CVE-2023-36925 – CVE-2023-36925 is a server-side request forgery... (How to Fix)

Q: What is the severity of CVE-2023-36925?

CVE-2023-36925 has a CVSS score of 7.2 (HIGH). CVE-2023-36925 is a server-side request forgery (SSRF) vulnerability in SAP Solution Manager Diagnostics Agent version 7.20 that allows unauthenticated attackers to execute HTTP requests through the application. This enables attackers to reach internal systems that the Diagnostics Agent can access, potentially affecting confidentiality and availability. Organizations running vulnerable SAP Solution Manager installations are affected.

📋 TL;DR

CVE-2023-36925 is a server-side request forgery (SSRF) vulnerability in SAP Solution Manager Diagnostics Agent version 7.20 that allows unauthenticated attackers to execute HTTP requests through the application. This enables attackers to reach internal systems that the Diagnostics Agent can access, potentially affecting confidentiality and availability. Organizations running vulnerable SAP Solution Manager installations are affected.

💻 Affected Systems

Products:

SAP Solution Manager (Diagnostics agent)

Versions: Version 7.20

Operating Systems: All platforms running SAP Solution Manager

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects the Diagnostics Agent component of SAP Solution Manager 7.20; other versions may be affected but not documented.

📦 What is this software?

Solution Manager by Sap

View all CVEs affecting Solution Manager →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attacker could use the Diagnostics Agent as a proxy to attack internal systems, potentially accessing sensitive data or disrupting services on reachable internal networks.

🟠

Likely Case

Limited information disclosure from internal systems or denial of service against reachable applications through HTTP request flooding.

🟢

If Mitigated

Minimal impact if network segmentation prevents the Diagnostics Agent from reaching sensitive internal systems.

🌐 Internet-Facing: HIGH - Unauthenticated exploitation makes internet-facing instances particularly vulnerable to scanning and automated attacks.

🏢 Internal Only: MEDIUM - Internal instances are still vulnerable but require network access; risk depends on internal network segmentation.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

SSRF vulnerabilities typically have low exploitation complexity; unauthenticated access makes this particularly easy to exploit.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apply SAP Note 3352058

Vendor Advisory: https://me.sap.com/notes/3352058

Restart Required: Yes

Instructions:

1. Download and apply SAP Note 3352058 from SAP Support Portal. 2. Restart the Diagnostics Agent service. 3. Verify the patch is applied successfully.

🔧 Temporary Workarounds

Network Segmentation

all

Restrict network access to the Diagnostics Agent to prevent it from reaching sensitive internal systems

Access Control

all

Implement network-level authentication or IP whitelisting for Diagnostics Agent endpoints

🧯 If You Can't Patch

Isolate the Diagnostics Agent in a restricted network segment with minimal access to other systems
Implement web application firewall rules to block suspicious HTTP request patterns to the Diagnostics Agent

🔍 How to Verify

Check if Vulnerable:

Check if SAP Solution Manager Diagnostics Agent version 7.20 is installed and running without SAP Note 3352058 applied

Check Version:

Check SAP system version through transaction code SM51 or system information

Verify Fix Applied:

Verify SAP Note 3352058 is applied in SAP system and test that SSRF attempts are blocked

📡 Detection & Monitoring

Log Indicators:

Unusual HTTP requests originating from Diagnostics Agent to internal systems
Multiple failed authentication attempts or unusual request patterns

Network Indicators:

HTTP traffic from Diagnostics Agent to unexpected internal destinations
Outbound requests from Diagnostics Agent to internal services it shouldn't access

SIEM Query:

source="sap_diagnostics_agent" AND (dest_ip IN sensitive_subnets OR http_method="POST/PUT/DELETE" FROM unexpected_sources)

📊 Metadata

CVE ID: CVE-2023-36925

CVSS v3 Score: 7.2 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:L

CWE: CWE-918

Published: July 11, 2023

Last Updated: November 21, 2024

🔗 References

https://me.sap.com/notes/3352058 Permissions Required
https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html Vendor Advisory
https://me.sap.com/notes/3352058 Permissions Required
https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-36925, you might also want to check these: