Critical SAP flaw allows remote attackers to bypass authentication
SAP has released its security patch package for August 2024, addressing 17 vulnerabilities, including a critical authentication bypass that could allow remote attackers to fully compromise the system.
The flaw, tracked as CVE-2024-41730 and rated 9.8 as per the CVSS v3.1 system, is a “missing authentication check” bug impacting SAP BusinessObjects Business Intelligence Platform versions 430 and 440 and is exploitable under certain conditions.
“In SAP BusinessObjects Business Intelligence Platform, if Single Signed On is enabled on Enterprise authentication, an unauthorized user can get a logon token using a REST endpoint,” reads the vendor’s description of the flaw.
“The attacker can fully compromise the system resulting in High impact on confidentiality, integrity and availability.”
The second critical (CVSS v3.1 score: 9.1) vulnerability addressed this time is CVE-2024-29415, a server-side request forgery flaw in applications built with SAP Build Apps older than version 4.11.130.
The flaw concerns a weakness in the ‘IP’ package for Node.js, which checks whether an IP address is public or private. When octal representation is used, it falsely recognizes ‘127.0.0.1’ as a public and globally routable address.
This flaw exists due to an incomplete fix for a similar issue tracked as CVE-2023-42282, which left some cases vulnerable to attacks.
Of the remaining fixes listed in SAP’s bulletin for this month, the four that are categorized as “high severity” (CVSS v3.1 score: 7.4 to 8.2) are summarized as follows:
- CVE-2024-42374 – XML injection issue in the SAP BEx Web Java Runtime Export Web Service. It affects versions BI-BASE-E 7.5, BI-BASE-B 7.5, BI-IBC 7.5, BI-BASE-S 7.5, and BIWEBAPP 7.5.
- CVE-2023-30533 – Flaw related to prototype pollution in SAP S/4 HANA, specifically within the Manage Supply Protection module, impacting library versions of SheetJS CE that are below 0.19.3.
- CVE-2024-34688 – Denial of Service (DOS) vulnerability in SAP NetWeaver AS Java, specifically affecting the Meta Model Repository component version MMR_SERVER 7.5.
- CVE-2024-33003 – Vulnerability pertaining to an information disclosure issue in SAP Commerce Cloud, affecting versions HY_COM 1808, 1811, 1905, 2005, 2105, 2011, 2205, and COM_CLOUD 2211.
Apply updates now
With SAP being the world’s largest ERP vendor and its products used in over 90% of the Forbes Global 2000 list, hackers are always looking for critical authentication bypass flaws that could enable them to access highly valuable corporate networks.
In February 2022, the US Cybersecurity and Infrastructure Security Agency (CISA) urged administrators to patch severe vulnerabilities in SAP business applications to prevent data theft, ransomware, and disruptions to mission-critical operations.
Threat actors exploited unpatched SAP systems between June 2020 and March 2021 to infiltrate corporate networks in at least 300 cases.