CVE-2022-31591 – CVE-2022-31591 is an unquoted service path vuln... (How to Fix)

Q: What is the severity of CVE-2022-31591?

CVE-2022-31591 has a CVSS score of 7.8 (HIGH). CVE-2022-31591 is an unquoted service path vulnerability in SAP BusinessObjects BW Publisher Service that allows local attackers to execute arbitrary code with elevated privileges. Attackers can place malicious executables in the service path to gain SYSTEM-level access. This affects SAP BusinessObjects BW Publisher Service versions 420 and 430.

📋 TL;DR

CVE-2022-31591 is an unquoted service path vulnerability in SAP BusinessObjects BW Publisher Service that allows local attackers to execute arbitrary code with elevated privileges. Attackers can place malicious executables in the service path to gain SYSTEM-level access. This affects SAP BusinessObjects BW Publisher Service versions 420 and 430.

💻 Affected Systems

Products:

SAP BusinessObjects BW Publisher Service

Versions: 420, 430

Operating Systems: Windows

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects Windows installations where the service path contains spaces and is unquoted.

📦 What is this software?

Businessobjects Bw Publisher Service by Sap

View all CVEs affecting Businessobjects Bw Publisher Service →

Businessobjects Bw Publisher Service by Sap

View all CVEs affecting Businessobjects Bw Publisher Service →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Local attacker gains SYSTEM privileges, enabling complete system compromise, data theft, lateral movement, and persistence.

🟠

Likely Case

Local authenticated user escalates privileges to SYSTEM, potentially installing malware, accessing sensitive data, or disrupting services.

🟢

If Mitigated

With proper access controls and monitoring, impact limited to isolated service disruption or detection of unauthorized privilege escalation attempts.

🌐 Internet-Facing: LOW - Requires local access to the system, not directly exploitable over network.

🏢 Internal Only: HIGH - Local attackers (including malicious insiders or compromised accounts) can exploit this for privilege escalation.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: LOW

Requires local access and ability to write to service path directories. Classic unquoted service path exploitation technique.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apply SAP Security Note 3167430

Vendor Advisory: https://launchpad.support.sap.com/#/notes/3167430

Restart Required: Yes

Instructions:

1. Download and apply SAP Security Note 3167430. 2. Restart the SAP BusinessObjects BW Publisher Service. 3. Verify the service path is properly quoted in Windows Service configuration.

🔧 Temporary Workarounds

Manually Quote Service Path

windows

Manually edit the service path in Windows Services to add quotes around the executable path

sc config "SAP BusinessObjects BW Publisher Service" binPath="\"C:\Program Files\SAP\...\executable.exe\""

Restrict Write Permissions

windows

Remove write permissions for non-administrative users on directories in the service path

icacls "C:\Program Files\SAP\BusinessObjects\" /deny Users:(OI)(CI)W

🧯 If You Can't Patch

Implement strict access controls to prevent local users from writing to service path directories
Monitor for unauthorized service modifications and privilege escalation attempts

🔍 How to Verify

Check if Vulnerable:

Check if SAP BusinessObjects BW Publisher Service path contains spaces and is unquoted in Windows Services (services.msc)

Check Version:

Check SAP BusinessObjects version through Central Management Console or review installation logs

Verify Fix Applied:

Verify service path is properly quoted in Windows Services and confirm SAP Security Note 3167430 is applied

📡 Detection & Monitoring

Log Indicators:

Windows Event Logs: Service control manager events (7036, 7040), unauthorized service modifications
SAP Audit Logs: Unusual service restarts or configuration changes

Network Indicators:

Unusual outbound connections from SAP BusinessObjects service
Lateral movement attempts from SAP server

SIEM Query:

EventID=7045 OR EventID=4697 AND ServiceName="SAP BusinessObjects BW Publisher Service"

📊 Metadata

CVE ID: CVE-2022-31591

CVSS v3 Score: 7.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-428

Published: July 12, 2022

Last Updated: November 21, 2024

🔗 References

https://launchpad.support.sap.com/#/notes/3167430 Permissions Required,Vendor Advisory
https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html Vendor Advisory
https://launchpad.support.sap.com/#/notes/3167430 Permissions Required,Vendor Advisory
https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2022-31591, you might also want to check these: