SAP NetWeaver AS ABAP Multiple Vulnerabilities (3488039)

medium Nessus Plugin ID 207241

Synopsis

The remote SAP NetWeaver ABAP server may be affected by multiple vulnerabilities.

Description

Multiple vulnerabilities may be present in SAP NetWeaver Application Server ABAP, including the following:

- The RFC enabled function module allows a low privileged user to delete the workplace favourites of any user. This vulnerability could be utilized to identify usernames and access information about the targeted user's workplaces and nodes. There is low impact on integrity and availability of the application. (CVE-2024-42371)

- The RFC enabled function module allows a low privileged user to perform various actions, such as modifying the URLs of any user's favourite nodes and workbook ID. There is low impact on integrity and availability of the application. (CVE-2024-44117)

- The RFC enabled function module allows a low privileged user to perform a denial of service against any user and also to change or delete favourite nodes. By sending a crafted packet to the function module targeting specific parameters, the targeted user will no longer have access to any functionality of SAP GUI. There is low impact on integrity and availability of the application. (CVE-2024-45285)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Apply the appropriate patch according to the vendor advisory.

See Also

https://me.sap.com/notes/3488039

http://www.nessus.org/u?0cdff1da

Plugin Details

Severity: Medium

ID: 207241

File Name: sap_netweaver_as_abap_3488039.nasl

Version: 1.2

Type: remote

Family: Web Servers

Published: 9/13/2024

Updated: 9/16/2024

Configuration: Enable paranoid mode

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 4.0

CVSS v2

Risk Factor: Medium

Base Score: 5.5

Temporal Score: 4.1

Vector: CVSS2#AV:N/AC:L/Au:S/C:N/I:P/A:P

CVSS Score Source: CVE-2024-42371

CVSS v3

Risk Factor: Medium

Base Score: 5.4

Temporal Score: 4.7

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS Score Source: CVE-2024-45285

Vulnerability Information

CPE: cpe:/a:sap:netweaver_application_server

Required KB Items: Settings/ParanoidReport, installed_sw/SAP Netweaver Application Server (AS)

Exploit Ease: No known exploits are available

Patch Publication Date: 9/10/2024

Vulnerability Publication Date: 9/10/2024

Reference Information

CVE: CVE-2024-42371, CVE-2024-42380, CVE-2024-44115, CVE-2024-44116, CVE-2024-44117, CVE-2024-45285

IAVA: 2024-A-0551