
Critical Vulnerability identified in SAP BusinessObjects

October 14, 2024

A critical security vulnerability, identified as CVE-2024-41730, has been disclosed in SAP’s BusinessObjects Business Intelligence (BI) Platform. This vulnerability allows attackers to bypass authentication when Single Sign-On (SSO) is enabled for Enterprise authentication, giving them unauthorised access to the platform through a REST endpoint. With a CVSS score of 9.8, the vulnerability is rated critical: it can compromise the confidentiality, integrity and availability of affected systems. SAP has issued a security advisory with mitigation recommendations, which all affected users should implement as a priority.

Details of the Vulnerability

The vulnerability exists in the SAP BusinessObjects BI Platform, specifically versions ENTERPRISE 430 and 440. If Single Sign-On (SSO) is enabled on Enterprise authentication, an attacker can use a REST API endpoint to acquire a logon token without proper authorisation. With that token the attacker gains unauthorised access to the system and can take complete control of it, potentially resulting in data breaches, tampering with information, and denial-of-service attacks.

Impact Analysis

This vulnerability stems from CWE-862: Missing Authorisation, where the system does not sufficiently enforce permissions, leading to unauthorised access. Given the critical nature of this issue, organisations utilising the affected versions of SAP BusinessObjects BI are highly vulnerable to exploitation, which could have disastrous effects such as:

  • Loss of Confidentiality: Unauthorised access to sensitive data and reports.
  • Integrity Issues: Tampering or modification of critical business intelligence data.
  • Availability Impact: Disruption of services, potentially causing downtime.

Although the vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) Catalog and is not known to be actively exploited by ransomware operators, the risk remains high. Immediate action is advised to mitigate potential threats.

Mitigation and Recommendations

Organisations using SAP BusinessObjects BI Platform (versions ENTERPRISE 430 and 440) should review the latest security notes and install the relevant patches released by SAP to address this critical issue. You can access the release notes and download the necessary updates via the SAP support portal (SAP account login required): SAP Security Advisory August 2024.

Additional Recommendations:

  • Disable Single Sign-On (SSO) if not required, until the patch is applied.
  • Conduct a thorough review of access controls to ensure that unauthorised users cannot exploit this vulnerability.
  • Monitor system logs for any unusual or unauthorised login attempts.
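As an added example (not from the advisory or from SAP), the last recommendation can be turned into a simple check over web-server access logs: flag successful logon-token requests to the REST logon endpoint that come from outside your internal address ranges or repeat rapidly from one source. The endpoint path, the internal ranges and the log lines are assumed placeholders and constructed samples, not values from the advisory.

```python
import ipaddress
import re
from collections import Counter

# Placeholder for the REST logon endpoint path of your deployment: the advisory
# does not name it, so take the real path from your server configuration.
LOGON_ENDPOINT = "/REST_LOGON_ENDPOINT_PLACEHOLDER"
# Address ranges treated as internal for this example (assumed; adjust to yours).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

# Combined-log-format line: ip ident user [ts] "METHOD path proto" status bytes "ref" "ua"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*"$')

# Constructed sample log lines, not real traffic.
SAMPLE_LOG = "\n".join([
    f'10.10.5.21 - - [14/Oct/2024:08:01:02 +0000] "POST {LOGON_ENDPOINT} HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    f'203.0.113.77 - - [14/Oct/2024:08:05:00 +0000] "POST {LOGON_ENDPOINT} HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    f'10.10.9.4 - - [14/Oct/2024:08:06:00 +0000] "POST {LOGON_ENDPOINT} HTTP/1.1" 200 512 "-" "curl/8.4"',
    f'10.10.9.4 - - [14/Oct/2024:08:06:01 +0000] "POST {LOGON_ENDPOINT} HTTP/1.1" 200 512 "-" "curl/8.4"',
    f'10.10.9.4 - - [14/Oct/2024:08:06:02 +0000] "POST {LOGON_ENDPOINT} HTTP/1.1" 200 512 "-" "curl/8.4"',
    f'10.10.9.4 - - [14/Oct/2024:08:06:03 +0000] "POST {LOGON_ENDPOINT} HTTP/1.1" 200 512 "-" "curl/8.4"',
    f'10.10.5.30 - - [14/Oct/2024:08:07:00 +0000] "POST {LOGON_ENDPOINT} HTTP/1.1" 401 128 "-" "Mozilla/5.0"',
])

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def find_suspicious_logons(log_text, max_per_source=3):
    """Return sorted (ip, reason) pairs for successful logon-token requests that
    come from outside INTERNAL_NETS or exceed max_per_source from one address."""
    successes = Counter()
    findings = set()
    for line in log_text.splitlines():
        rec = LOG_RE.match(line)
        if not rec:
            continue
        # Only successful (HTTP 200) POSTs to the logon endpoint issue a token.
        if rec["method"] != "POST" or rec["path"] != LOGON_ENDPOINT or rec["status"] != "200":
            continue
        ip = rec["ip"]
        successes[ip] += 1
        if not is_internal(ip):
            findings.add((ip, "logon token issued to external source"))
        if successes[ip] > max_per_source:
            findings.add((ip, "repeated logon-token requests from one source"))
    return sorted(findings)
```

Failed attempts (non-200 responses) are deliberately skipped here; in practice they belong in a separate brute-force rule so that a burst of failures followed by a single success is also visible.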

The CVE-2024-41730 vulnerability poses a critical risk to organisations using the affected versions of SAP BusinessObjects BI Platform. With its high severity score, rapid mitigation is essential to prevent system compromise. Organisations should prioritise applying SAP’s security patches and follow best practices for securing their systems against potential exploitation.

