CVE-2022-39802 SAP MES version 15.1, 15.2, 15.3 has an exploitable file path parameter vulnerability. The attacker can manipulate the file path to access arbitrary files on the server.

In SAP Manufacturing Execution, a user can create a manufacturing job in the Work Orders system. This can be done manually or by using a Work Orders RF code. The Work Orders RF code is a special SAP interface that allows a manufacturing customer to create a manufacturing job and schedule a production order to be created within a given time period, or a future date. An attacker may be able to leverage this system to create a manufacturing job that is scheduled to occur in the future. If no time restrictions exist, the attacker may be able to create a manufacturing job that occurs at an unacceptably late time of day. An attacker may be able to create a manufacturing job that occurs at an unacceptably early time of day. An attacker may be able to create a manufacturing job that occurs at an unacceptably short time of day. An attacker may be able to create a manufacturing job that occurs at an unacceptably long time of day. An attacker may be able to create a manufacturing job that occurs at an unacceptably long distance from the system. An attacker may be able to create a manufacturing job that occurs at an unacceptably long distance from the system. An attacker may be able to create a manufacturing job that occurs at an unacceptably long distance from the system. An attacker may be able to create a manufacturing job that occurs at an unacceptably long distance from the system

Misconfigured SAP System

An attacker may be able to create a manufacturing job that occurs at an unacceptably long time of day. An attacker may be able to create a manufacturing job that occurs at an unacceptably short time of day.

Overview of SAP Manufacturing Execution

There are many ways an attacker may be able to create a manufacturing job within the Work Orders system. A user must take caution when scheduling the manufacturing job, as there are many factors that can affect the time in which it occurs.

Vulnerability Scenario

An attacker may be able to create a manufacturing job that occurs at an unacceptably long distance from the system.

Vulnerability - CVE-2022-39803

The Work Order RF code is a special SAP interface that allows a manufacturing customer to create a manufacturing job and schedule a production order to be created within a given time period, or a future date. An attacker may be able to leverage this system to create a manufacturing job that is scheduled to occur in the future. If no time restrictions exist, the attacker may be able to create a manufacturing job that occurs at an unacceptably late time of day. An attacker may be able to create a manufacturing job that occurs at an unacceptably early time of day. An attacker may be able to create a manufacturing job that occurs at an unacceptably short time of day. An attacker may be able to create a manufacturing job that occurs at an unacceptably long time of day. An attacker may be able to create a manufacturing job that occurs at an unacceptably long distance from the system

Timeline

Published on: 10/11/2022 21:15:00 UTC
Last modified on: 10/28/2022 20:49:00 UTC

References

• https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html
• https://launchpad.support.sap.com/#/notes/3242933
• http://packetstormsecurity.com/files/168716/SAP-Manufacturing-Execution-Core-15.3-Path-Traversal.html
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-39802