SAP has reported a vulnerability in the SAP GUI for Windows, which could expose a workstation to remote command execution. The vulnerability has been assigned a CVSS v3 Base Score of 8.0, which corresponds to severity level High.
Information on the vulnerability is in note 2407616.
All SAP GUI versions below 7.40 patch 12 are affected. The only solution is to upgrade the SAPGUI to 7.40 SP 12 (one exception to this is described in the note, but the exception applies only if you use a centralized SAPGUI security rules configuration; to our knowledge this feature is very rarely used).
The note also states: “SAP strongly recommends to activate the SAP GUI Security Module to protect the client PC from attacks being run via compromised SAP systems.” This is normally the case, but you can check it as follows:
- In the SAP Logon window, choose Options.
- Open Security > Security Settings. The status should be “Customized”.
Note, however, that having the Security Module enabled is not enough by itself to protect against the vulnerability: the security rule that causes the problem is in the protected section of the rule set (SAP and Administrator rules) and cannot be deleted. This is why you have to apply the SAP GUI patch (which contains a rule set with the problematic rule removed).
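Because the patch level of the installed SAP GUI is what actually decides exposure, the check most administrators want is an inventory of saplogon.exe versions across their workstations. The following PowerShell script is an added example, not part of the SAP note or of SAP's own tooling. It assumes the default SAP GUI install path under `Program Files (x86)` and reads the file version over the administrative `C$` share; the `$MinimumVersion` placeholder must be replaced with the `FileVersion` reported by saplogon.exe on a workstation you have already upgraded to 7.40 SP 12, since this example makes no assumption about how SAP encodes the patch level in that number.

```powershell
# Added example (not from SAP note 2407616): report which workstations still
# run an SAP GUI for Windows build older than your patched reference build.
# Assumptions:
#  - saplogon.exe is installed at the default path below (adjust if needed);
#  - $MinimumVersion is the FileVersion of saplogon.exe read from a machine
#    already on 7.40 SP 12 (the value here is a PLACEHOLDER, not a real build).
param(
    [string[]]$ComputerName   = @($env:COMPUTERNAME),
    [string]  $SapLogonPath   = 'C:\Program Files (x86)\SAP\FrontEnd\SAPgui\saplogon.exe',
    [version] $MinimumVersion = [version]'0.0.0.0'   # PLACEHOLDER: set from a patched workstation
)

function Get-SapGuiPatchStatus {
    param([Parameter(Mandatory)][string]$Computer)

    # Turn "C:\Program Files..." into "\\host\C$\Program Files..." so the file
    # version can be read over SMB without requiring WinRM on the target.
    $uncPath = "\\$Computer\" + ($SapLogonPath -replace '^([A-Za-z]):', '$1$$')

    $status = [pscustomobject]@{
        Computer    = $Computer
        FileVersion = $null
        Status      = 'NotInstalled'
    }

    try {
        if (-not (Test-Path -LiteralPath $uncPath)) { return $status }
        $raw = (Get-Item -LiteralPath $uncPath -ErrorAction Stop).VersionInfo.FileVersion
    } catch {
        $status.Status = "Error: $($_.Exception.Message)"
        return $status
    }

    $status.FileVersion = $raw
    # Keep only the leading dotted numeric part so [version] can parse it.
    $numeric = ($raw -replace '[^\d.].*$', '').TrimEnd('.')
    try {
        $fv = [version]$numeric
        $status.Status = if ($fv -ge $MinimumVersion) { 'Patched' } else { 'VULNERABLE' }
    } catch {
        $status.Status = "UnparsableVersion: $raw"
    }
    return $status
}

# Usage: .\Check-SapGui.ps1 -ComputerName ws01,ws02 -MinimumVersion '<patched FileVersion>'
$ComputerName | ForEach-Object { Get-SapGuiPatchStatus -Computer $_ } | Format-Table -AutoSize
```

Run it from an account with administrative rights on the target workstations. Anything reported as VULNERABLE or NotInstalled-but-expected should be scheduled for the 7.40 SP 12 upgrade; checking the Security Module status in SAP Logon, as described above, is complementary and does not replace this.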
KEY SAP NOTES

| Note | Title |
|---|---|
| 2407616 | Remote Code Execution vulnerability in SAP GUI for Windows |
| 1768979 | Changes to the SAP GUI security rules file saprules.xml |