CVE-2024-44112
📋 TL;DR
This vulnerability in SAP for Oil & Gas (Transportation and Distribution) allows authenticated non-administrative users to delete non-sensitive entries from a user data table due to missing authorization checks. It affects confidentiality and availability but could disrupt operations by removing legitimate data entries. Organizations using affected SAP modules are impacted.
💻 Affected Systems
- SAP for Oil & Gas (Transportation and Distribution)
⚠️ Risk & Real-World Impact
Worst Case
An attacker could systematically delete user data table entries, causing operational disruption, data loss, and potential compliance issues in oil and gas transportation systems.
Likely Case
Malicious insiders or compromised accounts delete specific entries to disrupt workflows or hide activities, requiring manual restoration and investigation.
If Mitigated
With proper access controls and monitoring, impact is limited to minor data cleanup and audit trail review.
🎯 Exploit Status
Exploitation requires an authenticated user account and knowledge of the specific remote-enabled function module that lacks the authorization check.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Apply SAP Security Note 3505293
Vendor Advisory: https://me.sap.com/notes/3505293
Restart Required: Yes
Instructions:
1. Download SAP Note 3505293 from the SAP Support Portal.
2. Apply the correction instructions in the note.
3. Restart the affected SAP systems.
4. Verify the fix by testing the vulnerable function.
🔧 Temporary Workarounds
Restrict Function Module Access
Temporarily restrict access to the vulnerable remote-enabled function module using authorization objects.
Use transaction SU24 to adjust the authorization checks for the affected function module.
Enhanced Monitoring
Implement monitoring for deletion activities in user data tables.
Configure the SAP Security Audit Log to record these activities (transaction SM19 to configure the log, SM20 to review it).
🧯 If You Can't Patch
- Implement strict principle of least privilege for all user accounts
- Enable detailed audit logging for all table modification activities and review regularly
🔍 How to Verify
Check if Vulnerable:
Check whether SAP Note 3505293 is applied using transaction SNOTE, or compare the system version against the affected versions listed in the note.
Check Version:
Use transaction SM51 to check SAP system version and applied notes
Verify Fix Applied:
Test the vulnerable function with a non-administrative user account; it should now return an authorization error instead of allowing the deletion.
📡 Detection & Monitoring
Log Indicators:
- Unusual deletion activities in user data tables
- Multiple failed authorization checks followed by successful deletions
Network Indicators:
- Increased RFC calls to specific function modules from non-admin users
SIEM Query:
source="sap_audit_log" AND (event_type="table_deletion" OR function_module="[vulnerable_function]")
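The two log indicators above (failed authorization checks followed by a successful deletion, and a burst of RFC calls to one function module from non-admin accounts) can be checked offline against exported audit records. The script below is an added example, not part of this advisory or SAP's tooling; it assumes a simplified pipe-delimited record layout, a placeholder function module name (Z_PLACEHOLDER_DELETE_FM, to be replaced by the module named in the SAP note), a placeholder table name, and a constructed set of log lines.

```python
from collections import defaultdict
from datetime import datetime, timedelta
ADMINS = {"ADMIN1"}                  # assumed administrative accounts
VULN_FM = "Z_PLACEHOLDER_DELETE_FM"  # placeholder; substitute the module from the SAP note
# Constructed records, "<ts>|<user>|<event>|<detail>"; not real SAP audit log output.
SAMPLE_LOG = """\
2024-09-10T08:00:01|OPS_USER1|AUTH_FAIL|Z_PLACEHOLDER_DELETE_FM
2024-09-10T08:00:03|OPS_USER1|AUTH_FAIL|Z_PLACEHOLDER_DELETE_FM
2024-09-10T08:00:09|OPS_USER1|TABLE_DELETE|USERDATA_TBL
2024-09-10T08:15:00|ADMIN1|TABLE_DELETE|USERDATA_TBL
2024-09-10T09:00:00|OPS_USER2|RFC_CALL|Z_PLACEHOLDER_DELETE_FM
2024-09-10T09:00:01|OPS_USER2|RFC_CALL|Z_PLACEHOLDER_DELETE_FM
2024-09-10T09:00:02|OPS_USER2|RFC_CALL|Z_PLACEHOLDER_DELETE_FM
2024-09-10T10:00:00|OPS_USER3|AUTH_FAIL|Z_PLACEHOLDER_DELETE_FM
2024-09-10T12:00:00|OPS_USER3|TABLE_DELETE|USERDATA_TBL
"""

def parse_log(text):
    """Return (timestamp, user, event, detail) tuples from the constructed log."""
    rows = [line.split("|", 3) for line in text.strip().splitlines()]
    return [(datetime.fromisoformat(ts), u, e, d) for ts, u, e, d in rows]

def auth_fail_then_delete(events, admins=ADMINS, min_fails=2, window=timedelta(minutes=5)):
    """Non-admin users whose table deletion follows >= min_fails authorization
    failures within `window` (failed checks followed by successful deletion)."""
    fails, hits = defaultdict(list), []
    for ts, user, event, _ in events:
        if user in admins:
            continue
        if event == "AUTH_FAIL":
            fails[user].append(ts)
        elif event == "TABLE_DELETE":
            recent = [t for t in fails[user] if ts - t <= window]
            if len(recent) >= min_fails:  # OPS_USER3's failure is hours old, so no hit
                hits.append((user, len(recent), ts.isoformat()))
    return hits

def rfc_call_spikes(events, fm=VULN_FM, admins=ADMINS, threshold=3):
    """Non-admin users calling the target function module >= threshold times."""
    counts = defaultdict(int)
    for _, user, event, detail in events:
        if event == "RFC_CALL" and detail == fm and user not in admins:
            counts[user] += 1
    return {u: c for u, c in counts.items() if c >= threshold}

if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print(auth_fail_then_delete(evs))  # [('OPS_USER1', 2, '2024-09-10T08:00:09')]
    print(rfc_call_spikes(evs))        # {'OPS_USER2': 3}
```

Tune `window`, `min_fails` and `threshold` to the normal RFC volume of the landscape before alerting on the output; an admin account performing the same deletion is deliberately excluded.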