CVE-2024-45283

6.0 MEDIUM

📋 TL;DR

CVE-2024-45283 is an information disclosure vulnerability in SAP NetWeaver AS for Java that allows authorized attackers to obtain usernames and passwords when creating RFC destinations. This affects organizations running vulnerable SAP NetWeaver installations, potentially exposing credentials that could be used for further attacks. The attacker can read sensitive information but cannot modify or delete data.

💻 Affected Systems

Products:
  • SAP NetWeaver Application Server for Java
Versions: Multiple versions - check SAP Note 3477359 for specific affected versions
Operating Systems: All supported OS platforms for SAP NetWeaver
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authorized user access to create RFC destinations. All standard installations are affected unless patched.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers obtain administrative credentials leading to full system compromise, lateral movement within the SAP landscape, and potential data exfiltration.

🟠

Likely Case

Attackers obtain standard user credentials enabling unauthorized access to sensitive business data and systems within the SAP environment.

🟢

If Mitigated

Limited impact with proper network segmentation, strong authentication controls, and monitoring preventing credential misuse.

🌐 Internet-Facing: MEDIUM - While exploitation requires authorization, internet-facing SAP systems increase attack surface and credential exposure risk.
🏢 Internal Only: HIGH - Internal attackers with authorized access can exploit this to escalate privileges and access sensitive systems.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authorized access to create RFC destinations. The vulnerability is straightforward to exploit once access is obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apply SAP Security Note 3477359

Vendor Advisory: https://me.sap.com/notes/3477359

Restart Required: Yes

Instructions:

1. Open SAP Note 3477359 in the SAP Support Portal and identify the Java patch that matches your release and support package level.
2. Deploy the patch to every affected SAP NetWeaver AS Java instance. Java corrections are delivered as deployable patches (normally applied with Software Update Manager), not through SNOTE, which only implements ABAP corrections.
3. Restart the application server.
4. Verify the patch is correctly applied by comparing the deployed component versions shown in SAP NetWeaver Administrator against the fixed versions listed in the note.

🔧 Temporary Workarounds

Restrict RFC Destination Creation

Applies to: all

Limit the ability to create RFC destinations to the administrators who actually need it.

On AS Java, destinations are managed through SAP NetWeaver Administrator (Configuration > Destinations) and access is governed by UME roles, not ABAP authorization objects. Review which UME roles grant access to the destination service and remove them from non-administrative users via Identity Management in NWA. Transaction SU01 and authorization object S_RFCACL belong to the ABAP stack and do not apply to the Java stack.

Network Segmentation

Applies to: all

Isolate SAP systems from untrusted networks and implement strict access controls so that only administrators can reach NWA and the destination service.

🧯 If You Can't Patch

  • Implement strict access controls and least privilege principles for all SAP users
  • Enable comprehensive logging and monitoring for RFC destination creation activities

🔍 How to Verify

Check if Vulnerable:

Compare the deployed versions of the Java components named in SAP Note 3477359 against the fixed versions listed there. SNOTE does not apply to AS Java (it implements ABAP corrections only); use SAP NetWeaver Administrator > System Information to list the deployed software components and their patch levels.

Check Version:

Open SAP NetWeaver Administrator > System Information on the Java instance to see the release, support package and patch level of each deployed component. Transaction SM51 is an ABAP transaction and is not available on a pure Java stack.

Verify Fix Applied:

Confirm in SAP NetWeaver Administrator > System Information that the components named in SAP Note 3477359 show a version at or above the fixed patch level, and that the server was restarted after deployment.

📡 Detection & Monitoring

Log Indicators:

  • Unusual RFC destination creation activities
  • Multiple failed authentication attempts following RFC creation
  • User activities outside normal business hours

Network Indicators:

  • Unusual outbound connections from SAP systems
  • Traffic patterns indicating credential harvesting

SIEM Query (pseudo-query; the source, event and field names are placeholders that must be mapped to your SIEM's schema for the AS Java security log):

source="sap_audit_log" AND (event="RFC_DESTINATION_CREATE" OR event="RFC_CONNECTION") AND user NOT IN ["authorized_users"]
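The pseudo-query above can be turned into a concrete detection once the log is parsed. The following script is an added example, not part of the original advisory and not SAP code: it applies the same two rules (destination created by a user outside an allow-list, or outside business hours) to constructed sample lines in a simple "timestamp | user | action | object" format. The line format, event names, user names and allow-list are all assumptions; map the regular expression to whatever your SIEM actually ingests from the AS Java security log or an NWA Log Viewer export.

```python
"""Flag RFC-destination creation events by unexpected users or at odd hours.

Added example, not the advisory's or SAP's own code. The log format below is
CONSTRUCTED for illustration; adapt LINE_RE to your real export.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, time

# Constructed sample lines (not real SAP output): timestamp | user | action | object
SAMPLE_LOG = """\
2024-09-10T09:12:01Z | j2ee_admin | DESTINATION_CREATE | RFC:ERP_PRD
2024-09-10T22:47:33Z | svc_batch | DESTINATION_CREATE | RFC:ERP_PRD_COPY
2024-09-10T22:48:10Z | svc_batch | DESTINATION_READ | RFC:ERP_PRD_COPY
2024-09-11T10:05:44Z | basis_ops | DESTINATION_CREATE | RFC:BW_QAS
2024-09-11T03:15:00Z | j2ee_admin | DESTINATION_CREATE | RFC:ERP_DEV
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \| (?P<user>\S+) \| (?P<action>\S+) \| (?P<obj>\S+)$"
)

# Assumed business window (local time of the log); tune to your environment.
BUSINESS_START = time(7, 0)
BUSINESS_END = time(19, 0)

# Assumed allow-list of accounts permitted to create destinations.
ALLOWED = {"j2ee_admin", "basis_ops"}


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    action: str
    obj: str


def parse(log: str) -> list[Event]:
    """Parse the constructed log format; lines that do not match are skipped."""
    events: list[Event] = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(Event(ts, m["user"], m["action"], m["obj"]))
    return events


def find_alerts(events, allowed_users, business_hours=(BUSINESS_START, BUSINESS_END)):
    """Return (event, reason) pairs for RFC destination creations that are
    either by a user outside the allow-list or outside business hours."""
    start, end = business_hours
    alerts = []
    for ev in events:
        # Only creation of RFC-type destinations is of interest here.
        if ev.action != "DESTINATION_CREATE" or not ev.obj.startswith("RFC:"):
            continue
        reasons = []
        if ev.user not in allowed_users:
            reasons.append("user not in allow-list")
        if not (start <= ev.ts.time() < end):
            reasons.append("outside business hours")
        if reasons:
            alerts.append((ev, "; ".join(reasons)))
    return alerts


if __name__ == "__main__":
    for ev, why in find_alerts(parse(SAMPLE_LOG), ALLOWED):
        print(f"{ev.ts.isoformat()} {ev.user} created {ev.obj}: {why}")
```

Run against the constructed sample, the script flags the svc_batch creation (unknown account, late at night) and the 03:15 creation by j2ee_admin (allowed account, odd hour); the read event and the daytime creations by allow-listed administrators are ignored. Keep the allow-list in a reviewed configuration source rather than hard-coded, and feed the alerts into the same case queue as your other SAP privilege-change events.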

🔗 References

  • SAP Security Note 3477359: https://me.sap.com/notes/3477359
  • NVD entry for CVE-2024-45283: https://nvd.nist.gov/vuln/detail/CVE-2024-45283