CVE-2023-32113
📋 TL;DR
This vulnerability in SAP GUI for Windows allows attackers to steal NTLM authentication credentials by tricking users into clicking malicious shortcut files. Attackers can then use these credentials to access and potentially modify sensitive data. Affected users are those running vulnerable SAP GUI versions on Windows systems.
💻 Affected Systems
- SAP GUI for Windows
⚠️ Risk & Real-World Impact
Worst Case
Full domain compromise if victim has domain admin privileges, allowing attackers to access all domain resources and sensitive data.
Likely Case
Unauthorized access to SAP systems and data, potentially leading to data theft, modification, or business disruption.
If Mitigated
Limited impact with proper network segmentation, least privilege, and monitoring in place.
🎯 Exploit Status
Exploitation requires social engineering to trick users into clicking malicious shortcuts. No authentication needed to initiate attack.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Apply SAP Security Note 3320467
Vendor Advisory: https://launchpad.support.sap.com/#/notes/3320467
Restart Required: Yes
Instructions:
1. Download patch from SAP Support Portal.
2. Apply to all affected SAP GUI installations.
3. Restart systems.
4. Verify patch installation.
🔧 Temporary Workarounds
Disable automatic shortcut resolution
Platform: windows
Prevents automatic resolution of shortcut files that could trigger NTLM authentication.
Registry modification: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments\SaveZoneInformation = 1
Network segmentation
Platform: all
Restrict NTLM traffic to prevent credential harvesting across network segments.
🧯 If You Can't Patch
- Implement strict user training against clicking unknown shortcuts or files
- Deploy application whitelisting to prevent execution of unauthorized shortcut files
🔍 How to Verify
Check if Vulnerable:
Check SAP GUI version via Help > About. If version is 7.70 or 8.0, system is vulnerable.
Check Version:
In SAP GUI: Help > About, or check registry: HKEY_LOCAL_MACHINE\SOFTWARE\SAP\SAPGUI\Version
Verify Fix Applied:
Verify SAP Security Note 3320467 is applied in SAP GUI version information.
📡 Detection & Monitoring
Log Indicators:
- Unexpected NTLM authentication attempts from SAP GUI processes
- Multiple failed authentication attempts following shortcut file access
Network Indicators:
- Unusual NTLM traffic patterns from SAP GUI clients
- SMB authentication requests to unexpected destinations
SIEM Query:
source="windows-security" EventID=4625 AND ProcessName="*sapgui*" AND AuthenticationPackage="NTLM"
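Added example (not part of the original advisory or of SAP's guidance): the SIEM filter above combined with the "multiple failed authentication attempts" indicator, run over exported events. Field names follow the query on this page; the `Computer` and `TimeCreated` fields, the 5-minute window, the threshold of 3 and all sample events are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)  # assumption: correlation window
THRESHOLD = 3                  # assumption: failures per host that raise an alert

def matches_page_query(ev):
    """Filter from the page's SIEM query: 4625 + *sapgui* process + NTLM."""
    return (ev.get("EventID") == 4625
            and "sapgui" in ev.get("ProcessName", "").lower()
            and ev.get("AuthenticationPackage", "").upper() == "NTLM")

def flag_hosts(events, window=WINDOW, threshold=THRESHOLD):
    """Map host -> time at which `threshold` matching failures fell inside `window`."""
    per_host = defaultdict(list)
    for ev in events:
        if matches_page_query(ev):
            per_host[ev["Computer"]].append(datetime.fromisoformat(ev["TimeCreated"]))
    flagged = {}
    for host, times in per_host.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                flagged[host] = t
                break
    return flagged

def make_event(time, host, proc, pkg, event_id=4625):
    return {"TimeCreated": time, "Computer": host, "EventID": event_id,
            "ProcessName": proc, "AuthenticationPackage": pkg}

SAPGUI = r"C:\Program Files (x86)\SAP\FrontEnd\SAPgui\sapgui.exe"  # constructed path

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    make_event("2023-05-10T09:00:05", "WS-0142", SAPGUI, "NTLM"),
    make_event("2023-05-10T09:01:00", "WS-0142", SAPGUI, "NTLM"),
    make_event("2023-05-10T09:02:10", "WS-0142", SAPGUI, "NTLM"),  # third hit: burst
    make_event("2023-05-10T09:00:00", "WS-0200", SAPGUI, "NTLM"),
    make_event("2023-05-10T09:30:00", "WS-0200", SAPGUI, "NTLM"),
    make_event("2023-05-10T10:15:00", "WS-0200", SAPGUI, "NTLM"),  # spread out: no burst
    make_event("2023-05-10T09:00:00", "WS-0300", r"C:\Windows\explorer.exe", "NTLM"),
    make_event("2023-05-10T09:00:30", "WS-0300", SAPGUI, "Kerberos"),
    make_event("2023-05-10T09:01:00", "WS-0300", SAPGUI, "NTLM", event_id=4624),
]

if __name__ == "__main__":
    for host, when in flag_hosts(SAMPLE_EVENTS).items():
        print(f"{host}: {THRESHOLD}+ SAP GUI NTLM failures within {WINDOW} at {when}")
```

Tune the window and threshold to the baseline of legitimate SAP GUI logon failures in your environment before alerting on the result.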