Notas de Seguridad SAP, Febrero 2023

Inprosec a través de sus servicios, como el SAP Security Assessment, ayuda a sus clientes a mejorar los niveles de seguridad de sus sistemas SAP.

Notas Febrero 2023

Resumen y highlights del Mes

El número total de notas/parches ha sido de 26, 14 más que el mes pasado. El número de Hot News disminuye, pasando de 7 a 1 en este mes. Por otro lado, cabe destacar que el número de notas de criticidad alta aumenta pasando de 0 a 5. Como siempre dejaremos las notas medias y bajas sin revisar en este mes, pero daremos detalle de un total de 7 notas (todas las que tengan un CVSS de 7 o mayor).

Tenemos un total de 26 notas para todo el mes (las 26 del patch Tuesday, 21 nuevas y 5 actualizaciones, son 14 notas más que el pasado mes).

Revisaremos en detalle las 5 notas altas, de las que 3 son nuevas y 2 son actualizaciones y la HotNews, que se trata de una actualización:

1. La nota más crítica del mes (con CVSS 10) es la habitual nota relacionada con «Google Chromium».
2. Las siguientes en criticidad (con CVSS 8,8) son 2 notas altas, una relacionada con “Privilege Escalation vulnerability in SAP Start Service” y la otra relacionada con “Code Injection vulnerability in SAP BASIS”, esta última nota se trata de una actualización de una nota lanzada en el Patch Day diciembre de 2022.
3. Las siguientes 2 notas en criticidad (con CVSS 8,5) son 2 notas altas, una relacionada con “Information disclosure vulnerability in SAP BusinessObjects Business Intelligence platform” y la otra relacionada con “Privilege escalation vulnerability in SAP Business Planning and Consolidation”, esta última nota se trata de una actualización de una nota lanzada en el Patch Day diciembre de 2022.
4. La siguiente nota en criticidad (con CVSS 8,4) se trata de una nota alta, relacionada con “Unrestricted Upload of File in SAP BusinessObjects Business Intelligence Platform (CMC)”
5. Este mes el tipo más predominante es “Cross-Site Scripting (XSS)” (10/26 en patch day).

En la gráfica (post febrero 2023 de SAP) podemos ver la clasificación de las notas de febrero además de la evolución y clasificación de los últimos 5 meses anteriores (solo las notas del Sec. Tuesday / Patch Day – by SAP):

Detalle completo

El detalle completo de las notas más relevantes es el siguiente (en inglés):

1. Update – Security updates for the browser control Google Chromium delivered with SAP Business Client (2622660): This security note addresses multiple vulnerabilities in the 3rd party web browser control Chromium, which can be used within SAP Business Client. This note will be modified periodically based on web browser updates by the open-source project Chromium. The note priority is based on the highest CVSS score of all the vulnerabilities fixed in the latest browser release. If the SAP Business Client release is not updated to the latest patch level, displaying web pages in SAP Business Client via this open-source browser control might lead to different vulnerabilities like memory corruption, Information Disclosure and the like. The solution will be to update the SAP Business Client patch to the newest one, which contains the most current stable major release of the Chromium browser control, which passed the SAP internal quality measurements of SAP Business Client. CVSS v3 Base Score: 10 / 10 (Multiple CVE´s).
2. Privilege Escalation vulnerability in SAP Start Service (3285757): An attacker authenticated as a non-admin user with local access to a server port assigned to the SAP Host Agent Service can submit a specially crafted webservice request with an operating system command which will be executed with administrator privileges.  The OS command can read or modify any user or system data and can make the system unavailable. CVSS v3 Base Score: 8,8 / 10 [CVE-2023-24523].
3. Update – Code Injection vulnerability in SAP BASIS (3268172): Due to unrestricted scope of the RFC function module, SAP BASIS allows an authenticated non-administrator attacker to access a system class and execute any of its public methods with parameters provided by the attacker. On successful exploitation the attacker can have full control of the system to which the class belongs, causing high impact on integrity of the application. The update adds that this note is also relevant if you do not use a HANA database on your system. The correction instruction in this note simply deactivates the obsolete but critical code.CVSS v3 Base Score: 8,8 / 10 [CVE-2022-41264].
4. Information disclosure vulnerability in SAP BusinessObjects Business Intelligence platform (3263135): SAP BusinessObjects Business Intelligence platform allows an authenticated attacker to access sensitive information which is otherwise restricted. On successful exploitation, there could be a high impact on confidentiality and limited impact on integrity of the application. CVSS v3 Base Score: 8,5 / 10 [CVE-2023-0020].
5. Update – Privilege escalation vulnerability in SAP Business Planning and Consolidation (3271091): In some SAP standard roles in SAP Business Planning and Consolidation, a transaction code reserved for customer is used. By implementing such transaction code, a malicious user may execute unauthorized transaction functionality. Under specific circumstances, a successful attack could enable an adversary to escalate their privileges to be able to read, change or delete system data. The update simply adds minor text changes. No changes requiring customer intervention have been made. CVSS v3 Base Score: 8,5 / 10 [CVE-2022-41268].
6. Unrestricted Upload of File in SAP BusinessObjects Business Intelligence Platform (CMC) (3256787): SAP BusinessObjects Business Intelligence Platform (CMC) allows an authenticated admin user to upload malicious code that can be executed by the application over the network. On successful exploitation, attacker can perform operations that may completely compromise the application causing high impact on confidentiality, integrity and availability of the application. The note contains a workaround. CVSS v3 Base Score: 8,4 / 10  [CVE-2023-24530].

Enlaces de referencia

Otras referencias, en inglés de SAP y Onapsis (febrero):

Digital Library (sap.com)

SAP Patch Day: February 2023 (onapsis.com)

Recursos afectados

El listado completo de los sistemas/componentes afectados es el siguiente:

• SAP Business Client, Versions – 6.5, 7.0, 7.70
• SAP Business Planning and Consolidation,Versions–SAP_BW 750, 751, 752, 753, 754, 755, 756, 757, DWCORE 200, 300, CPMBPC 810
• SAP BusinessObjects Business Intelligence platform (Analysis edition for OLAP), Versions -420, 430
• SAP BusinessObjects Business Intelligence platform (CMC), Versions -420, 430
• SAP Host Agent Service, Versions -7.21, 7.22
• SAPBASIS, Versions –731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 789, 790, 791