CVE-2022-28214: SAP BusinessObjects Enterprise (CMS) Authentication Credentials Exposure in Sysmon Event Logs

On May 10th, 2022, a major vulnerability was found in SAP BusinessObjects Enterprise (SAP BOE) Central Management Server (CMS) versions 420 and 430. This vulnerability, tracked as CVE-2022-28214, allows unauthorized users to gain access to sensitive information such as authentication credentials from Sysmon event logs. In this blog post, we will discuss the nature of this vulnerability, potential exploits, and steps to mitigate the threat.

Vulnerability Details

During the update process of SAP BOE CMS, authentication credentials required to access the server are exposed in Sysmon event logs. Sysmon is a Windows system monitoring and logging tool that can provide valuable information to system administrators and security analysts. However, due to this vulnerability, the authentication credentials are being exposed to unauthorized users in clear text, which can lead to a serious security breach.

This Information Disclosure vulnerability could have a high impact on the Confidentiality, Integrity, and Availability of SAP BOE systems. This is rated as a CVSS v3.1 base score of 7.5 (High), considering the potential consequences of unauthorized access to critical applications and the unauthorized use of sensitive data.

Exploit Details

To demonstrate the vulnerability, let's assume a malicious user, who already has access to the Sysmon logs, is able to exploit the disclosed authentication credentials. The following code snippet shows how the exposed credentials can be extracted from the log file:

import re

# Read Sysmon log file
with open("Sysmon_log.txt", "r") as log_file:
    log_data = log_file.read()

# Regex pattern to search for authentication credentials
pattern = r"Auth_Creds:\s+'([^']+)'\s+'([^']+)'"

# Extracting credentials
creds = re.findall(pattern, log_data)
for username, password in creds:
    print(f"Username: {username}, Password: {password}")

Once the authentication credentials are retrieved, the attacker can use these credentials to gain unauthorized access to SAP BOE systems and potentially carry out other malicious activities.

Original References

- CVE-2022-28214 - NVD
- SAP Security Note 3133379 - SAP sysmon Unauthorized Access

In order to protect your SAP BOE CMS from this vulnerability, you should

1. Apply the corresponding patch provided by SAP, which addresses the issue of exposing authentication credentials in Sysmon event logs.
2. Regularly review and monitor Sysmon log files, looking for any anomalies or indicators of compromise.

Restrict access to Sysmon logs and event log management interfaces to only authorized personnel.

4. Implement strong authentication mechanisms and consider employing multi-factor authentication (MFA) for critical systems such as SAP BOE CMS.

By following these recommendations, you can reduce the risk of unauthorized access to your SAP BOE systems and maintain the Confidentiality, Integrity, and Availability of your system.

Safeguarding your organization's critical data and applications against unauthorized access is of utmost importance. It is crucial to implement security best practices and apply patches as they become available to reduce the risk of potential attacks.

Timeline

Published on: 05/11/2022 15:15:00 UTC
Last modified on: 05/19/2022 03:17:00 UTC