Skip links

SAP Cloud Connector Certificate Validation Issue

Date of Release: February 13, 2024

Advisory ID: CVE-2024-25642

Affected Software: SAP Cloud Connector

Versions Affected: 2.15.0 to 2.16.1

Vulnerability Summary:
A critical vulnerability, identified as CVE-2024-25642, has been discovered in SAP Cloud Connector (SCC) due to improper certificate validation. This flaw allows an attacker to impersonate legitimate servers during interactions with SCC, undermining mutual authentication. Consequently, attackers can intercept requests to view or modify sensitive information. Notably, this vulnerability does not impact system availability.

CVSS Score: 7.4 (High)

CVSS Vector:

  • Attack Vector (AV): Network
  • Attack Complexity (AC): High
  • Privileges Required (PR): None
  • User Interaction (UI): None
  • Scope (S): Unchanged
  • Confidentiality Impact (C): High
  • Integrity Impact (I): High
  • Availability Impact (A): None

Symptom:
The vulnerability allows attackers to bypass authentication mechanisms in SCC, posing a significant threat to the confidentiality and integrity of data processed by the Cloud Connector.

Cause:
This issue is a regression introduced in versions 2.15.0 through 2.16.1 of SAP Cloud Connector.

Solution:
The solution involves upgrading to SAP Cloud Connector version 2.16.2, which reintroduces the necessary validation checks. Users can download the updated version from https://tools.hana.ondemand.com/#cloud and should follow the upgrade instructions provided at https://help.sap.com/docs/connectivity/sap-btp-connectivity-cf/upgrade. Further details about the fixes and enhancements included in version 2.16.2 can be found at https://help.sap.com/whats-new/cf0cb2cb149647329b5d02aa96303f56?Component=Connectivity.

Mitigation:
Until the upgrade can be performed, it is recommended to closely monitor network traffic for anomalies that could indicate attempts to exploit this vulnerability and to enforce strict access controls to minimize potential exposure.

Enhancements and Fixes in SAP Cloud Connector 2.16.2:
In addition to addressing the CVE-2024-25642 vulnerability, SAP has released several important enhancements and bug fixes in SAP Cloud Connector version 2.16.2, such as:

  • Connectivity – Transparent Proxy for Kubernetes – Hotfix (Version 1.4.3): Fixes that prevent misconfiguration of the transparent proxy upon restart.
  • Certificate-Based Authentication Fixes: Resolves authentication failures and configuration issues post-upgrade or LDAP setting changes.
  • bgRFC Compatibility Mode and HTTPS Proxy Check: Ensures proper handling of RFC_PING invocations and corrects HTTPS proxy reachability checks.
  • SAProuter String Support and High Availability Role Switching: Introduces support for SAProuter string configurations and a new changeRole script for high availability role management.

Disclaimer:
This advisory provides a comprehensive overview of the CVE-2024-25642 vulnerability and the enhancements introduced in SAP Cloud Connector version 2.16.2. The information is intended for informational purposes only and is not a substitute for detailed security assessments or measures that organizations should conduct based on their system configurations and operational environments.

For More Information:
For additional details and support, visit SAP’s official support page at https://support.sap.com/securitynotes and consult the FAQ section for guidance on addressing this vulnerability.

References:

  • SAP Security Note [CVE-2024-25642]
  • SAP Cloud Connector Version 2.16.2 release notes

Udemy SAP Security Course.

Join “SAP Security Core Concepts and Security Administration” which is part of the Blackhat course series. This course will help you master SAP security fundamentals, from securing SAP environments to managing user access and addressing vulnerabilities. It is ideal for IT professionals and SAP administrators, providing practical skills to safeguard critical business assets. Whether you’re a beginner or an expert looking to deepen your SAP security knowledge, this course is perfect for you.

More to explorer

SAP Hash Cracking Techniques

Understanding Hash Cracking Hashing is a one-way encryption technique employed to ensure data integrity, authenticate information, and secure passwords alongside other sensitive

SAP Security Patch Day – September 2024

As the second Tuesday of September 2024 approaches, SAP administrators and security professionals are preparing for another crucial event: SAP Security Patch

Special offer for SAP Security Udemy course!

$ 9.99

Join “SAP Security Core Concepts and Security Administration” which is part of the Blackhat course series.