CVE-2023-37490
📋 TL;DR
This vulnerability allows authenticated attackers within the network to replace temporary executable files during SAP Business Objects installation with malicious files. This can lead to complete system compromise affecting confidentiality, integrity, and availability. Only SAP Business Objects Installer versions 420 and 430 are affected.
💻 Affected Systems
- SAP Business Objects Installer
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing attacker to execute arbitrary code with installation privileges, potentially leading to full domain takeover, data exfiltration, and persistent backdoor installation.
Likely Case
Privilege escalation leading to unauthorized access to sensitive business data, installation of malware, or disruption of business operations.
If Mitigated
Limited impact due to network segmentation and strict access controls preventing authenticated attackers from reaching installation directories.
🎯 Exploit Status
Requires timing attack during installation process and authenticated network access.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Apply SAP Security Note 3317710
Vendor Advisory: https://me.sap.com/notes/3317710
Restart Required: Yes
Instructions:
1. Download SAP Security Note 3317710 from SAP Support Portal.
2. Apply the patch to affected SAP Business Objects Installer installations.
3. Restart affected systems.
4. Verify installation using version check.
🔧 Temporary Workarounds
Restrict temporary directory permissions
All platforms: Set strict permissions on temporary directories used during installation to prevent unauthorized file writes.
Windows: icacls "C:\Temp\SAP_Install" /inheritance:r /grant:r "SYSTEM:(OI)(CI)F" "Administrators:(OI)(CI)F"
Linux: chmod 700 /tmp/sap_install && chown root:root /tmp/sap_install
Network segmentation
All platforms: Isolate installation environments from general user networks to limit attack surface.
🧯 If You Can't Patch
- Implement strict access controls limiting who can perform installations and access installation directories.
- Monitor temporary directory file creation and modification during installation processes for suspicious activity.
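One way to act on the permission workaround and the monitoring advice above, as an added example that is not SAP tooling or code from the advisory: it flags a staging directory that group or others can write to, and compares two SHA-256 snapshots of its files to report anything added, removed or replaced. The directory and file names are constructed for the demonstration.

```python
import hashlib
import os
import stat
import tempfile

def snapshot(directory):
    """Map each regular file under `directory` to its SHA-256 digest."""
    digests = {}
    for root, _dirs, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue  # skip symlinks and special files
            with open(path, "rb") as fh:
                rel = os.path.relpath(path, directory)
                digests[rel] = hashlib.sha256(fh.read()).hexdigest()
    return digests

def diff_snapshots(before, after):
    """Return files added, removed, or changed in content between snapshots."""
    common = before.keys() & after.keys()
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "changed": sorted(p for p in common if before[p] != after[p]),
    }

def loosely_writable(directory):
    """True if group or others can write to `directory` (POSIX mode bits)."""
    mode = os.stat(directory).st_mode
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))

def demo():
    """Constructed scenario: a staged file is swapped between two snapshots."""
    with tempfile.TemporaryDirectory() as staging:
        os.chmod(staging, 0o700)  # same mode as the Linux workaround
        target = os.path.join(staging, "setup_helper.bin")  # hypothetical name
        with open(target, "wb") as fh:
            fh.write(b"original installer payload")
        before = snapshot(staging)
        with open(target, "wb") as fh:
            fh.write(b"replaced content")
        with open(os.path.join(staging, "extra.bin"), "wb") as fh:
            fh.write(b"unexpected file")
        return diff_snapshots(before, snapshot(staging)), loosely_writable(staging)

if __name__ == "__main__":
    print(demo())
```

The comparison is only as trustworthy as the first snapshot, so take it from the installation media or a freshly extracted copy before the directory is exposed to other users.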
🔍 How to Verify
Check if Vulnerable:
Check SAP Business Objects Installer version - if version 420 or 430, system is vulnerable.
Check Version:
Windows: Check SAP Business Objects program properties or installation logs.
Linux: Check installation directory version files or use rpm -qa | grep -i sap-business-objects
Verify Fix Applied:
Verify SAP Security Note 3317710 is applied and version is updated beyond vulnerable versions.
📡 Detection & Monitoring
Log Indicators:
- Unexpected file modifications in temporary directories during installation
- Multiple failed installation attempts
- Unauthorized user accessing installation directories
Network Indicators:
- Unusual network traffic from installation servers during non-maintenance windows
- Connections to suspicious external IPs from installation systems
SIEM Query:
(EventID=4663 OR EventID=4656) AND ObjectName contains 'temp' AND (ProcessName contains 'sap' OR ProcessName contains 'businessobjects')