Patchwork Fails: SAP’s Vulnerability Patch Bypassed Again!

Despite efforts to patch an open redirect vulnerability (CVE-2020-6215) in their Business Server Pages (BSP) test application, SAP finds their fix bypassed by hackers, turning serious business software into a comedy of errors.

Hot Take:

SAP might be a global giant in business process software, but it seems like they’ve fumbled the ball when it comes to patching a vulnerability. Despite their efforts to patch an open redirect vulnerability (CVE-2020-6215) in their Business Server Pages (BSP) test application it00, hackers have found a way to dance around it. This is like having a hole in your pants, patching it up, only to find the patch itself has a hole. The only difference is, instead of your undies on show, it’s your sensitive business data. Talk about a fashion disaster!

Key Points:

  • SAP’s patch for the open redirect vulnerability (CVE-2020-6215) in their BSP test application it00 has been bypassed.
  • SEC Consult discovered the flaw, which enables attackers to redirect users to arbitrary sites, increasing the risk of successful phishing attacks.
  • The vulnerability exists in the SAP Application Server ABAP and ABAP Platform (SAP_BASIS).
  • SAP has released a new patch (SAP Security Note 3258950) to fix the bypass issue.
  • The issue was first identified in September 2022, with the patch released in December of the same year.

The Back Channel:

Patchwork Quilts and Software Don't Mix

SAP was quick to patch an open redirect vulnerability in their BSP test application it00, but it seems their patch had a few stitches missing. Hackers found a way to bypass the patch, potentially exposing users to phishing attacks. It's like a bad horror movie sequel: "Nightmare on SAP Street: The Return of CVE-2020-6215."
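To make the "stitches missing" point concrete, here is an added example (not SAP's code, and not the actual bypass, which the post does not describe) contrasting two ways of validating a redirect target. The naive version is a string-prefix check, the sort of shortcut an incomplete fix tends to rely on; the strict version resolves the target against the application's own origin and requires the resulting host to be on an allow list. The origin `https://app.example.com`, the `ALLOWED_HOSTS` set and every sample target are constructed for the example.

```python
"""Added example: validating a redirect target with an allow list (not SAP's code)."""
from urllib.parse import urljoin, urlsplit

# Constructed values for the example; a real deployment uses its own origin.
APP_BASE = "https://app.example.com/"
ALLOWED_HOSTS = {"app.example.com"}


def naive_is_safe_redirect(target: str) -> bool:
    """A string-prefix check of the kind an incomplete fix often relies on.

    It accepts anything that merely begins with the trusted origin text and
    never parses the URL, so it does not actually bound the destination host.
    """
    return target.startswith("https://app.example.com")


def strict_is_safe_redirect(target: str) -> bool:
    """Accept the target only if, once resolved against APP_BASE, it is an
    http(s) URL whose host is on the allow list.

    Backslashes and control characters are rejected up front: browsers treat
    "/\\host" like "//host" (a protocol-relative URL) while urllib does not,
    so the two parsers would otherwise disagree about the destination.
    """
    if not target or any(ch <= " " or ch == "\\" for ch in target):
        return False
    resolved = urlsplit(urljoin(APP_BASE, target))
    if resolved.scheme not in ("http", "https"):
        return False
    # .hostname is lower-cased and has any userinfo ("user@") and port removed.
    return resolved.hostname in ALLOWED_HOSTS


def compare(targets):
    """Return {target: (naive_verdict, strict_verdict)} for a list of inputs."""
    return {t: (naive_is_safe_redirect(t), strict_is_safe_redirect(t)) for t in targets}


# Constructed inputs: two legitimate targets and several shapes that a
# prefix-only check mishandles or cannot reason about.
SAMPLE_TARGETS = [
    "/app/home",                                   # in-app relative path: only strict accepts
    "https://app.example.com/dashboard",           # absolute URL on the allowed host: both accept
    "https://app.example.com.attacker.example/",   # host-suffix shape: naive accepts, strict rejects
    "https://app.example.com@attacker.example/",   # userinfo shape: naive accepts, strict rejects
    "//attacker.example/",                         # protocol-relative: both reject
    "/\\attacker.example/",                        # backslash form: strict rejects explicitly
    "ftp://files.example/",                        # non-http scheme: both reject
]

if __name__ == "__main__":
    for target, (naive, strict) in compare(SAMPLE_TARGETS).items():
        print(f"{target!r:48} naive={naive!s:5} strict={strict}")
```

The design choice worth copying is the last line of `strict_is_safe_redirect`: the decision is made on the parsed host after resolution, not on the raw string, and relative in-app paths are accepted only because they resolve onto the allow-listed origin. A check that only inspects the beginning of the string is exactly the kind of patch that later needs a patch.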

Nothing Escapes the Eagle Eye of SEC Consult

The bypass was discovered by SEC Consult, the cyber-guardians who never sleep. Their recommendation? Implement the new patch SAP has released, and do it pronto. After all, who wants to become a phishing statistic?

The Long Road to Patchville

The journey to securing this vulnerability has been a long one. The issue was first identified by Fabian Hagg of SEC Consult in September 2022. SAP confirmed the vulnerability and released a patch in December 2022. A little slow off the mark, perhaps, but better late than never.

The Final Solution

SAP has released a new patch (SAP Security Note 3258950) to fix the bypass issue. It's available via the SAP Customer Launchpad. So, if you don't want your business data to become public knowledge, it's time to patch up and lock down.

Workaround for the Wary

If you're still twitchy about this vulnerability, there's a workaround. You can disable the BSP test application it00 in the ICF service tree in transaction SICF. But remember, a workaround is like a band-aid – it's not a permanent fix.

Tags: BSP Application, Open Redirect Vulnerability, Patch Bypass, phishing attacks, SAP Security, SEC Consult, software vulnerabilities