SAP has recently fixed 19 vulnerabilities as part of its March 2023 patch day. Five vulnerabilities are rated critical and have also been labeled “hot news” by the vendor.
The critical vulnerabilities affect several versions of the following products:
- SAP Business Objects Business Intelligence Platform (CMC)
- SAP NetWeaver AS for Java
- SAP NetWeaver Application Server for ABAP and ABAP Platform
- SAP NetWeaver AS for ABAP and ABAP Platform (SAPRSBRO Program)
- SAP Business Objects (Adaptive Job Server)
What Do These SAP Vulnerabilities Allow?
The first is CVE-2023-23857 (CVSS score: 9.8), an improper access control issue in the Locking Service of SAP NetWeaver AS for Java that could allow an unauthenticated attacker to "attach to an open interface and make use of an open naming and directory API to access services".
The second issue is CVE-2023-27269 (CVSS score: 9.6), a critical directory traversal problem in SAP NetWeaver Application Server for ABAP (versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, and 791) that allows users with non-administrative authorizations to overwrite system files. The attack does not allow any data to be read, but the attacker can overwrite critical operating system files, which can render the system unavailable.
Another hot news note addresses CVE-2023-27500 (CVSS score: 9.6), a directory traversal vulnerability in the SAPRSBRO program of SAP NetWeaver AS for ABAP and ABAP Platform, the platform underlying ERP and S/4HANA. SAP's fix disables the program outright, so that it can no longer be used by users with "non-administrative authorizations to overwrite arbitrary critical OS files".
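CVE-2023-27269 and CVE-2023-27500 are the same class of flaw: a file name chosen by a low-privileged caller is joined onto a server-side directory and used without checking that the result still lies inside that directory. The Python below is an added example written for this article, not SAP code and not SAP's fix; it puts the vulnerable join beside a hardened resolver and runs both over constructed file names. The base directory (/usr/sap/export) and the sample names are assumptions for the demo.

```python
import os

# Constructed example directory; the real SAP paths are not part of this demo.
BASE_DIR = "/usr/sap/export"


def vulnerable_target(base_dir: str, user_name: str) -> str:
    """The flawed pattern: join user input onto the base directory and use the
    result. normpath collapses '..', so '../../../etc/hosts' escapes base_dir."""
    return os.path.normpath(os.path.join(base_dir, user_name))


def safe_target(base_dir: str, user_name: str) -> str:
    """Hardened resolver: reject absolute names and NUL bytes, canonicalise
    (following symlinks) and insist the result is still under base_dir.
    Raises ValueError on any attempt to leave the directory."""
    if not user_name or "\x00" in user_name:
        raise ValueError("empty or NUL-containing file name")
    # os.path.join discards base_dir entirely when the second part is absolute,
    # so absolute names must be rejected before joining.
    if os.path.isabs(user_name) or user_name.startswith("\\"):
        raise ValueError("absolute file names are not allowed")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_name))
    # commonpath, not startswith: '/usr/sap/export2' starts with the base
    # string but is not inside the base directory.
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"{user_name!r} escapes {base_dir}")
    return candidate


# Constructed inputs a non-admin caller might hand to such a program.
SAMPLE_NAMES = [
    "reports/2023/q1.txt",          # legitimate
    "../../../etc/hosts",           # classic traversal
    "reports/../../../etc/passwd",  # traversal hidden behind a valid prefix
    "/etc/passwd",                  # absolute path swallows the base
    "../export2/notes.txt",         # sibling directory with a matching prefix
]


def audit(base_dir: str, names=SAMPLE_NAMES) -> dict:
    """Map each name to ('ok', resolved_path) or ('blocked', reason)."""
    results = {}
    for name in names:
        try:
            results[name] = ("ok", safe_target(base_dir, name))
        except ValueError as exc:
            results[name] = ("blocked", str(exc))
    return results


if __name__ == "__main__":
    for name, (verdict, detail) in audit(BASE_DIR).items():
        print(f"{verdict:8} {name!r:32} -> {detail}")
    # Where the vulnerable join would have written:
    print("vulnerable:", vulnerable_target(BASE_DIR, "../../../etc/hosts"))
```

The point of `realpath` plus `commonpath` rather than a string prefix test is that it catches traversal after a valid prefix, symlinks that point out of the directory, and sibling directories whose names merely start with the base name; an authorization check on the caller is still needed on top of this, since SAP's own description ties the impact to non-administrative users reaching the program at all.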
Depending on the issue, successful exploitation could allow an attacker to execute code remotely, delete arbitrary files at the OS level and so render the system unavailable, cause a denial-of-service (DoS) condition, or trigger a memory corruption bug that discloses technical information about the server.