Enterprise software vendor SAP has released its April 2023 security updates for several of its products, which includes fixes for two critical-severity vulnerabilities that impact the SAP Diagnostics Agent and the SAP BusinessObjects Business Intelligence Platform.
In total, SAP has released 24 notes, 19 of which concern new issues of varying importance, and five are updates to previous bulletins.
The three most critical issues fixed this time are:
- CVE-2023-27267: Insufficient input validation and missing authentication issue impacting the OSCommand Bridge of SAP Diagnostics Agent, version 720, enabling an attacker to execute scripts on connected agents and fully compromise the system. (CVSS v3.1 score: 9.0)
- CVE-2023-28765: Information disclosure vulnerability impacting SAP BusinessObjects Business Intelligence Platform (Promotion Management), versions 420 and 430, allowing an attacker with basic privileges to gain access to the lcmbiar file and decrypt it. This would enable the attacker to access the platform’s users’ passwords and take over their accounts to perform additional malicious actions. (CVSS v3.1 score: 9.8)
- CVE-2023-29186: Directory traversal flaw impacting SAP NetWeaver versions 707, 737, 747, and 757, allowing an attacker to upload and overwrite files on the vulnerable SAP server. (CVSS v3.1 score: 8.7)
The remaining 11 security flaws disclosed in SAP’s latest security bulletin concern low to medium-severity vulnerabilities.
While such issues are generally not considered a priority for patching, they are still leveraged in attacks, especially as part of complex attack chains, so they should be taken care of nonetheless.
Speedy patching important
Hackers are always on the look for critical-severity flaws in widely deployed products like those of SAP, which are commonplace in large corporate networks.
SAP is the largest ERP vendor in the world, having 24% of the global market share with 425,000 customers in 180 countries. Over 90% of the Forbes Global 2000 uses its ERP, SCM, PLM, and CRM products.
In February 2022, the US Cybersecurity and Infrastructure Security Agency (CISA) urged admins to patch a set of severe vulnerabilities impacting SAP business apps to prevent data theft, ransomware attacks, and disruption of mission-critical processes and operations.
In April 2021, threat actors were observed attacking fixed flaws in unpatched SAP systems to gain access to corporate networks.
Hence, it is crucially important for SAP system administrators to apply the available security patches as soon as possible.
