CVE-2024-42371
📋 TL;DR
Because the affected RFC-enabled function module does not properly check the caller's authorization, a low-privileged authenticated user can call it to delete the workplace favorites of any other user, which can disclose usernames and workplace/node information. It affects SAP NetWeaver Application Server ABAP systems on which the vulnerable RFC-enabled function module is present and reachable. The impact is primarily on confidentiality, with low integrity and availability effects.
💻 Affected Systems
- SAP NetWeaver Application Server ABAP
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could map organizational structure, identify high-value targets, and gather reconnaissance data for further attacks by analyzing workplace favorites patterns.
Likely Case
Low-privileged users deleting colleagues' workplace favorites, causing minor productivity disruption and exposing some user information.
If Mitigated
Exposure is limited to users who are authorized to call the function module for a legitimate business reason, with logging and monitoring of those calls in place.
🎯 Exploit Status
Requires low-privileged SAP user credentials; exploitation is straightforward once authenticated
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: See SAP Note 3488039 for specific patch versions
Vendor Advisory: https://me.sap.com/notes/3488039
Restart Required: No
Instructions:
1. Apply SAP Security Note 3488039 via SAP Note Assistant (transaction SNOTE).
2. Implement the correction instructions.
3. Verify the fix in development before production deployment.
🔧 Temporary Workarounds
Restrict RFC Function Module Access
Limit access to the vulnerable RFC-enabled function module using SAP authorization objects. RFC calls are checked against authorization object S_RFC (fields RFC_TYPE, RFC_NAME and ACTVT, activity 16 = Execute), so remove the module's function group, or the module itself, from the S_RFC values in roles of users who have no business need for it.
Use transaction SU24 to maintain the authorization default values for the affected function module so that role generation in PFCG picks them up.
Implement User Activity Monitoring
Monitor and alert on suspicious deletion of workplace favorites, in particular deletions where the acting user differs from the user whose favorites are removed.
Configure the SAP Security Audit Log (transaction SM19, or RSAU_CONFIG on newer kernels) to record RFC function calls and user activity relevant to the affected module.
🧯 If You Can't Patch
- Implement strict authorization controls to limit access to the vulnerable function module
- Enable detailed logging and monitoring for workplace favorites deletion activities
🔍 How to Verify
Check if Vulnerable:
Check if SAP Note 3488039 is applied using transaction SNOTE or check component versions against affected list in the note
Check Version:
Use System > Status for the kernel release and patch level and, under Component information, the software component and support package levels; transaction SM51 also shows the kernel release per application server.
Verify Fix Applied:
Verify SAP Note 3488039 implementation status and test that low-privileged users cannot delete other users' workplace favorites
📡 Detection & Monitoring
Log Indicators:
- Multiple workplace favorites deletion events from single user
- Cross-user favorites deletion patterns
- Unusual RFC function module calls
Network Indicators:
- Unusual RFC traffic patterns to the vulnerable function module
SIEM Query:
source="sap_audit_log" AND (event="workplace_favorites_delete" OR function_module="[vulnerable_module]")
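As an added example that is not part of this advisory or of any SAP tooling, the following Python script applies the three log indicators above to constructed log records. The record layout, the field names, the sample lines, the allowlist of expected callers and the placeholder module name are all assumptions made for the example; they do not reproduce the real SAP Security Audit Log format, and the placeholder must be replaced with the function module named in SAP Note 3488039.

```python
"""Detection logic for the CVE-2024-42371 log indicators (added example).

The records below are CONSTRUCTED, simplified stand-ins for exported SAP Security
Audit Log / RFC trace entries; the layout is an assumption, not SAP's format.
"""
from collections import defaultdict
from typing import Dict, List

# Placeholder: the advisory text does not name the module; substitute the
# RFC-enabled function module listed in SAP Note 3488039.
VULNERABLE_FM = "[vulnerable_module]"

# Assumed allowlist of users with a legitimate need to call the module.
ALLOWED_CALLERS = {"BASIS_ADMIN"}

# Constructed sample records (not real log output). Columns:
# timestamp | acting user | event | RFC function module | target user ("-" if none)
SAMPLE_LOG = """\
2024-08-13T08:01:12 BASIS_ADMIN RFC_CALL [vulnerable_module] BASIS_ADMIN
2024-08-13T08:02:05 JDOE        RFC_CALL [vulnerable_module] JDOE
2024-08-13T08:02:06 JDOE        RFC_CALL [vulnerable_module] ASMITH
2024-08-13T08:02:07 JDOE        RFC_CALL [vulnerable_module] BKUMAR
2024-08-13T08:02:08 JDOE        RFC_CALL [vulnerable_module] CEO_USER
2024-08-13T08:05:40 ASMITH      RFC_CALL RFC_PING            -
2024-08-13T08:06:10 ASMITH      RFC_CALL [vulnerable_module] ASMITH
"""


def parse_log(text: str) -> List[Dict[str, str]]:
    """Parse the whitespace-separated constructed records into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, actor, event, fm, target = line.split()
        records.append({"ts": ts, "actor": actor, "event": event,
                        "fm": fm, "target": target})
    return records


def detect(records: List[Dict[str, str]], burst_threshold: int = 3,
           allowed_callers=ALLOWED_CALLERS, fm: str = VULNERABLE_FM) -> Dict:
    """Apply the advisory's three log indicators to the parsed records.

    Returns a dict with:
      burst:             actors calling the module >= burst_threshold times
      cross_user:        (actor, target) pairs where the actor removed another
                         user's favorites, the core abuse pattern of this CVE
      unexpected_caller: actors calling the module who are not allowlisted
    """
    calls = [r for r in records if r["event"] == "RFC_CALL" and r["fm"] == fm]
    per_actor = defaultdict(int)
    cross_user = []
    unexpected = set()
    for r in calls:
        per_actor[r["actor"]] += 1
        if r["target"] not in ("-", r["actor"]):
            cross_user.append((r["actor"], r["target"]))
        if r["actor"] not in allowed_callers:
            unexpected.add(r["actor"])
    burst = {actor: n for actor, n in per_actor.items() if n >= burst_threshold}
    return {"burst": burst, "cross_user": cross_user,
            "unexpected_caller": sorted(unexpected)}


if __name__ == "__main__":
    for kind, hits in detect(parse_log(SAMPLE_LOG)).items():
        print(f"{kind}: {hits}")
```

On the constructed sample, JDOE trips all three indicators (four calls in a burst, three of them against other users, and no allowlist entry), while ASMITH is flagged only as an unexpected caller for touching their own favorites; tuning `burst_threshold` and the allowlist to the system's real usage keeps the cross-user check as the high-confidence signal.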