CVE-2022-35295: 
Sap Host Agent vulnerability analysis and mitigation

In SAP Host Agent (SAPOSCOL) version 7.22, a vulnerability was discovered that allows an attacker to use files created by saposcol to escalate privileges. The vulnerability was identified in February 2022 and publicly disclosed on September 13, 2022. This issue affects the SAP Host Agent component, which is responsible for life-cycle management tasks including operating system monitoring, database monitoring, and system instance control (SEC Consult).

The vulnerability stems from multiple issues related to UNIX insecure file handling in the saposcol process. The main saposcol service runs with root privileges and creates files in its default working directory (/usr/sap/tmp). The process follows symbolic links when trying to open/create these files without proper verification, allowing an attacker to manipulate file access. The vulnerability received a CVSS v3 base score of 4.9, indicating medium severity, with attack vector being Network, requiring High privileges, and no user interaction needed (AttackerKB).

The vulnerability allows an authenticated attacker with adm privileges to escalate to root privileges on UNIX systems. This could lead to full system compromise, allowing the attacker to read, write, or corrupt files owned by the root user account. The impact is particularly severe as it affects critical system files and could lead to unauthorized access to sensitive data (SEC Consult).

SAP has released a patch in Security Note 3159736 which should be installed immediately. As a workaround, organizations can remove write access to the DIR_PERF (e.g., /usr/sap/tmp) directory for the adm account, though this may interfere with other programs such as CCMS (SEC Consult).