Organizations running business-critical applications on SAP's Application Server for ABAP platform technology may want to read and heed details of a technical paper presented at Trooper's cybersecurity conference in Germany this week.
The paper, from research firm SEC Consult, provides technical details and proof-of-concept (PoC) code for four critical vulnerabilities in the server-side implementation of the Remote Function Call (RFC) communications interface in all releases and versions of SAP's NetWeaver Application Server ABAP and ABAP platform (AS ABAP).
ABAP Kernel Affected By At Least One Of the Flaws
The vulnerabilities give attackers a way to remotely execute arbitrary code on affected systems, access critical data, move laterally to other SAP systems on the same network, and execute other malicious actions. At least one of the flaws exists in the ABAP kernel, meaning a very large number of SAP products are affected.
"Remote unauthenticated attackers may exploit the identified issues to take full control of vulnerable application servers. This could result in a full compromise of confidentiality, integrity, and availability of data," SEC Consult said in a note to customers warning about the issues; it also shared the warning with Dark Reading.
Researchers at SEC Consult discovered and reported the vulnerabilities to SAP over the last two years. They identified the first one at the end of 2020 and the last one earlier this year. SAP issued patches for each of the identified issues soon after SEC Consult reported them to the company. Even so, SEC Consult waited till now to disclose technical details of the flaws to ensure SAP had enough time to properly address the issues.
"The identified vulnerabilities affected many different SAP products as the ABAP kernel was affected," says Johannes Greil, head of the SEC Consult Vulnerability Lab. "Hence profound work needed to be done to mitigate and test/verify the fixes for all of those products."
With technical details and proofs of concept (PoCs) for the flaws now becoming available, threat actors have information to craft targeted attacks, he says. So unpatched systems could pose a risk for organizations. "Our advice is — if it was not already done — to implement the patches and necessary configuration changes immediately as the issues are of critical risk," Greil notes. "Because of the high business risk, we also informed many customers already a few months ago in March 2023 and urged them to patch."
Details On the Four Bugs
The four vulnerabilities that SEC Consult discovered and reported to SAP are CVE-2021-27610, CVE-2021-33677, CVE-2021-33684, and CVE-2023-0014.
CVE-2021-27610 is an authentication bypass vulnerability in AS ABAP that allows adversaries to escalate privileges on affected systems. The vulnerability gives attackers a way to establish their own communication with a vulnerable system and reuse leaked credentials to impersonate user accounts and claim a trusted identity. Successful exploitation can lead to full system compromise, SEC Consult said.
SEC Consult described CVE-2021-33677 as an information disclosure vulnerability in the AutoABAP/bgRFC Interface that allows an adversary to remotely enumerate user accounts and get the vulnerable service to execute specific requests to targeted hosts and ports. CVE-2021-33684 is a memory corruption bug that an attacker can exploit to remotely crash processes, gain remote code execution, and corrupt data. CVE-2023-0014, the most recent of the four flaws that SEC Consult reported to SAP, is a design issue that enables lateral movement in SAP system environments.
Greil describes most of the vulnerabilities as critical, especially CVE-2023-0014 and CVE-2021-27610, which, when combined, allow for easy lateral movement. "The current one from 2023 is especially important because it is more effort to patch because of additional necessary configuration changes," Greil says. Some deeper technical SAP understanding would be necessary to perform lateral attacks and exploiting the attack chain because the SAP technology stack and naming conventions differ from the usual IT security protocols, he notes. "The buffer overflow is also of high risk because it is exploitable before authentication. But we did not verify remote code execution," Greil says.
The vulnerabilities exist in a wide range of business-critical SAP products including SAP ERP Central Component (ECC), SAP S/4HANA, SAP Business Warehouse (BW), SAP Solution Manager (SolMan), SAP for Oil & Gas (IS Oil&Gas), SAP for Utilities (IS-U), and SAP Supplier Relationship Management (SRM).