Original Article Text


Critical SAP flaw allows remote attackers to bypass authentication

SAP has released its security patch package for August 2024, addressing 17 vulnerabilities, including a critical authentication bypass that could allow remote attackers to fully compromise the system.

The flaw, tracked as CVE-2024-41730 and rated 9.8 under CVSS v3.1, is a "missing authentication check" bug impacting SAP BusinessObjects Business Intelligence Platform versions 430 and 440 and is exploitable under certain conditions.

"In SAP BusinessObjects Business Intelligence Platform, if Single Signed On is enabled on Enterprise authentication, an unauthorized user can get a logon token using a REST endpoint," reads the vendor's description of the flaw. "The attacker can fully compromise the system resulting in High impact on confidentiality, integrity and availability."

The second critical (CVSS v3.1 score: 9.1) vulnerability addressed this time is CVE-2024-29415, a server-side request forgery flaw in applications built with SAP Build Apps older than version 4.11.130.

The flaw concerns a weakness in the 'IP' package for Node.js, which checks whether an IP address is public or private. When octal representation is used, it falsely recognizes '127.0.0.1' as a public and globally routable address. This flaw exists due to an incomplete fix for a similar issue tracked as CVE-2023-42282, which left some cases vulnerable to attacks.

Of the remaining fixes listed in SAP's bulletin for this month, the four that are categorized as "high severity" (CVSS v3.1 score: 7.4 to 8.2) are summarized as follows:

Apply updates now

With SAP being the world's largest ERP vendor and its products used in over 90% of the Forbes Global 2000 list, hackers are always looking for critical authentication bypass flaws that could enable them to access highly valuable corporate networks.
In February 2022, the US Cybersecurity and Infrastructure Security Agency (CISA) urged administrators to patch severe vulnerabilities in SAP business applications to prevent data theft, ransomware, and disruptions to mission-critical operations. Threat actors exploited unpatched SAP systems between June 2020 and March 2021 to infiltrate corporate networks in at least 300 cases.
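The SSRF issue above comes down to an address classifier that trusts the literal spelling of an IPv4 address. The following is an added example, not code from SAP or from the Node.js 'ip' package: it contrasts a naive string-based public/private check with a strict dotted-decimal parser that refuses octal, hexadecimal and shorthand spellings (which system resolvers such as inet_aton accept and map back to 127.0.0.1) before deciding whether an address is public. The function names and the sample addresses are constructed for illustration.

```javascript
// Added example, not code from SAP or from the Node.js 'ip' package.
// Shows the failure mode described in the article: a loopback address
// written in octal ("0177.0.0.1") slipping past a check that only knows
// the canonical spelling, and a stricter parser that rejects such input.

// Naive check of the kind that fails: it compares string prefixes, so any
// non-canonical spelling of loopback or a private range looks "public".
function naiveIsPublic(addr) {
  const nonPublicPrefixes = ['127.', '10.', '192.168.', '169.254.', '0.'];
  if (nonPublicPrefixes.some((p) => addr.startsWith(p))) return false;
  const m = /^172\.(\d+)\./.exec(addr);
  if (m && Number(m[1]) >= 16 && Number(m[1]) <= 31) return false;
  return true;
}

// Strict dotted-decimal IPv4: exactly four octets, each 0-255, no leading
// zeros. This rejects octal ("0177.0.0.1"), hex ("0x7f.0.0.1") and
// shorthand ("127.1") forms that inet_aton-style resolvers would accept.
const STRICT_OCTET = '(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)';
const STRICT_IPV4 = new RegExp(`^${STRICT_OCTET}(\\.${STRICT_OCTET}){3}$`);

function parseStrictIPv4(addr) {
  if (typeof addr !== 'string' || !STRICT_IPV4.test(addr)) return null;
  return addr.split('.').map(Number);
}

// Range classification on octets that have already been validated.
function isNonPublicIPv4([a, b]) {
  if (a === 0 || a === 127 || a === 10) return true;   // this-net, loopback, 10/8
  if (a === 172 && b >= 16 && b <= 31) return true;    // 172.16/12
  if (a === 192 && b === 168) return true;             // 192.168/16
  if (a === 169 && b === 254) return true;             // link-local
  if (a === 100 && b >= 64 && b <= 127) return true;   // shared address space 100.64/10
  return false;
}

// Hardened entry point for an SSRF guard: anything that is not canonical
// dotted-decimal is rejected outright instead of being guessed at.
function classifyAddress(addr) {
  const octets = parseStrictIPv4(addr);
  if (octets === null) return 'reject';
  return isNonPublicIPv4(octets) ? 'private' : 'public';
}

// Constructed sample inputs, including non-canonical spellings of loopback.
const SAMPLES = ['127.0.0.1', '0177.0.0.1', '0x7f.0.0.1', '127.1', '8.8.8.8', '172.20.1.1'];

function demo() {
  return SAMPLES.map((s) => ({
    addr: s,
    naive: naiveIsPublic(s) ? 'public' : 'private',
    strict: classifyAddress(s),
  }));
}

for (const r of demo()) {
  console.log(`${r.addr.padEnd(12)} naive=${r.naive.padEnd(8)} strict=${r.strict}`);
}
```

Running it shows the naive check labelling '0177.0.0.1' as public while the strict parser rejects it; the design choice is to fail closed on any spelling the classifier cannot account for, rather than to enumerate every alternative representation a resolver might accept.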

Daily Brief Summary

CYBERCRIME // SAP Releases Patch for Critical Authentication Bypass Flaw

SAP's August 2024 security update addresses 17 vulnerabilities, including critical issues.

A severe flaw, CVE-2024-41730, affects SAP BusinessObjects Business Intelligence Platform and could allow system compromises.

The critical vulnerability, with a CVSS v3.1 rating of 9.8, enables unauthorized users to exploit single sign-on settings to obtain access tokens.

Another significant flaw, CVE-2024-29415, involves server-side request forgery in SAP Build Apps, stemming from an IP address validation error.

CVE-2024-29415, rated 9.1 under CVSS v3.1, followed an incomplete fix of an earlier issue, leaving certain applications still vulnerable to attacks.

The updates also include fixes for four high-severity vulnerabilities rated between 7.4 and 8.2.

SAP software is crucial for many global corporations, and patching these flaws is critical to preventing potential data theft, ransomware attacks, and operational disruptions.

Historical data shows threat actors have actively exploited such vulnerabilities, with over 300 corporate network infiltrations noted in less than a year.