CVE-2024-42380
📋 TL;DR
This vulnerability in SAP's RFC-enabled function module allows low-privileged users to read any user's workplace favorites and user menu data, including specific node details. It enables username enumeration and has low confidentiality impact. Affects SAP systems with the vulnerable RFC module.
💻 Affected Systems
- SAP NetWeaver Application Server ABAP
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could map all usernames in the system and access sensitive menu/favorites data, potentially facilitating targeted attacks or social engineering.
Likely Case
Low-privileged users accessing other users' workplace favorites and menu configurations, enabling username enumeration.
If Mitigated
Limited impact with proper access controls and monitoring in place.
🎯 Exploit Status
Requires low-privileged user access; exploitation is straightforward once authenticated.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: See SAP Note 3488039 for specific patch information
Vendor Advisory: https://me.sap.com/notes/3488039
Restart Required: Yes
Instructions:
1. Review SAP Note 3488039.
2. Apply relevant SAP security patches.
3. Restart affected SAP systems.
4. Verify patch application.
🔧 Temporary Workarounds
Restrict RFC Access
- Limit access to vulnerable RFC function modules to authorized users only
- Use transaction SM59 to review and restrict RFC destinations
- Use transaction SU24 to maintain authorization objects
Authorization Controls
- Implement strict authorization checks for workplace favorites access
- Review and update authorization profiles using transaction PFCG
- Implement custom authorization checks in affected function modules
🧯 If You Can't Patch
- Implement network segmentation to isolate SAP systems from untrusted networks
- Enable detailed logging for RFC function module access and monitor for suspicious activity
🔍 How to Verify
Check if Vulnerable:
Check if system has unpatched RFC function modules for workplace favorites; review SAP Note 3488039 for specific vulnerable components
Check Version:
Use transaction SM51 or SM50 to check SAP kernel and system version
Verify Fix Applied:
Verify patch application through SAP system information and confirm no unauthorized access to workplace favorites
📡 Detection & Monitoring
Log Indicators:
- Unusual RFC calls to workplace favorites function modules
- Multiple failed authorization attempts for user data access
- Access patterns showing enumeration of multiple user favorites
Network Indicators:
- RFC traffic to vulnerable function modules from unauthorized sources
- Unusual volume of RFC requests for user data
SIEM Query:
source="sap*" AND ("workplace favorites" OR "user menu" OR "RFC function module") AND (action="read" OR action="access")
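The "enumeration of multiple user favorites" indicator above can be checked mechanically: one RFC caller reading the favorites/menu data of many distinct other users inside a short window. The script below is an added example, not code from SAP or from this page; its log line format is constructed for the example, and the function module name is a placeholder to be replaced with the one named in SAP Note 3488039.

```python
# Added example: flag the per-caller enumeration pattern from the Log Indicators.
# The log line format here is constructed for this example, not a real SAP
# format; map your own RFC/audit log fields into RfcCall before use.
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Placeholder: substitute the function module named in SAP Note 3488039.
FAVORITES_FM = "PLACEHOLDER_FAVORITES_FM"

@dataclass
class RfcCall:
    ts: datetime
    caller: str   # authenticated RFC user making the call
    fm: str       # function module invoked
    target: str   # user whose favorites/menu were requested

def parse_line(line: str) -> RfcCall:
    # Constructed format: "<ISO time> caller=<u> fm=<name> target=<u>"
    ts_str, *kv = line.split()
    f = dict(pair.split("=", 1) for pair in kv)
    return RfcCall(datetime.fromisoformat(ts_str), f["caller"], f["fm"], f["target"])

def find_enumerators(lines, fm=FAVORITES_FM, threshold=3, window=timedelta(minutes=5)):
    """Callers that read >= threshold other users' data within `window` (own reads ignored)."""
    calls = sorted((parse_line(ln) for ln in lines if ln.strip()), key=lambda c: c.ts)
    by_caller = defaultdict(list)
    for c in calls:
        if c.fm == fm and c.target != c.caller:
            by_caller[c.caller].append(c)
    flagged = {}
    for caller, cs in by_caller.items():
        start = 0                      # sliding time window over this caller's calls
        for end, c in enumerate(cs):
            while c.ts - cs[start].ts > window:
                start += 1
            targets = {x.target for x in cs[start:end + 1]}
            if len(targets) >= threshold:
                flagged[caller] = sorted(targets)
                break
    return flagged

# Constructed sample: DEVUSER sweeps three other users in seconds; ALICE reads only her own data.
SAMPLE_LOG = """\
2024-08-13T09:00:01 caller=ALICE fm=PLACEHOLDER_FAVORITES_FM target=ALICE
2024-08-13T09:01:10 caller=DEVUSER fm=PLACEHOLDER_FAVORITES_FM target=ALICE
2024-08-13T09:01:11 caller=DEVUSER fm=PLACEHOLDER_FAVORITES_FM target=BOB
2024-08-13T09:01:12 caller=DEVUSER fm=PLACEHOLDER_FAVORITES_FM target=CAROL
2024-08-13T09:04:00 caller=BOB fm=OTHER_FM target=ALICE
""".splitlines()
```

Tune `threshold` and `window` to the normal rate of cross-user reads in your landscape (for example, help-desk or batch users) before alerting on the result.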