During its April 2023 Security Patch Day, the German corporate software manufacturer SAP announced a total of 19 new security notes, five of which were classified as “important news” and addressed significant vulnerabilities (2 new flaws: CVE-2023 -27497 and CVE -2023-28765 and 3 updates).
The vulnerability in SAP Diagnostics Agent known as CVE-2023-27497, which has a CVSS score of 10, is the most severe of all (OSCommand Bridge and EventLogServiceCollector). An adversary can execute malicious scripts on all connected diagnostic agents running on Windows if the SAP Diagnostics Agent EventLogServiceCollector, version 720, does not perform authentication or code input sanitization. This vulnerability was discovered in SAP Diagnostics Agent version 720. If the exploit is effective, the attacker has the potential to completely compromise not only the confidentiality of the system, but also its integrity and availability.
An attacker can use CVE-2023-27267 to run scripts on connected diagnostic agents by exploiting the lack of authentication and poor input validation in the OSCommand Bridge of SAP Diagnostics Agent version 720. This flaw can be found in the OSCommand Bridge. A successful exploit has the potential to result in a complete system breach.
An attacker with basic rights in SAP BusinessObjects Business Intelligence Platform (Promotion Management), versions 420, 430 can exploit the issue to gain access to the lcmbiar file and then decrypt the file using CVE-2023-28765. Once an attacker has gained access to a Business Intelligence (BI) user’s credentials, she can undertake activities that, depending on the BI user’s rights, can fully compromise the program.
This month, SAP also revealed that it would release a high-priority security note that would patch a hole in SAP NetWeaver.
The remaining eleven security notes that SAP issued this week deal with vulnerabilities that are classified as medium or low severity.
He is a well-known expert in mobile security and malware analysis. He studied Computer Science at NYU and started working as a cyber security analyst in 2003. He is actively working as an anti-malware expert. He has also worked for security companies like Kaspersky Lab. His daily work includes investigating new malware and cybersecurity incidents. He also has a deep level of knowledge in mobile security and mobile vulnerabilities.
Send news tips to [email protected] or www.instagram.com/iicsorg/
You can also find us on Telegram www.t.me/noticiasciberseguridad