Advisory
On 10.09.2024 a security-relevant correction was released by SAP SE. The manufacturer resolves an issue within SAP BusinessObjects Business Intelligence Platform.
SAP Note 3425287 addresses "[CVE-2024-45281] DLL hijacking vulnerability in SAP BusinessObjects Business Intelligence Platform" to prevent a DLL hijacking vulnerability with a medium risk for exploitation.
A workaround does exist, according to the SAP Security Advisory team. It is advisable to implement the correction as part of maintenance, the team suggests.
Risk specification
SAP BusinessObjects Business Intelligence Platform allows a high privilege user to run client desktop applications even if some of the DLLs are not digitally signed or if the signature is broken. The attacker needs to have local access to the vulnerable system to perform DLL related tasks. This could result in a high impact on confidentiality and integrity of the application.
Solution
To enable the binary signature check, please refer to SAP Note 3472256. This issue is fixed in the patches listed in the "Support Packages & Patches" section below. Circumstances may exist that prevent the timely installation of a patch provided by the manufacturer. In such cases, you may consider applying the suggested workaround as a temporary or compensating mitigation: "Update in progress".
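As an added defender-side check that is not part of the SAP note or SAP's own tooling, the following PowerShell script audits the DLLs under an installation directory for the exact condition the advisory describes: files that are unsigned or whose Authenticode signature no longer verifies. The root path is an assumed placeholder and must be adjusted to the actual BI Platform client installation.

```powershell
# Added audit script (not SAP's code): list DLLs under a BI Platform client
# install directory that are unsigned or carry a broken signature.
param(
    # Assumed placeholder path; point this at the real client installation.
    [string]$Root = 'C:\Program Files (x86)\SAP BusinessObjects'
)

function Get-UnsignedDll {
    param([string]$Path)
    Get-ChildItem -Path $Path -Filter *.dll -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            # 'Valid' means a trusted chain and a matching file hash.
            # 'NotSigned' and 'HashMismatch' are the cases the advisory warns about;
            # 'NotTrusted' (untrusted signer) is also reported so it can be reviewed.
            if ($sig.Status -ne 'Valid') {
                [pscustomobject]@{
                    Path   = $_.FullName
                    Status = $sig.Status
                    Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                }
            }
        }
}

$findings = @(Get-UnsignedDll -Path $Root)
if ($findings.Count -gt 0) {
    $findings | Sort-Object Status, Path | Format-Table -AutoSize
    Write-Warning ("{0} DLL(s) under {1} are unsigned or have an invalid signature" -f $findings.Count, $Root)
} else {
    Write-Host "All DLLs under $Root carry a valid Authenticode signature"
}
```

Run it before and after applying the patch or the signature-check setting from SAP Note 3472256 to confirm which libraries the client applications would otherwise load without a valid signature.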