
WARNING: CRITICAL VULNERABILITIES IN MULTIPLE SAP PRODUCTS

Reference: Advisory #2023-79
Version: 1.0
Affected software:
For Chromium browser control - SAP Business Client versions 6.5, 7.0 and 7.70
For CVE-2023-36922 - SAP ECC and SAP S/4HANA (IS-OIL) versions 600, 602, 603, 604, 605, 606, 617, 618, 800, 802, 803, 804, 805, 806, 807
For CVE-2023-33989 - SAP NetWeaver (BI CONT ADD ON) versions 707, 737, 747, 757
Type: OS command injection, Directory traversal
CVE/CVSS:

Vulnerability in Chromium browser control

CVE-2023-36922

CVE-2023-33989

Sources

SAP Security Patch Day July 2023 - https://dam.sap.com/mac/app/e/pdf/preview/embed/ucQrx6G?ltr=a&rc=10

SAP note 2622660 - https://me.sap.com/notes/2622660

SAP note 3350297 - https://me.sap.com/notes/3350297

SAP note 3331376 - https://me.sap.com/notes/3331376

Risks

Vulnerability in Chromium browser control

Failing to update SAP Business Client to the latest patch exposes users to security risks when displaying web pages, including information disclosure and system crashes, among others.

Enterprise resource planning (ERP) software

By successfully exploiting CVE-2023-36922, an authenticated attacker could inject an arbitrary operating system command into an unprotected parameter of a vulnerable transaction and program. This would allow the attacker to read or modify data as well as shut down the system.

By successfully exploiting CVE-2023-33989, a threat actor could overwrite certain OS files, potentially compromising the system.

These vulnerabilities are independent from each other and can be exploited separately.

Description

Vulnerability in Chromium browser control

Chromium is an open-source software used in many browsers. Browser control for SAP Business Client uses Chromium. Security corrections for this browser control are shipped with SAP Business Client patches.

If the latest patch of SAP Business Client is not applied, displaying web pages via this open-source browser control can lead to security risks including, but not limited to, information disclosure, excessive memory consumption and system crashes, weakening the confidentiality, integrity and availability of affected systems.

Enterprise resource planning (ERP) software

SAP ECC and S/4HANA (IS-OIL) are enterprise resource planning (ERP) software within SAP Business Suite. While SAP ECC is an on-prem ERP system, S/4HANA is a cloud-based ERP. Both rely on SAP NetWeaver, a technology platform that allows users to integrate and manage various applications.

CVE-2023-36922

There is an exploitable programming error in a function module or report in certain versions of SAP NetWeaver ABAP (IS-OIL). It could allow an authenticated attacker to inject an arbitrary operating system command into an unprotected parameter in a common (default) extension. If successfully exploited, the attacker can then read or modify system data as well as shut down the system.

CVE-2023-33989

There is a directory traversal flaw in certain versions of SAP NetWeaver (BI CONT ADD ON) that an attacker with non-administrative authorizations can exploit to overwrite system files. Data from confidential files cannot be read, but some OS files can potentially be overwritten, leading to system compromise.

Recommended Actions

The Centre for Cybersecurity Belgium strongly recommends that system administrators take the following actions:

• Patch your systems after thorough testing according to the vendor's instructions.

Chromium-based browser control

Refer to SAP note 2622660 (referenced below) to find the most recent SAP Business Client version and/or patch that contains the most current stable major release of the Chromium browser control.

CVE-2023-36922

Apply the available patch as indicated in Note 3350297 (referenced below). To access the advisory, you must be logged in with a valid SAP ID.

CVE-2023-33989

Apply the available patch as indicated in Note 3331376 (referenced below). To access the advisory, you must be logged in with a valid SAP ID.

References

Note 2622660 - https://me.sap.com/notes/2622660

Note 3350297 - https://me.sap.com/notes/3350297

Note 3331376 - https://me.sap.com/notes/3331376