SAP, the developer of business management software, released a huge security update that fixes numerous vulnerabilities in their software. Among them are severe authentication bypass and server-side request forgery vulnerabilities rated at CVSS 9.8 and 9.1 respectively. The company urges installing updates as soon as possible, as the mentioned flaws affect a substantial number of customers.
SAP Uncovers Auth Bypass and Request Forgery Vulnerabilities
In their latest update, released on August 13, 2024, SAP disclosed fixing 17 security flaws, among which 6 are considered critical. Though only two of them caught the eyes of security researchers the most: CVE-2024-41730 and CVE-2024-29415. And for a good reason – both have CVSS ratings of 9+, and may lead to painful consequences if exploited by adversaries.
First one, CVE-2024-41730, is an authentication bypass vulnerability that allows adversaries to extract logon tokens to SAP Business Intelligence Platform. This has some requirements to successfully work: the system should have Single Sign On (SSO) enabled for Enterprise authentication. Though, it is pretty common to see these settings enabled, so it should not be that much of an obstacle. And having the auth token for the application effectively means taking over it, with the potential of data leaks and/or malware deployment.
The CVE-2024-29415 flaw, in the case of successful exploitation, may cause server-side request forgery (SSRF). Software fails to interpret some of the IP addresses correctly, considering localhost (127.0.0.1) and similar IPs as globally routable. In simple words, hackers can command the server to connect to the arbitrary IP address, ignoring its current security configurations. Such a trick can result in massive data leaks and infrastructure exposure. It is also worth noting that the flaw likely stems from an incorrect fix of the previous similar vulnerability CVE-2023-42282.
List of critical flaws that SAP fixed in the August 2024 patch
| Vulnerability | Severity Score |
|---|---|
| CVE-2024-41730 | 9.8 |
| CVE-2024-29415 | 9.1 |
| CVE-2024-42374 | 8.2 |
| CVE-2023-30533 | 7.8 |
| CVE-2024-34688 | 7.5 |
| CVE-2024-33003 | 7.4 |
SAP Critical Vulnerabilities – Patches Available
Fortunately for the massive customer base of SAP products, the fixes are available right away. The company likely acknowledged the vulnerabilities quite some time ago, but never disclosed them publicly before having a proper fix. The list of software and versions that contain the fix is exceptionally huge, so if you use SAP, consider checking for updates and installing them right away.
Obviously, with such a large number of fixes, the company does not offer any mitigation instructions. Sure enough, one may say about disabling SSO for Enterprise authentication, but that is a less than favorable option. And overall, mitigations are only good when a proper solution is absent, but in this case it is already there.
