CVE-2018-2408 : Security Advisory and Response

Learn about CVE-2018-2408 affecting SAP Business Objects versions 4.0, 4.10, 4.20, and 4.30. Discover the impact, technical details, and mitigation steps for this high-severity vulnerability.

SAP Business Objects versions 4.0, 4.10, 4.20, and 4.30 are affected by an improper session management vulnerability that allows previously active sessions to remain active after a user changes their password.

Understanding CVE-2018-2408

This CVE involves a security issue in SAP Business Objects versions 4.0, 4.10, 4.20, and 4.30, specifically within CMC/BI Launchpad/Fiorified BI Launchpad.

What is CVE-2018-2408?

The vulnerability in SAP Business Objects allows active sessions created with an old password to persist even after a user changes their password.

The Impact of CVE-2018-2408

The impact of this vulnerability is rated as HIGH with a CVSS base score of 7.3. It poses a risk to the confidentiality, integrity, and availability of the affected systems.

Technical Details of CVE-2018-2408

This section provides more technical insights into the vulnerability.

Vulnerability Description

The vulnerability arises from improper session management in SAP Business Objects versions 4.0, 4.10, 4.20, and 4.30, affecting CMC/BI Launchpad/Fiorified BI Launchpad.

Affected Systems and Versions

        Product: SAP Business Objects
        Vendor: SAP SE
        Affected Versions: 4.0, 4.10, 4.20, 4.30

Exploitation Mechanism

Sessions established with an old password remain active after the password is changed, so a threat actor who already holds such a session retains access, potentially leading to unauthorized access.

Mitigation and Prevention

Protecting systems from CVE-2018-2408 requires immediate actions and long-term security practices.

Immediate Steps to Take

        Monitor and terminate active sessions regularly.
        Implement password policies that force session re-authentication after a password change.
        Apply security patches provided by SAP.
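
An added example, not SAP's code and not part of the original advisory: a minimal Python session store that binds each session to a per-user credential counter, so sessions created under the old password fail validation after a change. The class, method and user names are hypothetical, and password verification is assumed to have already succeeded.

```python
import secrets


class SessionStore:
    """Toy in-memory session store (hypothetical; not SAP code)."""

    def __init__(self, revoke_on_password_change):
        self.revoke_on_password_change = revoke_on_password_change
        self._cred_epoch = {}  # user -> counter bumped on every password change
        self._sessions = {}    # token -> (user, epoch recorded at login)

    def login(self, user):
        # Password verification is out of scope; assume it succeeded.
        epoch = self._cred_epoch.setdefault(user, 0)
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (user, epoch)
        return token

    def change_password(self, user, keep_token=None):
        self._cred_epoch[user] = self._cred_epoch.get(user, 0) + 1
        entry = self._sessions.get(keep_token)
        if entry is not None and entry[0] == user:
            # Re-bind only the session that performed the change.
            self._sessions[keep_token] = (user, self._cred_epoch[user])

    def validate(self, token):
        entry = self._sessions.get(token)
        if entry is None:
            return None
        user, epoch = entry
        if self.revoke_on_password_change and epoch != self._cred_epoch[user]:
            del self._sessions[token]  # stale: created under the old password
            return None
        return user


def demo(revoke):
    """Return (other session still valid?, changing session still valid?)."""
    store = SessionStore(revoke_on_password_change=revoke)
    other = store.login("alice")    # constructed: session left open elsewhere
    current = store.login("alice")  # session in which the password is changed
    store.change_password("alice", keep_token=current)
    return store.validate(other) == "alice", store.validate(current) == "alice"
```

`demo(False)` reproduces the behaviour the advisory describes (the other session survives the password change); `demo(True)` shows the stale session rejected while the session that made the change stays valid.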

Long-Term Security Practices

        Conduct regular security audits to identify vulnerabilities.
        Educate users on secure password practices and session management.

Patching and Updates

        Apply the latest security patches released by SAP to address the session management vulnerability.
