CVE-2021-27616 – SAP Business One Hana (Chef Cookbook) – Exposure of Backup File to an Unauthorized Control Sphere via Insecure Temporary File Storage.

Title

SAP Business One Hana (Chef Cookbook) – Exposure of Backup File to an Unauthorized Control Sphere via Insecure Temporary File Storage.

CVE ID

CVE-2021-27616

CVSS Score

7.8

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Internal ID

SICK-2021-029

Vendor

SAP

Product

SAP Business One Hana Chef Cookbooks

Product Versions

0.1.9 and below

Product Versions

8.82, 9.0, 9.1, 9.2, 9.3, 10.0

Vulnerability Details

A vulnerability in the backup functionality of SAP Business One Hana Chef Cookbook 0.1.9 and below uses an insecure temporary folder to create and modify application backup data. A local unprivileged attacker can read and potentially write to /tmp/backup_service allowing access to private backup data.

Vendor: Under certain conditions, SAP Business One Hana Chef Cookbook, versions – 8.82, 9.0, 9.1, 9.2, 9.3, 10.0, used to install SAP Business One for SAP HANA, allows an attacker to exploit an insecure temporary backup path and to access information which would otherwise be restricted, resulting in Information Disclosure vulnerability highly impacting the confidentiality, integrity and availability of the application.

Vendor Response

Vendor has fixed the vulnerability, published a patch, and deprecated the repository.

Proof of Concept

BCKP_PATH_WORKING=/tmp/backup_service

Disclosure Timeline

• 2021-04-12 – Researcher discover vulnerabilities
• 2021-04-15 – Vendor deprecates repository
• 2021-05-10 – Vendor assigns CVE-2021-27616
• 2021-05-11 – Vendor publishes advisory
• 2021-06-08 – Researcher publishes advisory

Links

https://launchpad.support.sap.com/#/notes/3049661

https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=576094655

https://github.com/SAP/business-one-hana-chef-cookbook

https://github.com/sickcodes/security/blob/master/advisories/SICK-2021-029.md

https://sick.codes/sick-2021-029

Researchers

Sick Codes: https://github.com/sickcodes || https://twitter.com/sickcodes

Miklos Zoltan: https://twitter.com/mzb4455 || https://www.privacyaffairs.com/authors/miklos/

CVE Links

https://sick.codes/sick-2021-029

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27616

https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-27616