SAP, a well-known commercial software provider, has disclosed three new vulnerabilities in its Security Patch Day release for November 2023. In addition, three previously revealed security vulnerabilities have had their security notes updated.
Background:
CVE-2023-31403, an Improper Access Control vulnerability affecting SAP Business One, is the most serious of the recently discovered vulnerabilities.
SAP Business One is an Enterprise Resource Planning (ERP) tool that helps businesses manage financials, purchasing, inventories, sales, customer interactions, analytics, and more.
The second piece of Hot News is an update to a Security Note that was posted on September 2023 Patch Day, the issue being tracked as CVE-2023-40309 (CVSS score 9.8), which is a missing authorization check in SAP CommonCryptoLib.
CVE-2023-31403:
The CVE-2023-31403 vulnerability has a critical CVSS rating of 9.6 and is classified as an Improper Access Control vulnerability. It has an impact on SAP Business One version 10.0. SAP has classified this vulnerability as ‘Hot News’ in its bulletin.
According to the SAP advice, the specific installation fails to perform sufficient authentication and authorization checks for the SMB shared folder, which results in the vulnerability. Because of this error, anonymous users can read and write to the SMB shared folder.
Crystal Report (CR) shared folder, Traditional Mobile app (attachment path), RSP (log folder logic), Job Service, and BAS (file upload folder) are all affected.
Furthermore, the files included within the folder can be executed or used by the installation process, posing a substantial risk to confidentiality, integrity, and availability.
CVE-2023-40309:
CVE-2023-40309, also referred to as Hot News, has a critical CVSS score of 9.8 and was first revealed and patched in September 2023 as part of SAP’s Patch Day. The vulnerability is caused by a missing authorization check, and it affects SAP CommonCryptoLib and many other SAP products.
In particular, SAP CommonCryptoLib fails to execute appropriate authentication checks, which may result in missing or inaccurate permission checks for an authenticated user, potentially leading to privilege escalation.
It is important to note that, depending on the application and the level of privileges obtained, an attacker may be able to exploit functionality restricted to a certain user group and access, edit, or delete restricted data, potentially leading to the entire compromise of the affected application.
Other Vulnerabilities:
CVE-2023-41366 and CVE-2023-42480 are the final two new security notes, both of which are medium-severity vulnerabilities (CVSS scores of 5.3). These are Information Disclosure flaws in NetWeaver Application Server ABAP and ABAP Platform, as well as NetWeaver AS Java Logon.
The patches also include CVE-2023-42477, a medium-severity vulnerability, and another that does not have a CVE name (with CVSS scores of 6.5 and 6.3). CVE-2023-42477 is a Server-Side Request Forgery (SSRF) vulnerability in NetWeaver AS Java, whereas the other flaw in Sybase products allows Cross-Site Request Forgery (CSRF).
The remaining security bulletins address four medium-severity flaws. The entire list of concerns addressed by SAP Security Note #3355658 is provided below.
| SAP Note | Type | Description | Priority | CVSS |
|---|---|---|---|---|
| 2494184 | Update | Cross-Site Request Forgery (CSRF) vulnerability in multiple SAP Sybase products BC-SYB-SQA | Medium | 6.3 |
| 3355658 | New | [CVE-2023-31403] Improper Access Control vulnerability in SAP Business One product installation SBO-CRO-SEC | Hot News | 9.6 |
| 3362849 | New | [CVE-2023-41366] Information Disclosure vulnerability in SAP NetWeaver Application Server ABAP and ABAP Platform BC-CST-IC | Medium | 5.3 |
| 3366410 | New | [CVE-2023-42480] Information Disclosure in NetWeaver AS Java Logon BC-JAS-SEC | Medium | 5.3 |
| 3333426 | Update | [CVE-2023-42477] Server-Side Request Forgery in SAP NetWeaver AS Java (GRMG Heartbeat application) BC-JAS-ADM-MON | Medium | 6.5 |
| 3340576 | Update | [CVE-2023-40309] Missing Authorization check in SAP CommonCryptoLib BC-IAM-SSO-CCL | Hot News | 9.8 |
Recommendations:
Security note 3340576 contains a remedy for SAP Business One version 10.0 SP 2308, and installations on lower support package (SP) levels are also vulnerable to CVE-2023-31403. There are no solutions, and SAP recommends upgrading to SAP Business One 10.0 SP 2308 and installing the offered solution.