CVE-2022-24396

7.8 HIGH

📋 TL;DR

CVE-2022-24396 is an authentication bypass vulnerability in SAP FRUN Simple Diagnostics Agent versions 1.0 through 1.57. Attackers can access administrative functions via localhost on port 3005 without authentication, allowing them to read, modify, or delete sensitive information and configurations. Organizations using affected versions of this SAP diagnostic tool are vulnerable.

💻 Affected Systems

Products:
  • SAP FRUN Simple Diagnostics Agent
Versions: 1.0 through 1.57
Operating Systems: All supported OS where SAP FRUN Simple Diagnostics Agent runs
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the default configuration and requires no special configuration to be exploitable.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete compromise of the host system through administrative access, allowing data theft, configuration manipulation, and potential lateral movement within the network.

🟠 Likely Case: Unauthorized access to sensitive diagnostic data, configuration files, and system information that could be used for reconnaissance or further attacks.

🟢 If Mitigated: Limited impact if proper network segmentation and access controls prevent localhost access from unauthorized users.

🌐 Internet-Facing: LOW - The vulnerability requires localhost access, making internet-facing systems less vulnerable unless combined with other attack vectors.
🏢 Internal Only: HIGH - Internal attackers or compromised internal systems can exploit this vulnerability to gain administrative access to affected hosts.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation is straightforward via HTTP requests to localhost:3005 without authentication. Public proof-of-concept code is available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version 1.58 and later

Vendor Advisory: https://launchpad.support.sap.com/#/notes/3145987

Restart Required: Yes

Instructions:

1. Download SAP Note 3145987.
2. Apply the patch to upgrade to version 1.58 or later.
3. Restart the Simple Diagnostics Agent service.

🔧 Temporary Workarounds

Block localhost port 3005
Platforms: all

Use firewall rules to block access to port 3005 from unauthorized processes. Note that the Linux rule below also drops loopback connections, so it cuts off the agent's legitimate local clients as well and is in effect the same as disabling the interface; Windows Firewall rules generally do not apply to loopback traffic, so confirm that the Windows rule actually blocks a local connection before relying on it against a localhost-only vector.

# Linux: sudo iptables -A INPUT -p tcp --dport 3005 -j DROP
# Windows: New-NetFirewallRule -DisplayName "Block SAP Diagnostics Port" -Direction Inbound -LocalPort 3005 -Protocol TCP -Action Block

Disable Simple Diagnostics Agent
Platforms: all

Stop and disable the vulnerable service if it is not required. Confirm the unit or service name registered on your host before running the commands.

# Linux: sudo systemctl stop sap-simple-diagnostics-agent && sudo systemctl disable sap-simple-diagnostics-agent
# Windows (use ';' rather than '&&', which Windows PowerShell 5.1 does not accept): Stop-Service "SAP Simple Diagnostics Agent"; Set-Service "SAP Simple Diagnostics Agent" -StartupType Disabled

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate systems running the vulnerable agent
  • Apply host-based firewall rules to restrict access to port 3005 to only trusted processes

🔍 How to Verify

Check if Vulnerable:

Check whether the installed Simple Diagnostics Agent version is between 1.0 and 1.57 and whether port 3005 is listening on localhost.

Check Version:

# Check version in agent configuration or via service status

Verify Fix Applied:

Verify version is 1.58 or later and test that authentication is required for administrative functions on port 3005
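The two verification steps above (is port 3005 listening, and does the administrative interface now demand credentials) as a small local check script. This is an added example, not code from SAP or from the advisory; it assumes the agent's administrative interface speaks plain HTTP on 127.0.0.1:3005 and uses an obviously labelled placeholder path, because the advisory does not name the administrative endpoint. Replace the placeholder with the path documented in SAP Note 3145987 and run the script on the host itself. The stub servers in the self-test are constructed for offline testing and are not the SAP agent.

```python
"""Local check for CVE-2022-24396: is 127.0.0.1:3005 listening, and does a
credential-less GET to the administrative interface get refused (401/403,
expected on 1.58+) or served (2xx, the unauthenticated-access condition)?

Assumptions (not from the advisory): plain HTTP, and ADMIN_PATH is a
placeholder to be replaced with the real administrative path."""
import http.client
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

AGENT_HOST = "127.0.0.1"
AGENT_PORT = 3005
ADMIN_PATH = "/PLACEHOLDER-admin-endpoint"   # placeholder, not a real agent path


def port_is_listening(host, port, timeout=2.0):
    """TCP connect test: True if something accepts connections on host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:                       # refused, unreachable or timed out
        return False


def unauthenticated_status(host, port, path, timeout=5.0):
    """One GET with no credentials; returns the HTTP status or None if no HTTP answer."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path)
        return conn.getresponse().status
    except (OSError, http.client.HTTPException):
        return None
    finally:
        conn.close()


def classify(listening, status):
    """Map the probe outcome to an assessment string."""
    if not listening:
        return "not-listening"            # agent absent or disabled: nothing to assess
    if status is None:
        return "no-http-response"         # port open but no HTTP reply
    if status in (401, 403):
        return "auth-required"            # expected after upgrading to 1.58 or later
    if 200 <= status < 300:
        return "unauthenticated-access"   # admin function served without credentials
    return "inconclusive-%d" % status     # redirects, 404s etc. need a manual look


def assess(host=AGENT_HOST, port=AGENT_PORT, path=ADMIN_PATH):
    listening = port_is_listening(host, port)
    status = unauthenticated_status(host, port, path) if listening else None
    return classify(listening, status)


# --- offline self-test against constructed stub servers (not SAP software) ---
class _Stub(BaseHTTPRequestHandler):
    status_to_send = 200

    def do_GET(self):
        self.send_response(self.status_to_send)
        self.end_headers()

    def log_message(self, *args):         # keep the self-test quiet
        pass


def _serve(status):
    handler = type("Handler", (_Stub,), {"status_to_send": status})
    srv = HTTPServer(("127.0.0.1", 0), handler)   # port 0: the OS picks a free port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def selftest():
    """Exercise assess() against a 200-answering stub, a 401-answering stub and a closed port."""
    results = {}
    for label, status in (("unpatched-like", 200), ("patched-like", 401)):
        srv = _serve(status)
        try:
            results[label] = assess("127.0.0.1", srv.server_address[1])
        finally:
            srv.shutdown()
            srv.server_close()
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    free_port = s.getsockname()[1]        # a port nobody is listening on
    s.close()
    results["closed"] = assess("127.0.0.1", free_port)
    return results


if __name__ == "__main__":
    print("self-test:", selftest())
    print("this host:", assess())
```

Only a result of "auth-required" with a version of 1.58 or later confirms the fix; "inconclusive" results (for example a redirect to a login page) must be read by hand, since a 302 neither proves nor disproves that the administrative function is protected.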

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized access attempts to port 3005
  • Authentication failure logs for Simple Diagnostics Agent

Network Indicators:

  • Unexpected traffic to localhost:3005
  • HTTP requests to administrative endpoints without authentication headers

SIEM Query:

source="sap_diagnostics.log" AND (event="authentication_failure" OR event="unauthorized_access")
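The SIEM query above, implemented as stand-alone detection logic and run over sample log lines, so the rule can be exercised before a real log source is wired up. This is an added example, not part of the advisory: the key=value line layout, the `ts` and `src` field names and every line in SAMPLE_LOG are constructed for the example and are not real Simple Diagnostics Agent output, so the parser must be adapted to the agent's actual log format. It goes one step beyond the query by also flagging bursts of alert events from a single client address, which is the pattern worth escalating over an isolated failure.

```python
"""Offline equivalent of the advisory's SIEM query for CVE-2022-24396:

    source="sap_diagnostics.log" AND (event="authentication_failure" OR event="unauthorized_access")

plus a sliding-window burst check per client address. Log layout and all
sample lines are constructed for this example (assumption, not real agent logs)."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

SOURCE = "sap_diagnostics.log"
ALERT_EVENTS = {"authentication_failure", "unauthorized_access"}
BURST_WINDOW = timedelta(seconds=60)
BURST_THRESHOLD = 3

# constructed sample lines (not real agent output); src is client address:port
SAMPLE_LOG = """\
source=sap_diagnostics.log ts=2024-01-09T10:00:01Z event=service_start src=-
source=sap_diagnostics.log ts=2024-01-09T10:02:13Z event=unauthorized_access src=127.0.0.1:41022
source=sap_diagnostics.log ts=2024-01-09T10:02:14Z event=unauthorized_access src=127.0.0.1:41023
source=sap_diagnostics.log ts=2024-01-09T10:02:20Z event=unauthorized_access src=127.0.0.1:41024
source=other_app.log ts=2024-01-09T10:06:00Z event=authentication_failure src=10.0.0.5:5555
source=sap_diagnostics.log ts=2024-01-09T10:15:40Z event=authentication_failure src=127.0.0.1:41100
source=sap_diagnostics.log ts=2024-01-09T10:17:22Z event=config_read src=127.0.0.1:41200
"""

KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Turn one key=value line into a dict; blank or unparseable lines give {}."""
    return dict(KV.findall(line))


def matches_query(rec):
    """Boolean form of the SIEM query: right source AND one of the alert events."""
    return rec.get("source") == SOURCE and rec.get("event") in ALERT_EVENTS


def run_query(text):
    """Records the SIEM query would select, in log order."""
    return [rec for rec in map(parse_line, text.splitlines()) if matches_query(rec)]


def host_of(src):
    """Drop the ephemeral port so hits from one client address group together."""
    return src.rsplit(":", 1)[0]


def find_bursts(hits, window=BURST_WINDOW, threshold=BURST_THRESHOLD):
    """Hosts with at least `threshold` alert events inside any `window`-long span.
    Sliding window over the sorted timestamps of each host."""
    by_host = defaultdict(list)
    for rec in hits:
        by_host[host_of(rec["src"])].append(
            datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ"))
    bursts = set()
    for host, times in by_host.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:   # shrink window from the left
                start += 1
            if end - start + 1 >= threshold:
                bursts.add(host)
                break
    return bursts


def summarize(text):
    """Counts an analyst would triage: total hits, per event type, per host, bursting hosts."""
    hits = run_query(text)
    return {
        "hits": len(hits),
        "by_event": dict(Counter(r["event"] for r in hits)),
        "by_host": dict(Counter(host_of(r["src"]) for r in hits)),
        "bursts": sorted(find_bursts(hits)),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

On the sample data the line from other_app.log is excluded by the source condition, the three unauthorized_access events within seven seconds from 127.0.0.1 trigger the burst flag, and the lone authentication_failure thirteen minutes later counts as a hit but not as part of a burst. Because the vector is localhost, a loopback source address is expected rather than suspicious; the volume and timing of refused or unauthenticated requests carry the signal.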
