The enterprise software vendor SAP has released several security updates for its products, two of which address critical-severity vulnerabilities in the SAP Diagnostics Agent and the SAP BusinessObjects Business Intelligence Platform. SAP is the largest Enterprise Resource Planning (ERP) vendor in the world, with over 425,000 customers in 180 countries, and over 90% of the Fortune 2000 companies use SAP. Vulnerabilities in SAP software have been exploited in the wild in the past.
In these April updates, SAP released a total of 24 notes, 19 of which concern new issues and 5 of which are updates to previous issues. The two critical vulnerabilities fixed in these updates are as follows:
- CVE-2023-28765 (CVSS 9.8) – Information disclosure vulnerability impacting SAP BusinessObjects Business Intelligence Platform, versions 420 and 430, which allows an attacker with basic privileges to gain access to the lcmbiar file and decrypt it. This enables the attacker to access the platform’s users’ passwords and take over their accounts to perform additional malicious actions.
- CVE-2023-27267 (CVSS 9.0) – Insufficient input validation and missing authentication vulnerabilities in the OSCommand Bridge of SAP Diagnostics Agent, version 720, which enable attackers to execute scripts on connected agents, leading to full compromise.
In addition to these two critical-severity vulnerabilities, the high-severity CVE-2023-29186, with a CVSS score of 8.7, was also patched. This vulnerability affects versions 707, 737, 747, and 757 of SAP NetWeaver and allows an attacker to upload and overwrite files on the vulnerable SAP server.
As organizations grow larger, they typically employ more third-party software in their environment to assist with everyday tasks. While this saves cost and time and makes sense from a business perspective, from a security perspective it opens a new avenue through which an attack can be carried out. As third-party software becomes a larger part of many organizations' toolsets, it also becomes a larger target for threat actors. If a threat actor finds a vulnerability in a third-party tool, or compromises the tool or its vendor as a whole, they can subsequently exploit that foothold against the large set of organizations that use it.
From a defense standpoint, the best protection against vulnerabilities in third-party software is a robust threat intelligence program and an adequate patching schedule, which together should allow vulnerabilities to be patched before they can be exploited. These updates also demonstrate the need for a defense-in-depth detection strategy: if a vulnerability goes unpatched and is exploited, detection at a different stage of the attack chain still gives defenders a chance to catch the intrusion.
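The patching schedule the paragraph above calls for starts with knowing which of the advisories actually apply to the systems you run. The following is an added example, not part of the original article or any SAP tooling: it encodes the three advisories described on this page (CVE, CVSS score, product and affected versions as listed above) and matches them against a constructed asset inventory to produce a prioritized patch list. The host names, the inventory itself and the per-severity patch deadlines are assumptions made up for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    cve: str
    cvss: float
    product: str
    affected_versions: frozenset  # exact version strings as SAP lists them
    summary: str


# The three advisories described on this page (April SAP patch day).
ADVISORIES = [
    Advisory("CVE-2023-28765", 9.8, "SAP BusinessObjects Business Intelligence Platform",
             frozenset({"420", "430"}), "lcmbiar file information disclosure"),
    Advisory("CVE-2023-27267", 9.0, "SAP Diagnostics Agent",
             frozenset({"720"}), "OSCommand Bridge missing authentication / input validation"),
    Advisory("CVE-2023-29186", 8.7, "SAP NetWeaver",
             frozenset({"707", "737", "747", "757"}), "file upload and overwrite"),
]

# Constructed asset inventory: hypothetical hosts, not from the page.
INVENTORY = [
    {"host": "bi-prod-01", "product": "SAP BusinessObjects Business Intelligence Platform", "version": "430"},
    {"host": "bi-dev-01", "product": "SAP BusinessObjects Business Intelligence Platform", "version": "410"},
    {"host": "diag-agent-07", "product": "SAP Diagnostics Agent", "version": "720"},
    {"host": "erp-app-02", "product": "SAP NetWeaver", "version": "757"},
    {"host": "erp-app-03", "product": "SAP NetWeaver", "version": "702"},
]

# Illustrative patch SLAs in days per severity band (assumed for the example,
# not an SAP or industry-mandated schedule).
PATCH_SLA_DAYS = {"critical": 7, "high": 14, "medium": 30, "low": 90, "none": 0}


def severity_band(cvss: float) -> str:
    """Map a CVSS v3 base score to its qualitative severity band."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    if cvss > 0.0:
        return "low"
    return "none"


def patch_deadline_days(cvss: float) -> int:
    """Days allowed to patch under the assumed SLA for the score's band."""
    return PATCH_SLA_DAYS[severity_band(cvss)]


def match_advisories(inventory, advisories):
    """Return one finding per (host, advisory) pair where the installed
    product and exact version appear in the advisory's affected set,
    ordered by CVSS score descending so the worst exposures come first."""
    findings = []
    for asset in inventory:
        for adv in advisories:
            if asset["product"] == adv.product and asset["version"] in adv.affected_versions:
                findings.append({
                    "host": asset["host"],
                    "cve": adv.cve,
                    "cvss": adv.cvss,
                    "band": severity_band(adv.cvss),
                    "deadline_days": patch_deadline_days(adv.cvss),
                    "summary": adv.summary,
                })
    return sorted(findings, key=lambda f: (-f["cvss"], f["host"]))


def summarize_by_band(findings):
    """Count findings per severity band for a quick status report."""
    counts = {}
    for f in findings:
        counts[f["band"]] = counts.get(f["band"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in match_advisories(INVENTORY, ADVISORIES):
        print(f"{f['host']:14} {f['cve']} CVSS {f['cvss']} ({f['band']}) "
              f"patch within {f['deadline_days']} days: {f['summary']}")
    print(summarize_by_band(match_advisories(INVENTORY, ADVISORIES)))
```

Matching on exact version strings mirrors how SAP lists affected versions in these notes; hosts running a version outside the listed set (here the constructed 410 BI host and 702 NetWeaver host) are deliberately not flagged, which is the conservative behaviour you want from a triage script that feeds a patch queue rather than a guess.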