SAP has rolled out a critical security update addressing 17 vulnerabilities, including two high-severity flaws that could potentially lead to severe consequences for organizations. The most critical issue, CVE-2024-41730, could allow unauthorized access to SAP BusinessObjects Business Intelligence Platform systems.

Critical Authentication Bypass Vulnerability

One of the most concerning issues resolved in this patch is the critical vulnerability tracked as CVE-2024-41730. This flaw, rated 9.8 on the CVSS v3.1 scale, is classified as a "missing authentication check" bug. 

It impacts SAP BusinessObjects Business Intelligence Platform versions 430 and 440, and under specific conditions, it can be exploited by remote attackers.

If Single Sign-On (SSO) is enabled on Enterprise authentication, an unauthorized user could obtain a logon token using a REST endpoint, effectively bypassing authentication and gaining full access to the system. This vulnerability could potentially expose sensitive data and critical business operations to malicious actors.

Related Article: Almost 2.7 Billion Data Records From National Public Data Leaked in Hacking Forum

Server-Side Request Forgery in SAP Build Apps

According to Bleeping Computer, another critical issue addressed in this update is CVE-2024-29415, a server-side request forgery (SSRF) flaw found in SAP Build Apps versions older than 4.11.130. With a CVSS v3.1 score of 9.1, this vulnerability poses a significant threat to SAP applications.

The flaw arises from a weakness in the 'IP' package for Node.js, which incorrectly identifies the IP address '127.0.0.1' as public and globally routable when expressed in octal notation. This incorrect classification can allow attackers to manipulate IP addresses, leading to unauthorized access and potential exploitation of the system.

This vulnerability is a result of an incomplete fix for a similar issue, CVE-2023-42282, which left some cases vulnerable to exploitation.

High-Severity Vulnerabilities in SAP Products

In addition to the critical vulnerabilities, SAP's August 2024 security bulletin also addresses several high-severity issues, with CVSS v3.1 scores ranging from 7.4 to 8.2. These include:

• CVE-2024-42374: An XML injection vulnerability in SAP BEx Web Java Runtime Export Web Service, affecting versions BI-BASE-E 7.5, BI-BASE-B 7.5, BI-IBC 7.5, BI-BASE-S 7.5, and BIWEBAPP 7.5.
• CVE-2023-30533: A prototype pollution flaw in SAP S/4 HANA's Manage Supply Protection module, impacting library versions of SheetJS CE below 0.19.3.
• CVE-2024-34688: A Denial of Service (DOS) vulnerability in SAP NetWeaver AS Java, specifically targeting the Meta Model Repository component version MMR_SERVER 7.5.
• CVE-2024-33003: An information disclosure issue in SAP Commerce Cloud, affecting versions HY_COM 1808, 1811, 1905, 2005, 2105, 2011, 2205, and COM_CLOUD 2211.

The Importance of Timely Updates

Given SAP's status as the world's largest ERP vendor, with its products being used by over 90% of the Forbes Global 2000 companies, these vulnerabilities represent a significant security risk. 

Hackers are continually searching for critical flaws that allow them to access corporate networks, and unpatched systems are prime targets. The urgency of applying these updates cannot be overstated. 

In February 2022, the US Cybersecurity and Infrastructure Security Agency (CISA) issued a strong warning, urging administrators to patch severe vulnerabilities in SAP applications to prevent data breaches, ransomware attacks, and disruptions to vital business operations.

Between June 2020 and March 2021, threat actors exploited unpatched SAP systems in over 300 documented cases, infiltrating corporate networks and causing significant damage. 

To protect against such threats, it is crucial for organizations to stay updated with SAP's security patches and apply them promptly.

Read Also: Hackers Can Watch Your Screen Through This New Technique, Researchers Warn