Successful exploitation could lead to full system compromise

Threat ID:CC-4536

Threat Severity:Medium

Published:14 August 2024 12:59 PM

Summary

Affected platforms

The following platforms are known to be affected:

Versions: ENTERPRISE 420, ENTERPRISE 430, ENTERPRISE 440

SAP BusinessObjects Business Intelligence Platform

Threat details

Proof-of-concept released for CVE-2024-41730

A proof-of-concept has been released for CVE-2024-41730 and NHS England National CSOC now considers exploitation of this vulnerability to be more likely.

Introduction

SAP has released a security update for a missing authentication check vulnerability in BusinessObjects Business Intelligence Platform. The vulnerability, CVE-2024-41730, has a CVSSv3 score of 9.8 and could allow a remote unauthenticated attacker to obtain a logon token using a REST endpoint if Single Sign-On is enabled, potentially leading to full compromise of the system.

Threat updates


19 Nov 2024	Public proof-of-concept released.
8 Oct 2024	Update to previously released Security Note On 8 October 2024, SAP Security Patch Day saw the release of 6 new Security Notes. Further, there were 6 updates to previously released Security Notes, including an additional affected version of SAP BusinessObjects Business Intelligence Platform. ENTERPRISE 420 has been added to the previously mentioned ENTERPRISE 430 and ENTERPRISE 440.

Remediation advice

Affected organisations are encouraged to review the SAP August 2024 Security Notes, SAP October 2024 Security Notes, and apply any relevant updates.

Definitive source of threat updates

https://support.sap.com/en/my-support/knowledge-base/security-notes-news/august-2024.html

https://support.sap.com/en/my-support/knowledge-base/security-notes-news/october-2024.html

CVE Vulnerabilities

StatusPublished

CVE-2024-41730In SAP BusinessObjects Business Intelligence Platform, if Single Signed On is enabled on Enterprise authentication, an unauthorized user can get a logon token using a REST endpoint. The attacker can fully compromise the system resulting in High impact on confidentiality, integrity and availability.

Last edited: 19 November 2024 4:03 pm