SAP S/4HANA and Commerce Cloud Critical Vulnerabilities — Patch Now
- [01] Attackers can bypass authentication or execute arbitrary code on unpatched SAP systems, leading to the full compromise of sensitive business data.
- [02] Impacted products include SAP BusinessObjects Business Intelligence Platform, SAP Build Apps, SAP Commerce Cloud, and SAP S/4HANA.
- [03] Organizations must apply the August 2024 SAP Security Notes immediately to remediate these high-severity and critical flaws.
SAP has released its August 2024 Security Notes, addressing a total of 25 vulnerabilities (17 new notes and 8 updated ones) across its product suite. The update is significant because it carries several high-priority patches for enterprise-grade applications. According to SecurityWeek, the release includes two vulnerabilities rated ‘HotNews’, SAP’s highest severity category, and several other high-impact findings affecting S/4HANA and Commerce Cloud.
Technical Analysis of CVE-2024-41730
The most critical CVE addressed this month is CVE-2024-41730, which carries a CVSS score of 9.8. The flaw resides in the SAP BusinessObjects Business Intelligence Platform (versions 430 and 440) and stems from a missing authentication check when Single Sign-On (SSO) is enabled on Enterprise authentication. If the cms.ips.ffoe.auth.enable property is active, an unauthenticated attacker can obtain a logon token from a REST endpoint and use it as a fully authenticated session, with high impact on confidentiality, integrity and availability.
Given the role of BusinessObjects in handling sensitive corporate analytics and financial data, exploitation could lead to large-scale data exfiltration or unauthorized modification of reports. Detection is not straightforward, because the flaw skips the credential check rather than failing it: defenders should audit Central Management Server (CMS) authentication and logon-token events, flag sessions that appear without a corresponding identity-provider login, and look for anomalous access patterns to the CMS from unexpected source addresses.
Understanding the CVE-2024-29415 SSRF Risk
The second ‘HotNews’ item is CVE-2024-29415, a Server-Side Request Forgery (SSRF) vulnerability affecting SAP Build Apps, with a CVSS score of 9.1. The underlying bug sits in the ip package for Node.js, whose isPublic check misclassifies certain address spellings (for example 127.1, 012.1.2.3 or ::ffff:127.0.0.1) as publicly routable, so an attacker can steer the server into requests to loopback, internal or link-local targets that a string-based check would otherwise block. In a cloud-native or hybrid environment this exposes internal services that are not reachable from the public internet, including instance metadata endpoints, and can facilitate lateral movement.
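To make the bypass concrete, the following JavaScript is an added example written for this page; it is neither SAP's code nor the ip package's own source. naiveIsPublic imitates the vulnerable pattern of matching private ranges against the raw address string; parseIPv4Loose reproduces inet_aton semantics (shorthand, octal and hex octets, last part filling the remaining bytes) so that hardenedIsPublic classifies the address the socket layer would actually connect to. The private-range list is illustrative, the sample inputs are constructed from the spellings named in the CVE description, and all function names are this example's own.

```javascript
// Added example for this page: not SAP code and not the `ip` package's source.
// Shows the CVE-2024-29415 bug class: a private-range check that pattern-matches the
// *text* of an address, while the socket layer (inet_aton semantics) accepts shorthand,
// octal and hex spellings that connect to the same loopback or internal host.

// Illustrative private/special ranges as dotted-quad regexes (not an exhaustive list).
const PRIVATE_V4 = [
  /^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/,            // loopback
  /^10\.\d{1,3}\.\d{1,3}\.\d{1,3}$/,             // RFC 1918
  /^172\.(1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3}$/, // RFC 1918
  /^192\.168\.\d{1,3}\.\d{1,3}$/,                // RFC 1918
  /^169\.254\.\d{1,3}\.\d{1,3}$/,                // link-local (cloud metadata endpoints)
  /^0\.\d{1,3}\.\d{1,3}\.\d{1,3}$/,              // "this" network
];

// Vulnerable pattern: decide on the raw string the caller supplied.
// "127.1", "0x7f.1" or "012.1.2.3" match none of the regexes and are treated as public.
function naiveIsPublic(host) {
  return !PRIVATE_V4.some((re) => re.test(host));
}

// inet_aton-style parser: 1 to 4 dot-separated parts, each decimal, 0x-hex or leading-0
// octal. The last part fills all remaining bytes, so "127.1" is 127.0.0.1 and
// "01200034567" is one 32-bit octal number. Returns an unsigned 32-bit number, or null.
function parseIPv4Loose(s) {
  const parts = s.split('.');
  if (parts.length > 4) return null;
  const vals = [];
  for (const p of parts) {
    let v;
    if (/^0[xX][0-9a-fA-F]+$/.test(p)) v = parseInt(p.slice(2), 16);
    else if (/^0[0-7]+$/.test(p)) v = parseInt(p.slice(1), 8);
    else if (/^(0|[1-9]\d*)$/.test(p)) v = parseInt(p, 10);
    else return null;
    vals.push(v);
  }
  const last = vals.pop();
  const tailBytes = 4 - vals.length;            // bytes covered by the last part
  if (vals.some((v) => v > 255)) return null;   // leading parts are single octets
  if (last >= 2 ** (8 * tailBytes)) return null;
  let addr = 0;
  for (const v of vals) addr = addr * 256 + v;
  return (addr * 2 ** (8 * tailBytes) + last) >>> 0;
}

// Canonical dotted-quad form of a 32-bit address.
function toDotted(addr) {
  return [addr >>> 24, (addr >>> 16) & 255, (addr >>> 8) & 255, addr & 255].join('.');
}

// Hardened check: canonicalise first, then classify; refuse anything that cannot be
// canonicalised here (bare IPv6, hostnames) instead of letting it fall through as
// "public". A real deployment resolves hostnames and re-checks every resolved address.
function hardenedIsPublic(host) {
  let h = host.trim();
  const mapped = /^\[?::ffff:([^\]]+)\]?$/i.exec(h);   // IPv4-mapped IPv6, e.g. ::ffff:127.0.0.1
  if (mapped) h = mapped[1];
  const addr = parseIPv4Loose(h);
  if (addr === null) return false;                     // fail closed on what we cannot parse
  return !PRIVATE_V4.some((re) => re.test(toDotted(addr)));
}

// Constructed inputs, taken from the spellings listed in the CVE description plus controls.
const SAMPLES = ['127.0.0.1', '127.1', '0x7f.1', '012.1.2.3', '01200034567',
                 '::ffff:127.0.0.1', '000:0:0000::01', '169.254.169.254', '8.8.8.8'];

if (typeof require !== 'undefined' && require.main === module) {
  for (const s of SAMPLES) {
    const a = parseIPv4Loose(s.replace(/^::ffff:/i, ''));
    console.log(s.padEnd(18), 'canonical:', (a === null ? 'n/a' : toDotted(a)).padEnd(16),
      'naive:', naiveIsPublic(s), 'hardened:', hardenedIsPublic(s));
  }
}
```

Running the block prints, for each sample, the canonical address and both verdicts; the naive check lets every non-canonical spelling through while rejecting only the textbook 127.0.0.1. The fail-closed branch in hardenedIsPublic is the point: the safe decision is made on the address that will actually be dialled, and anything the checker cannot normalise is refused rather than handed to the network layer, which would happily resolve it.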
SAP S/4HANA security patch guidance
SAP S/4HANA, the cornerstone of many enterprise resource planning (ERP) systems, received multiple updates. Of particular concern is CVE-2024-34688, a Denial of Service (DoS) vulnerability in the Financial Overdue Receivables component. This flaw occurs because the system fails to perform an authorization check, potentially allowing an attacker to exhaust system resources. Additionally, CVE-2024-39591 affects the SAP S/4HANA (Manage Sales Contracts) application, where improper authorization could lead to information disclosure or unauthorized data manipulation.
Patching SAP Commerce Cloud is equally urgent. CVE-2024-33003 and CVE-2024-33006 both affect the platform: CVE-2024-33003 involves improper sandboxing that could lead to information disclosure, and CVE-2024-33006 is a separate information disclosure issue. Although they carry lower CVSS scores than the BusinessObjects flaw, a customer-facing commerce front end is an attractive target for attackers seeking customer data or transaction details.
Mitigation and Defense-in-Depth
Defenders should prioritize the application of SAP Notes 3474590 and 3482722, which address the most critical vulnerabilities. Beyond patching, organizations should adopt a Zero Trust architecture to limit the impact of authentication bypasses, with one caveat: multi-factor authentication (MFA) does not help against CVE-2024-41730, because the flaw skips the authentication check altogether rather than weakening it, so restricting network reachability of the BI Platform REST endpoints and CMS to trusted sources matters more until the patch is applied. For the SSRF in SAP Build Apps, egress filtering from the application hosts limits what a forged request can reach. SOC teams should have SAP logs integrated into their SIEM for real-time monitoring, and for cloud-based instances, EDR on the underlying infrastructure can help detect the post-exploitation activity that typically follows an initial RCE or authentication bypass.