to a high impact on Confidentiality, Integrity and Availability. To fix the problem, customers need to upgrade to SAP Business One FP2202HF1. CVSS v3 Base Score: 7.8 / 10 (CVE-2022-35292).
- Update – Central Management Server Information Disclosure in Business Intelligence Update (2998510): During an update of SAP BusinessObjects Enterprise, Central Management Server (CMS) authentication credentials are being exposed in Sysmon event logs. This Information Disclosure could cause a high impact on systems’ Confidentiality, Integrity, and Availability. To fix this problem, apply the patches contained in the «Support Package Patches» section. CVSS v3 Base Score: 7.8 / 10 (CVE-2022-28214).
- Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (CMC) (3217303): Under certain conditions, the Central Management Console (CMC) allows an attacker to access certain unencrypted sensitive parameters which would otherwise be restricted. To fix this problem, apply the patches contained in the «Support Package Patches» section. CVSS v3 Base Score: 7.7 / 10 (CVE-2022-39014).
- Insufficient Firefighter Session Expiration in SAP GRC Access Control Emergency Access Management (3237075): SAP GRC Access Control Emergency Access Management allows an authenticated attacker to access a Firefighter session even after it is closed in the Firefighter Logon Pad. This attack can be launched only from within the firewall. On successful exploitation, the attacker can gain access to an admin session and completely compromise the application. To solve this issue, implement the correction instructions on all plug-in systems where Web Based Firefighter is used. With this fix, the Firefighter session will be detected using SM04 and SM05 information. To correctly retrieve the SM05 data, the RFC user must have the following authorization object assigned: ‘S_ADMI_FCD’, ID: ‘S_ADMI_FCD’ and field: ‘PADM’. The minimum version required to apply the fix is SAP NetWeaver Enhancement Package 2 for 7.0 Support Package Stack 00. Below this level, the fix has no effect and we suggest you upgrade your SAP Basis level. CVSS v3 Base Score: 7.1 / 10 (CVE-2022-39801).
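As an added example (not Inprosec's, SAP's or SAP Business One's own code), the check below implements the condition behind the Windows Unquoted Service Path note (3223392) above: a service executable path that contains spaces and is not enclosed in quotes. It runs offline over constructed sample ImagePath values; on a real host the same functions would be fed the PathName of each Win32_Service or the ImagePath values under HKLM\SYSTEM\CurrentControlSet\Services, and the quoted form it produces is the usual remediation when a vendor patch is not yet applied.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample values in the shape of Windows service ImagePath / PathName
# entries; they are not taken from any real SAP Business One installation.
SAMPLE_SERVICE_PATHS: Dict[str, str] = {
    "SampleSvcQuoted": '"C:\\Program Files\\Sample Vendor\\Service Host\\app_svc.exe" -run',
    "SampleSvcNoSpaces": "C:\\Windows\\system32\\svchost.exe -k netsvcs",
    "SampleSvcUnquoted": "C:\\Program Files\\Sample Vendor\\Service Host\\app_svc.exe -run",
    "SampleSvcUnquotedNoArgs": "C:\\Program Files (x86)\\Sample Vendor\\agent.exe",
}

_EXE_RE = re.compile(r"\.exe", re.IGNORECASE)

def split_image_path(image_path: str) -> Tuple[str, str]:
    """Split a service command line into (executable_path, arguments).
    A quoted path ends at the closing quote; an unquoted one is taken to end at
    the first '.exe' token (heuristic: assumes no directory name contains '.exe')."""
    p = image_path.strip()
    if p.startswith('"'):
        end = p.find('"', 1)
        if end == -1:
            return p.strip('"'), ""
        return p[1:end], p[end + 1:].strip()
    m = _EXE_RE.search(p)
    if m is None:
        return p, ""
    return p[:m.end()], p[m.end():].strip()

def is_unquoted_service_path(image_path: str) -> bool:
    """True when the executable path is unquoted and contains a space: the
    condition behind the Unquoted Service Path issue described in the note."""
    if image_path.strip().startswith('"'):
        return False
    exe, _ = split_image_path(image_path)
    return " " in exe

def quote_image_path(image_path: str) -> str:
    """Return the remediated command line with the executable path quoted."""
    exe, args = split_image_path(image_path)
    return f'"{exe}"' + (f" {args}" if args else "")

def audit_services(services: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (service_name, current_path, fixed_path) for each vulnerable entry."""
    return [(name, path, quote_image_path(path))
            for name, path in services.items() if is_unquoted_service_path(path)]

if __name__ == "__main__":
    for name, current, fixed in audit_services(SAMPLE_SERVICE_PATHS):
        print(f"{name}: {current} -> {fixed}")
```

Entries whose executable lives under a directory that unprivileged users cannot write to are lower risk, but quoting the path removes the ambiguity regardless, so every finding is worth fixing.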
Other references, from SAP and Onapsis (September):
- SAP Access Control, Version – 12
- SAP Business Client, Versions – 6.5, 7.0, 7.70
- SAP Business One, Versions – 10.0
- SAP BusinessObjects Business Intelligence Platform (CMC), Versions – 430
- SAP BusinessObjects Business Intelligence Platform, Versions – 420, 430
- SAP Knowledge Warehouse, Versions – 7.30, 7.31, 7.40, 7.50
- SAP SuccessFactors attachment API for Mobile Application(Android & iOS), Versions <8.0.5