If a SAP 3D Visual Enterprise Author - version 9 user opens a file with malicious Jupiter Tesselation (.jt) without any protection he/she can be affected by this vulnerability. To exploit this vulnerability, an attacker needs to trick a user to open a file from untrusted sources. This can be accomplished by sending malicious link, attachments in email, posting a Tesselation on a compromised website, etc.
If an attacker has access to the SAP system, they can also drop the malicious Tesselation (.jt) in system directory. An attacker can also create a malicious Tesselation (.jt) that looks like it’s coming from trusted source. In both scenarios, when a victim opens the file with malicious Jupiter Tesselation (.jt), the program will try to load the malicious code into memory. It is possible that when a user opens a file, the program attempts to load the code into memory. If the code is loaded into memory successfully, the attacker can use a stack-based overflow or a re-use of a dangling pointer which refers to overwritten space in memory. It is imperative to keep an eye out for the following behavior from your SAP system when receiving a malicious Jupiter Tesselation (.jt) file: - Redirection of SAP system pages to a remote server - Unusual SAP system behavior like RAM usage spikes, freezes, etc - Unauthorized remote connections being made to the SAP system - Unusual access to
How to check if you’re vulnerable to the SAP Jupiter Tesselation Remote Code Injection vulnerability
To check for potential vulnerability, search for the following service reports in the SAP system:
- SAP Security System (SAPSS)
- SAP Systems Security Events (SSDE)
- System Logs
Timeline
Published on: 10/11/2022 21:15:00 UTC
Last modified on: 10/12/2022 20:06:00 UTC