CVE-2021-27613 – SAP Business One Hana (Chef Cookbook) – Insecure Temporary File For Incoming & Outgoing Payroll Data – SAP Business One Chef Cookbook.

Title

SAP Business One Hana (Chef Cookbook) – Insecure Temporary File For Incoming & Outgoing Payroll Data – SAP Business One Chef Cookbook 0.1.9 and below for Microsoft Windows Server 2008.

CVE ID

CVE-2021-27613

CVSS Score

7.8

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Internal ID

SICK-2021-026

Vendor

SAP

Product

SAP Business One Hana Chef Cookbook

Product Versions

0.1.9 and below

Software Component Versions

9.2, 9.3, 10.0

Vulnerability Details

SAP Business One Hana Chef Cookbook 0.1.9 and below use an insecure temporary folder C:\Temp to store incoming and outgoing payroll data. An authenticated local attacker with can manipulate sensitive payroll data given there is unprivileged access to all users on the server by sending and receiving data in an insecure temporary folder.

Vendor: Under certain conditions, SAP Business One Chef cookbook, version – 9.2, 9.3, 10.0, used to install SAP Business One, allows an attacker to exploit an insecure temporary folder for incoming & outgoing payroll data and to access information which would otherwise be restricted, which could lead to Information Disclosure and highly impact system confidentiality, integrity and availability.

Vendor Response

Vendor has fixed the vulnerability, published a patch, and deprecated the repository.

Proof of Concept

    <PayrollPathInc>C:\Temp\In</PayrollPathInc>
    <PayrollPathOut>C:\Temp\Out</PayrollPathOut>

Disclosure Timeline

• 2021-04-12 – Researcher discover vulnerabilities
• 2021-04-15 – Vendor deprecates repository
• 2021-05-10 – Vendor assigns CVE-2021-27613
• 2021-05-11 – Vendor publishes vulnerabilities
• 2021-06-08 – Researcher publishes advisory

Links

https://launchpad.support.sap.com/#/notes/3049755

https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=576094655

https://github.com/SAP/business-one-chef-cookbook

https://github.com/sickcodes/security/blob/master/advisories/SICK-2021-026.md

https://sick.codes/sick-2021-026

Researchers

Sick Codes: https://github.com/sickcodes || https://twitter.com/sickcodes

Miklos Zoltan: https://twitter.com/mzb4455 || https://www.privacyaffairs.com/authors/miklos/

CVE Links

https://sick.codes/sick-2021-026

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27613

https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-27613