
SAP Security Note

3420923 - [CVE-2024-22131] Code Injection vulnerability in SAP ABA (Application Basis)
Component: CA-SUR (Web Survey), Version: 13, Released On: 13.02.2024

Symptom
An attacker authenticated as a user with a remote execution authorization can use a vulnerable interface. This allows the
attacker to use the interface to invoke an application function to perform actions which they would not normally be permitted
to perform. Depending on the function executed, the attacker can read or modify any user/business data and can make the
entire system unavailable.

Other Terms
Command Injection, OS command injection, CVE-2024-22131

Reason and Prerequisites
The vulnerable part of CA-SUR, which is used by the remote capability of "Web Survey", can be secured with strict settings for authorization object S_RFC.
This correction provides additional measures that do not rely on securing the scenario via S_RFC alone.

Solution
Implement Support Package or correction instructions.
The solution implements a secure-by-default configuration.
Therefore, you have to adjust the configuration if you are in fact using the remote capability of the component.
See related note 3415038 for details and recommendations on how to update the configuration.

Workaround
Please assess the workaround applicability for your SAP landscape prior to implementation.
Note that this workaround is a temporary fix and is not a permanent solution. SAP strongly recommends you apply the
corrections outlined in the security note, which can be done in lieu of the workaround or after the workaround is
implemented.
Review your settings regarding authorization object S_RFC and do not allow calls to function modules of CA-SUR remotely.
Keep in mind that this workaround would disable the remote capability of the component.
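To support that review of S_RFC, the following is an added example (not SAP's code and not part of this note) that scans role-authorization rows in the shape of an AGR_1251 export and reports every role whose S_RFC grant would allow remote execution of a given function group or function module. All role, authorization and function names are placeholders, and the value matching (`*`, trailing `*` as prefix, HIGH as range; fields ANDed, values ORed; a grant via either FUGR or FUNC counts) is a simplified model of the SAP check, stated as an assumption.

```python
from collections import defaultdict

# Constructed rows in the shape of an AGR_1251 role-authorization export:
# (role, object, authorization, field, low, high). Role, authorization and
# function group/module names are placeholders, not the real CA-SUR names.
SAMPLE_ROWS = [
    ("Z_RFC_ALL",     "S_RFC", "T-0001", "RFC_TYPE", "*",    ""),
    ("Z_RFC_ALL",     "S_RFC", "T-0001", "RFC_NAME", "*",    ""),
    ("Z_RFC_ALL",     "S_RFC", "T-0001", "ACTVT",    "16",   ""),
    ("Z_RFC_SURVEY",  "S_RFC", "T-0002", "RFC_TYPE", "FUGR", ""),
    ("Z_RFC_SURVEY",  "S_RFC", "T-0002", "RFC_NAME", "ZSURVEY_FUGR_PLACEHOLDER", ""),
    ("Z_RFC_SURVEY",  "S_RFC", "T-0002", "ACTVT",    "16",   ""),
    ("Z_RFC_FIN",     "S_RFC", "T-0003", "RFC_TYPE", "FUGR", ""),
    ("Z_RFC_FIN",     "S_RFC", "T-0003", "RFC_NAME", "FI*",  ""),
    ("Z_RFC_FIN",     "S_RFC", "T-0003", "ACTVT",    "16",   ""),
    ("Z_RFC_ANYFUNC", "S_RFC", "T-0004", "RFC_TYPE", "FUNC", ""),
    ("Z_RFC_ANYFUNC", "S_RFC", "T-0004", "RFC_NAME", "*",    ""),
    ("Z_RFC_ANYFUNC", "S_RFC", "T-0004", "ACTVT",    "16",   ""),
]

def value_matches(low, high, value):
    """Simplified (assumed) SAP value matching: '*' alone matches anything,
    a trailing '*' is a prefix pattern, a non-empty HIGH makes a range."""
    if low == "*":
        return True
    if high:
        return low <= value <= high
    if low.endswith("*"):
        return value.startswith(low[:-1])
    return value == low

def roles_granting_remote_execution(rows, function_group, function_module):
    """Roles whose S_RFC authorizations allow ACTVT 16 (execute) on the given
    function, via its function group (FUGR) or its own name (FUNC).
    Assumption: fields inside one authorization are ANDed, values ORed."""
    auths = defaultdict(lambda: defaultdict(list))
    for role, obj, auth, field, low, high in rows:
        if obj == "S_RFC":
            auths[(role, auth)][field].append((low, high))
    alternatives = (
        {"RFC_TYPE": "FUGR", "RFC_NAME": function_group, "ACTVT": "16"},
        {"RFC_TYPE": "FUNC", "RFC_NAME": function_module, "ACTVT": "16"},
    )
    hits = set()
    for (role, _auth), fields in auths.items():
        for wanted in alternatives:
            if all(any(value_matches(lo, hi, want) for lo, hi in fields.get(f, []))
                   for f, want in wanted.items()):
                hits.add(role)
    return sorted(hits)
```

Roles such as Z_RFC_ALL and Z_RFC_ANYFUNC show why a wildcard on RFC_NAME defeats the workaround even when no survey-specific grant exists.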

CVSS
CVSS Score: 9.1
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Privileges Required (PR): High (H)
User Interaction (UI): None (N)
Scope (S): Changed (C)
Confidentiality Impact (C): High (H)
Integrity Impact (I): High (H)
Availability Impact (A): High (H)

SAP provides this CVSS v3.0 base score as an estimate of the risk posed by the issue reported in this note. This estimate does
not take into account your own system configuration or operational environment. It is not intended to replace any risk
assessments you are advised to conduct when deciding on the applicability or priority of this SAP security note. For more
information, see the FAQ section at https://support.sap.com/securitynotes.

Software Components
Software Component   From   To    And subsequent
SAP_ABA              700    702
SAP_ABA              731    731
SAP_ABA              740    740
SAP_ABA              750    752
SAP_ABA              75C    75I

Correction Instructions
Software Component   Number of Correction Instructions
SAP_ABA              3

Prerequisites
Software Component   From   To    SAP Note/KBA   Title                                              Component
SAP_ABA              700    710   1110803        SURVEY: BAdI for authorization check               CA-SUR
SAP_ABA              700    711   1354949        Survey: Adding new questions to answered surveys   CA-SUR

Support Package
Software Component   Version   Support Package
SAP_ABA              700       SAPKA70042
SAP_ABA              701       SAPKA70127
SAP_ABA              702       SAPKA70227
SAP_ABA              731       SAPKA73134
SAP_ABA              740       SAPKA74031
SAP_ABA              750       SAPK-75029INSAPABA
SAP_ABA              751       SAPK-75118INSAPABA
SAP_ABA              752       SAPK-75214INSAPABA
SAP_ABA              75C       SAPK-75C14INSAPABA
SAP_ABA              75D       SAPK-75D12INSAPABA
SAP_ABA              75E       SAPK-75E10INSAPABA
SAP_ABA              75F       SAPK-75F08INSAPABA
SAP_ABA              75G       SAPK-75G06INSAPABA
SAP_ABA              75H       SAPK-75H04INSAPABA
SAP_ABA              75I       SAPK-75I02INSAPABA


This document refers to
SAP Note/KBA   Component   Title
3415038