Critical flaw fixed in SAP Business One product

Enterprise software giant SAP addressed a critical improper access control vulnerability in its Business One product.

SAP November 2023 Security Patch Day includes three new and three updated security notes. The most severe “hot news” is an improper access control vulnerability, tracked as CVE-2023-31403 (CVSS score of 9.6), that impacts SAP Business One product installation.

“SAP Business One installation – version 10.0, does not perform proper authentication and authorization checks for SMB shared folder.” reads the advisory. “As a result, any malicious user can read and write to the SMB shared folder. Additionally, the files in the folder can be executed or be used by the installation process leading to considerable impact on confidentiality, integrity and availability.”
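The weakness the advisory describes is a share that broad principals can write to and that an installer later consumes. The following is an added defender-side check, not code from SAP or Security Affairs: it lists non-administrative SMB shares on a Windows host whose share-level ACL grants Change or Full to broad principals such as Everyone, Anonymous or Authenticated Users. It assumes the SmbShare module (Windows 8 / Server 2012 or later); the principal list is a constructed starting point.

```powershell
# Added example (not part of the SAP advisory): audit share-level ACLs for broad write access.
# Assumes the SmbShare module; the list of "broad" principals below is a constructed starting point.
$broadPrincipals = @(
    'Everyone',
    'ANONYMOUS LOGON',
    'Authenticated Users',
    'BUILTIN\Users',
    'Guest'
)

# Skip special (administrative) shares such as C$ and IPC$; focus on user-created shares.
$findings = foreach ($share in Get-SmbShare | Where-Object { -not $_.Special }) {
    foreach ($ace in Get-SmbShareAccess -Name $share.Name) {
        $principal = $ace.AccountName
        $isBroad   = $broadPrincipals | Where-Object { $principal -like "*$_" }
        if ($ace.AccessControlType -eq 'Allow' -and
            $ace.AccessRight -in @('Full', 'Change') -and
            $isBroad) {
            [pscustomobject]@{
                Share     = $share.Name
                Path      = $share.Path
                Principal = $principal
                Right     = $ace.AccessRight
            }
        }
    }
}

if ($findings) {
    Write-Warning 'Shares granting Change/Full to broad principals (review against business need):'
    $findings | Format-Table -AutoSize
} else {
    Write-Output 'No user-created shares grant Change/Full to broad principals.'
}
```

Share-level permissions are only half of the picture: effective access is the intersection of the share ACL and the NTFS ACL on the folder, so confirm flagged paths with Get-Acl before deciding on remediation.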

The second Hot News is an update to a security note released on the September 2023 Patch Day: the issue, tracked as CVE-2023-40309 (CVSS score 9.8), is a missing authorization check in SAP CommonCryptoLib.

“SAP CommonCryptoLib does not perform necessary authentication checks, which may result in missing or wrong authorization checks for an authenticated user, resulting in escalation of privileges.” reads the advisory. “Depending on the application and the level of privileges acquired, an attacker could abuse functionality restricted to a particular user group as well as read, modify or delete restricted data.”

The remaining security notes address four medium-severity vulnerabilities. Below is the full list of issues addressed as part of the SAP Security Note #3355658.

| SAP Note | Type | Description | Component | Priority | CVSS |
|---|---|---|---|---|---|
| 2494184 | Update | Cross-Site Request Forgery (CSRF) vulnerability in multiple SAP Sybase products | BC-SYB-SQA | Medium | 6.3 |
| 3355658 | New | [CVE-2023-31403] Improper Access Control vulnerability in SAP Business One product installation | SBO-CRO-SEC | Hot News | 9.6 |
| 3362849 | New | [CVE-2023-41366] Information Disclosure vulnerability in SAP NetWeaver Application Server ABAP and ABAP Platform | BC-CST-IC | Medium | 5.3 |
| 3366410 | New | [CVE-2023-42480] Information Disclosure in NetWeaver AS Java Logon | BC-JAS-SEC | Medium | 5.3 |
| 3333426 | Update | [CVE-2023-42477] Server-Side Request Forgery in SAP NetWeaver AS Java (GRMG Heartbeat application) | BC-JAS-ADM-MON | Medium | 6.5 |
| 3340576 | Update | [CVE-2023-40309] Missing Authorization check in SAP CommonCryptoLib | BC-IAM-SSO-CCL | Hot News | 9.8 |

At this time we are not aware of attacks in the wild exploiting these vulnerabilities.


Pierluigi Paganini


The post Critical flaw fixed in SAP Business One product appeared first on Security Affairs.