Onapsis researchers provide insight into fresh SAP security vulnerabilities

Researchers from Onapsis have revealed new attack vectors for SAP that combine existing vulnerabilities, potentially leading to devastating chained exploits. The attacks were presented at the Black Hat 2023 session by lead security researcher Pablo Artuso and fellow researcher Yvan Geuner. In their session titled “Chained to Hit: Discovering New Vectors to Gain Remote and Root Access in SAP Enterprise Software,” they demonstrated how three different attacks could be combined to gain root access to the SAP system.

The attacks showcased in the session were the result of chaining together three different research projects conducted by Onapsis. By linking these projects, the researchers discovered that they could gain HTTP access and subsequently obtain root access to the SAP system without requiring authentication.

The first step in the attack involved gaining HTTP access to a target network. Once this was achieved, the researchers exploited a flaw in SAP NetWeaver Enterprise Portal, known as CVE-2023-28761, which enabled them to launch applications without authorization. This vulnerability also allowed unauthenticated attackers to access and modify server settings and data.

Moving on to the second stage of the attack chain, the Onapsis researchers targeted a proprietary SAP protocol called P4, which is based on Remote Method Invocation, a Java API. P4 is present in all SAP NetWeaver Application Servers for Java and is primarily used for remote communications. Although P4 services are rarely exposed to the internet, they can cause significant damage if exploited. Onapsis previously disclosed a series of vulnerabilities known as “P4Chains,” some of which impact the protocol and are utilized in these new chained attacks. Chaining these vulnerabilities can make seemingly less-severe vulnerabilities more dangerous, as stated in Onapsis’ report titled “P4Chains: Unpacking the Impact of Vulnerabilities Affecting SAP P4.”

After exploiting the NetWeaver Enterprise Portal flaw and gaining access to the P4 service, the researchers then targeted CVE-2023-23857, a denial-of-service and arbitrary file read vulnerability in P4, and CVE-2023-27497, a remote code execution vulnerability in the SAP Diagnostics Agent. These vulnerabilities have CVSS scores of 9.9 and 10, respectively. Other flaws exploited during this stage included a server-side request forgery vulnerability in SAP Solution Manager (CVE-2023-36925) and an SQL injection flaw impacting the P4 service (CVE-2022-41272), both of which received critical CVSS scores.

The final stage of the attack, Stage 3, involved leveraging a privilege escalation vulnerability in SAP Host Agent (CVE-2023-24523) to achieve root access to the target system. This vulnerability has a CVSS score of 8.8.

Onapsis researchers provided a detailed list of the flaws exploited in these attacks and strongly advised enterprises to patch all of them, regardless of their perceived severity. The presentation demonstrated that threat actors can exploit multiple paths to reach Stage 3 and gain root access.

While executing these attacks does not necessarily require advanced threat actors, possessing SAP knowledge is essential. According to Artuso, the level of difficulty to execute the attack chain is medium. He added, “Besides exploitation level, attackers would need SAP knowledge and internal knowledge [of the target network] to be able to exploit the vulnerabilities.”

One positive aspect for defenders is that mitigating just one step breaks the entire attack chain, as highlighted by Onapsis CTO JP Perez-Etchegoyen. By addressing and patching even a single component, enterprises can reduce the overall risk. Configuring access control lists (ACLs) is also emphasized as a way to prevent these attacks.

The significance of SAP security for enterprises was underscored by Artuso. He stressed that SAP systems are vulnerable, often overlooked in terms of security, and require attention. The increased interest of threat actors in targeting SAP applications further reinforces the importance of security awareness. Perez-Etchegoyen highlighted that attackers now actively exploit SAP applications, incorporating them into their campaigns and updating malware and ransomware accordingly.

It is worth noting that SAP applications do not necessarily have more vulnerabilities than other software. However, Perez-Etchegoyen expressed concerns about how prepared enterprises are to address SAP software. While there has been improvement in SAP vulnerability patch management, he believes more work still needs to be done. He emphasized that enterprises need to have the necessary processes and resources to address SAP vulnerabilities, just as they do for other software in their landscape. Staying up to date with Patch Tuesday alerts and configuring specific ACLs to restrict access to certain services are essential measures in SAP security.

Overall, the Onapsis researchers’ findings shed light on significant vulnerabilities in SAP systems and emphasize the importance of diligent patching and security measures for enterprises. The chained attacks presented at Black Hat 2023 demonstrate the potential for devastating exploits and highlight the need for improved SAP security practices.
