SAP Security Patch Day 03/2023


If you look at the high-priority (i.e. CVSS > 8) security notes from March 2023, many different vulnerability types are represented: “Code Injection”, incorrect authorization checks, “Directory Traversal” and “OS Command Execution” – something for every attacker, you might think. After filtering by our SAP HCM system, or rather its installed products and components, 7 of the original 28 notes remain as installable.

Directory Traversal 

With a directory traversal vulnerability, an attacker can read or overwrite files that were never meant to be accessible by manipulating file or path information, and thus, for example, disrupt the operation of the system. The usual countermeasure against directory traversal vulnerabilities is input validation (see also note 14970031). In the case of note 3294595, such an input validation was already built in – but its result (field sy-subrc) was previously evaluated incorrectly.
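How a validation that is present can still be ineffective when sy-subrc is misread, as an added example (not SAP's code and not the actual correction from note 3294595). It assumes the validation is done with the standard function module FILE_VALIDATE_NAME; the report name, the class lcl_path_check, the logical file name ZDEMO_EXPORT and the sample path are hypothetical.

```abap
REPORT zdemo_file_validate.
* Added illustration: not SAP's code, not the correction from note 3294595.
* Assumption: validation uses FILE_VALIDATE_NAME; ZDEMO_EXPORT is a
* hypothetical logical file name maintained in transaction FILE.
CLASS lcl_path_check DEFINITION.
  PUBLIC SECTION.
    CONSTANTS gc_logical TYPE filename-fileintern VALUE 'ZDEMO_EXPORT'.
    CLASS-METHODS validate
      IMPORTING iv_path TYPE csequence RETURNING VALUE(rv_subrc) TYPE i.
    CLASS-METHODS is_allowed_flawed
      IMPORTING iv_path TYPE csequence RETURNING VALUE(rv_ok) TYPE abap_bool.
    CLASS-METHODS is_allowed_hardened
      IMPORTING iv_path TYPE csequence RETURNING VALUE(rv_ok) TYPE abap_bool.
ENDCLASS.

CLASS lcl_path_check IMPLEMENTATION.
  METHOD validate.
    DATA lv_path TYPE c LENGTH 255.
    lv_path = iv_path.
    CALL FUNCTION 'FILE_VALIDATE_NAME'
      EXPORTING  logical_filename           = gc_logical
      CHANGING   physical_filename          = lv_path
      EXCEPTIONS logical_filename_not_found = 1
                 validation_failed          = 2
                 OTHERS                     = 3.
    rv_subrc = sy-subrc. " capture at once, before another statement resets it
  ENDMETHOD.

  METHOD is_allowed_flawed.
    " Flaw: only return code 1 is treated as an error, so validation_failed (2)
    " and OTHERS (3) fall through and the path is accepted.
    IF validate( iv_path ) = 1.
      rv_ok = abap_false.
    ELSE.
      rv_ok = abap_true.
    ENDIF.
  ENDMETHOD.

  METHOD is_allowed_hardened.
    " Fail closed: only return code 0 means the path passed validation.
    IF validate( iv_path ) = 0.
      rv_ok = abap_true.
    ELSE.
      rv_ok = abap_false.
    ENDIF.
  ENDMETHOD.
ENDCLASS.

START-OF-SELECTION.
  DATA gv_path TYPE string VALUE '/tmp/constructed/sample.txt'. " constructed input
  WRITE: / 'flawed:  ', lcl_path_check=>is_allowed_flawed( gv_path ),
         / 'hardened:', lcl_path_check=>is_allowed_hardened( gv_path ).
```

Whenever the function module reports validation_failed, the flawed variant still returns 'X' (allowed), while the hardened variant rejects every non-zero return code.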

Notes 3294954 (perform an additional authorization check) and 3302162 (shut down the report completely) take a different approach than input validation. This is also a useful safeguard, however, and both notes were implemented without any problems.

Generic module execution

Note 3296476 affects several RFC-capable function modules that allow generic module execution – specifically, the name of a called function module can be supplied by the caller. Even if only a few alternatives come into question in this concrete case because of the signature of the function modules, such generic execution should only be offered if it is absolutely necessary. That is apparently not the case here, and the note corrects the code so that the calls are made statically and are thus not exploitable.

Other corrections

The remaining notes could also be implemented without problems. Worth mentioning are 3296328 (Denial of Service) and 3296346 (Multiple Vulnerabilities, including Cross-Site Scripting): here it is noticeable that the corrected code originates from ABAP Unit Test classes. Although these are typically not executed in production environments, development and test systems must also be secured!

Finally, the following applies: better safe than sorry!