Date of Release: February 13, 2024
Advisory ID: CVE-2024-25642
Affected Software: SAP Cloud Connector
Versions Affected: 2.15.0 to 2.16.1
Vulnerability Summary:
A critical vulnerability, identified as CVE-2024-25642, has been discovered in SAP Cloud Connector (SCC) due to improper certificate validation. This flaw allows an attacker to impersonate legitimate servers during interactions with SCC, undermining mutual authentication. Consequently, attackers can intercept requests to view or modify sensitive information. Notably, this vulnerability does not impact system availability.
CVSS Score: 7.4 (High)
CVSS Vector:
- Attack Vector (AV): Network
- Attack Complexity (AC): High
- Privileges Required (PR): None
- User Interaction (UI): None
- Scope (S): Unchanged
- Confidentiality Impact (C): High
- Integrity Impact (I): High
- Availability Impact (A): None
Symptom:
The vulnerability allows attackers to bypass authentication mechanisms in SCC, posing a significant threat to the confidentiality and integrity of data processed by the Cloud Connector.
Cause:
This issue is a regression introduced in versions 2.15.0 through 2.16.1 of SAP Cloud Connector.
Solution:
The solution involves upgrading to SAP Cloud Connector version 2.16.2, which reintroduces the necessary validation checks. Users can download the updated version from https://tools.hana.ondemand.com/#cloud and should follow the upgrade instructions provided at https://help.sap.com/docs/connectivity/sap-btp-connectivity-cf/upgrade. Further details about the fixes and enhancements included in version 2.16.2 can be found at https://help.sap.com/whats-new/cf0cb2cb149647329b5d02aa96303f56?Component=Connectivity.
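To help check an SCC estate against the affected range stated above, here is an added triage script (example code, not SAP's own tooling); it assumes SCC version strings are plain dotted numerics such as "2.16.1", and the inventory it processes is constructed sample data.

```python
# Added example (not SAP's code): classify SAP Cloud Connector versions
# against the CVE-2024-25642 affected range given in this advisory.
# Assumes dotted numeric version strings like "2.16.1"; the inventory
# below is constructed sample data, not real hosts.
from typing import Dict, Tuple

AFFECTED_MIN = (2, 15, 0)   # first affected release per the advisory
AFFECTED_MAX = (2, 16, 1)   # last affected release per the advisory
FIXED = (2, 16, 2)          # release that reintroduces the validation checks


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.16.1' into (2, 16, 1); raise ValueError on anything else."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised SCC version string: {text!r}")
    nums = tuple(int(p) for p in parts)
    # Pad to three components so '2.16' compares like '2.16.0'.
    return nums + (0,) * (3 - len(nums)) if len(nums) < 3 else nums


def classify(text: str) -> str:
    """Return 'affected', 'fixed' or 'unaffected' for one SCC version."""
    v = parse_version(text)
    if AFFECTED_MIN <= v <= AFFECTED_MAX:
        return "affected"
    if v >= FIXED:
        return "fixed"
    # Builds before 2.15.0 predate the regression described in this advisory.
    return "unaffected"


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map host -> classification, keeping unparsable entries visible."""
    result = {}
    for host, ver in inventory.items():
        try:
            result[host] = classify(ver)
        except ValueError:
            result[host] = "unknown"   # needs manual follow-up
    return result


# Constructed sample inventory, not real hosts.
SAMPLE = {"scc-prod-01": "2.16.1", "scc-prod-02": "2.16.2",
          "scc-dev-01": "2.14.3", "scc-lab-01": "n/a"}

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host}: {status}")
```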
Mitigation:
Until the upgrade can be performed, it is recommended to closely monitor network traffic for anomalies that could indicate attempts to exploit this vulnerability and to enforce strict access controls to minimize potential exposure.
Enhancements and Fixes in SAP Cloud Connector 2.16.2:
In addition to addressing the CVE-2024-25642 vulnerability, SAP has released several important enhancements and bug fixes in SAP Cloud Connector version 2.16.2, such as:
- Connectivity – Transparent Proxy for Kubernetes – Hotfix (Version 1.4.3): Fixes that prevent misconfiguration of the transparent proxy upon restart.
- Certificate-Based Authentication Fixes: Resolves authentication failures and configuration issues post-upgrade or LDAP setting changes.
- bgRFC Compatibility Mode and HTTPS Proxy Check: Ensures proper handling of RFC_PING invocations and corrects HTTPS proxy reachability checks.
- SAProuter String Support and High Availability Role Switching: Introduces support for SAProuter string configurations and a new changeRole script for high availability role management.
Disclaimer:
This advisory provides a comprehensive overview of the CVE-2024-25642 vulnerability and the enhancements introduced in SAP Cloud Connector version 2.16.2. The information is intended for informational purposes only and is not a substitute for detailed security assessments or measures that organizations should conduct based on their system configurations and operational environments.
For More Information:
For additional details and support, visit SAP’s official support page at https://support.sap.com/securitynotes and consult the FAQ section for guidance on addressing this vulnerability.
References:
- SAP Security Note [CVE-2024-25642]
- SAP Cloud Connector Version 2.16.2 release notes