SAP Archives – Gridinsoft Blog
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.

Critical SAP Auth Bypass and SSRF Flaws Fixed, Update Now
https://gridinsoft.com/blogs/critical-sap-auth-bypass-ssrf-vulnerabilities-fixed/
Wed, 14 Aug 2024 14:30:31 +0000
SAP, the developer of business management software, released a huge security update that fixes numerous vulnerabilities in their software. Among them are severe authentication bypass and server-side request forgery vulnerabilities rated at CVSS 9.8 and 9.1 respectively. The company urges installing updates as soon as possible, as the mentioned flaws affect a substantial number of customers.

SAP Uncovers Auth Bypass and Request Forgery Vulnerabilities

In their latest update, released on August 13, 2024, SAP disclosed fixes for 17 security flaws, 6 of which are considered critical. Only two of them, however, drew the most attention from security researchers: CVE-2024-41730 and CVE-2024-29415. For good reason, too: both have CVSS ratings above 9 and may lead to painful consequences if exploited by adversaries.

Image: Update notes for the August 2024 security update from SAP

The first one, CVE-2024-41730, is an authentication bypass vulnerability that allows adversaries to extract logon tokens for the SAP Business Intelligence Platform. Exploitation has a prerequisite: the system must have Single Sign On (SSO) enabled for Enterprise authentication. That setting is quite common, however, so it is not much of an obstacle. Holding a valid auth token for the application effectively means taking it over, with the potential for data leaks and/or malware deployment.

The CVE-2024-29415 flaw, if exploited successfully, enables server-side request forgery (SSRF). The affected software fails to classify some IP addresses correctly, treating localhost (127.0.0.1) and similar addresses as globally routable. In simple terms, an attacker can make the server connect to an arbitrary IP address, bypassing its current security configuration. Such a trick can result in massive data leaks and infrastructure exposure. It is also worth noting that the flaw likely stems from an incorrect fix of a previous, similar vulnerability, CVE-2023-42282.

List of critical flaws that SAP fixed in the August 2024 patch

Vulnerability      Severity score
CVE-2024-41730     9.8
CVE-2024-29415     9.1
CVE-2024-42374     8.2
CVE-2023-30533     7.8
CVE-2024-34688     7.5
CVE-2024-33003     7.4

SAP Critical Vulnerabilities – Patches Available

Fortunately for SAP's massive customer base, the fixes are available right away. The company likely learned of the vulnerabilities quite some time ago but did not disclose them publicly before having a proper fix. The list of affected software and fixed versions is exceptionally long, so if you use SAP products, check for updates and install them right away.

Unsurprisingly, given the large number of fixes, the company does not offer any mitigation instructions. One could suggest disabling SSO for Enterprise authentication, but that is a less than favorable option. In general, mitigations are only worthwhile when a proper fix is absent, and in this case the fix is already available.

The post Critical SAP Auth Bypass and SSRF Flaws Fixed, Update Now appeared first on Gridinsoft Blog.

PoC exploit appeared for RECON vulnerability
https://gridinsoft.com/blogs/for-recon-vulnerability-appeared-poc-exploit/
Thu, 16 Jul 2020 16:28:19 +0000
Earlier this week, it became known that SAP engineers fixed the dangerous bug CVE-2020-6287, which affects most of the company’s customers and applications. The vulnerability is called RECON, and a PoC exploit for it has already appeared.

The other day I talked a little about this vulnerability in the “Update Tuesday” review, which turned out to be quite huge this month.

Back in May this year, experts from Onapsis, a security company specializing in cloud security, discovered the bug. They named the vulnerability RECON (an abbreviation for Remotely Exploitable Code On NetWeaver), and it received a score of 10 out of 10 on the CVSSv3 vulnerability rating scale.

Let me remind you that such a score means the bug is extremely easy to exploit and requires almost no technical knowledge. The vulnerability can also be used in automated remote attacks and does not require the attacker to already have an account in the SAP application or to know anyone’s credentials.

“The bug is in a default component that is part of all SAP applications running on the Java stack of SAP NetWeaver versions 7.30-7.5. It concerns the LM Configuration Wizard component, which is part of the SAP NetWeaver Application Server (AS),” said Onapsis experts.

In their report, the researchers warned that the problem allows attackers to bypass all access control and authorization mechanisms and create new accounts with maximum privileges in SAP applications accessible from the Internet. In essence, this gives hackers full control over the SAP resources of compromised companies.

A scan conducted by the researchers found about 2500 SAP systems currently vulnerable to RECON exposed on the Internet (33% in North America, 29% in Europe and 27% in the Asia-Pacific region).

“The number of companies threatened by this problem is approximately 40,000, although not all of them expose vulnerable applications on the Internet,” suggested Onapsis experts.

Also this week, SAP engineers fixed another vulnerability, tracked as CVE-2020-6286. This bug allows an unauthenticated attacker to upload ZIP files to a specific directory, which ultimately leads to directory traversal.

Bad Packets warned yesterday that PoC exploits for both of these vulnerabilities have already appeared on GitHub.

“Moreover, the first scans searching for vulnerable systems have already been noticed,” warn Bad Packets researchers.

The Bleeping Computer publication notes that the published exploit, fortunately, does not provide remote code execution (the researcher did not take the risk of publishing the RCE tool in the public domain), but does allow downloading arbitrary ZIP archives from vulnerable systems.

Specialists once again remind all administrators of the need to install the patches urgently.

The post PoC exploit appeared for RECON vulnerability appeared first on Gridinsoft Blog.

On June “Patch Tuesday” Microsoft fixed 129 vulnerabilities in its products
https://gridinsoft.com/blogs/on-june-patch-tuesday-microsoft-fixed-129-vulnerabilities-in-its-products/
Wed, 10 Jun 2020 16:13:05 +0000
This month’s “Patch Tuesday” became the largest in Microsoft’s history: 129 vulnerabilities were fixed at once. March 2020, with 115 fixes, is in second place, and April 2020, with 113 fixes, is third.

February’s “Patch Tuesday” brought a “mere” 100 Microsoft patches, but among them was the sensational 0-day vulnerability in Internet Explorer, which attackers were actively exploiting.

Overall, the total number of fixes issued by the company this year stands at 616, almost the same as for the whole of 2017.

“This time there were no 0-day vulnerabilities, which means that none of the fixed bugs was under attack,” said Microsoft engineers.

Of all 129 vulnerabilities, only 11 received critical status (they affect Windows itself, the Edge and Internet Explorer browsers, as well as SharePoint).

Another 109 problems are rated as important (they affect Windows, the company’s browsers, Office, Windows Defender, Dynamics, Visual Studio, Azure DevOps and Android applications).

The most serious problems this month include:

  • CVE-2020-1181 – remote code execution in Microsoft SharePoint
  • CVE-2020-1225, CVE-2020-1226 – remote code execution in Microsoft Excel
  • CVE-2020-1223 – remote code execution in Word for Android
  • CVE-2020-1248 – remote code execution in the Windows Graphics Device Interface (GDI)
  • CVE-2020-1281 – remote code execution in Windows OLE
  • CVE-2020-1299 – remote code execution when processing .LNK files
  • CVE-2020-1300 – remote code execution in the print spooler component
  • CVE-2020-1301 – remote code execution in Windows SMB
  • CVE-2020-1213, CVE-2020-1214, CVE-2020-1215, CVE-2020-1216, CVE-2020-1230, CVE-2020-1260 – remote code execution in the VBScript engine

However, Microsoft was not the only vendor to release patches this week. Adobe developers also fixed a number of serious problems in Flash Player, Framemaker and Experience Manager.

SAP developers released 17 security bulletins and prepared patches for Apache Tomcat (CVE-2020-1938), two bugs in SAP Commerce (CVE-2020-6265, CVE-2020-6264), a vulnerability in SAP SuccessFactors (CVE-2020-6279), as well as issues in NetWeaver (CVE-2020-6275).

Intel has fixed more than 20 different vulnerabilities, including bugs in the Innovation Engine (CVE-2020-8675) and the Special Register Buffer (CVE-2020-0543). The latter problem is called CrossTalk, and it allows leaking confidential data from SGX enclaves.

The post On June “Patch Tuesday” Microsoft fixed 129 vulnerabilities in its products appeared first on Gridinsoft Blog.
