CVE-2024-44117

5.4 MEDIUM

📋 TL;DR

This CVE allows low-privileged users in SAP systems to modify other users' favorite node URLs and workbook IDs through an RFC-enabled function module. It affects SAP applications with vulnerable RFC modules, primarily impacting data integrity with limited availability consequences.

💻 Affected Systems

Products:
  • SAP applications with vulnerable RFC function modules
Versions: Specific versions not detailed in CVE; check SAP Note 3488039
Operating Systems: All supported by SAP
Default Config Vulnerable: ⚠️ Yes
Notes: Requires low-privileged user access to the SAP system; impact depends on specific RFC module implementations.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker could redirect users to malicious sites through modified URLs, potentially leading to credential theft or malware installation, or disrupt business processes by altering workbook configurations.

🟠 Likely Case

Low-privileged users modifying colleagues' favorites to cause confusion or minor disruptions, or redirecting users to inappropriate/internal sites.

🟢 If Mitigated

With proper authorization controls and monitoring, impact is limited to minor configuration changes that can be quickly reverted.

🌐 Internet-Facing: LOW
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated low-privileged access; specific function module details are in SAP Note 3488039.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: See SAP Note 3488039 for specific patch information

Vendor Advisory: https://me.sap.com/notes/3488039

Restart Required: Yes

Instructions:

  1. Review SAP Note 3488039.
  2. Apply the relevant SAP Security Patch Day updates.
  3. Restart affected SAP systems.
  4. Verify the fix by testing the vulnerable function module.

🔧 Temporary Workarounds

Restrict RFC Function Module Access

Applies to: all

Limit access to the vulnerable RFC function module using SAP authorization objects.

Use transaction SU24 to adjust authorization checks for the affected function module.

Monitor RFC Calls

Applies to: all

Implement monitoring for unauthorized modifications to user favorites and workbook IDs.

Configure SAP audit logging for the relevant function modules and for changes to user tables.

🧯 If You Can't Patch

  • Implement strict authorization controls to limit which users can execute the vulnerable RFC function module.
  • Enable detailed logging and monitoring for modifications to user favorites and workbook configurations.

🔍 How to Verify

Check if Vulnerable:

Check if your SAP system has the vulnerable RFC function module enabled and accessible to low-privileged users.

Check Version:

Use SAP transaction SM51 or check system info for patch levels referenced in SAP Note 3488039.

Verify Fix Applied:

After patching, verify that low-privileged users can no longer modify other users' favorite nodes and workbook IDs through the RFC module.

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized RFC calls to function modules modifying user favorites
  • Unexpected changes to user favorite URLs or workbook IDs

Network Indicators:

  • RFC traffic patterns showing unusual modifications to user configuration data

SIEM Query:

source="sap_audit_log" AND (event_type="RFC_CALL" AND function_module="[vulnerable_module]" AND user_privilege="LOW")
