CyberSecurity SEE

Researchers Disclose 4 SAP Bugs, Including ABAP Kernel Vulnerability

A technical paper presented at the Troopers cybersecurity conference in Germany has revealed critical vulnerabilities in SAP’s Application Server for ABAP platform technology. The paper, authored by research firm SEC Consult, provides technical details and proof-of-concept code for four vulnerabilities in the server-side implementation of the Remote Function Call (RFC) communications interface. These vulnerabilities affect all releases and versions of SAP’s NetWeaver Application Server ABAP and ABAP platform.

The vulnerabilities discovered by SEC Consult give attackers the ability to remotely execute arbitrary code on affected systems, access critical data, move laterally to other SAP systems on the same network, and perform other malicious actions. At least one of the flaws exists in the ABAP kernel, meaning that a large number of SAP products are impacted. SEC Consult cautioned that remote unauthenticated attackers could exploit these vulnerabilities to take full control of vulnerable application servers, resulting in a compromise of confidentiality, integrity, and availability of data.

SEC Consult researchers identified and reported these vulnerabilities to SAP over the past two years. The first vulnerability was discovered at the end of 2020, and the last one was found earlier this year. SAP promptly issued patches for each of the identified issues upon receiving reports from SEC Consult. However, SEC Consult deliberately waited until now to disclose the technical details of the flaws to ensure that SAP had sufficient time to address the issues properly.

Johannes Greil, head of the SEC Consult Vulnerability Lab, explained that the vulnerabilities affected a wide range of SAP products due to the impact on the ABAP kernel. Consequently, extensive work was necessary to mitigate and test the fixes for all impacted products.

The release of technical details and proofs of concept for these vulnerabilities now presents a risk, as threat actors could use the information to craft targeted attacks. Unpatched systems could pose a significant danger to organizations. Greil advised organizations to implement the patches and necessary configuration changes immediately to mitigate the critical risk posed by these vulnerabilities.

SEC Consult identified and reported four vulnerabilities to SAP. The first vulnerability, CVE-2021-27610, is an authentication bypass vulnerability in AS ABAP, allowing adversaries to escalate privileges on affected systems. This vulnerability enables attackers to establish their own communication with a vulnerable system and reuse leaked credentials to impersonate user accounts. Successful exploitation can result in a full system compromise.

CVE-2021-33677, another vulnerability identified by SEC Consult, is an information disclosure vulnerability in the AutoABAP/bgRFC Interface. This vulnerability enables an adversary to remotely enumerate user accounts and execute specific requests to targeted hosts and ports. Additionally, CVE-2021-33684 is a memory corruption bug that allows an attacker to remotely crash processes, gain remote code execution, and corrupt data. Lastly, CVE-2023-0014 is a design issue that facilitates lateral movement in SAP system environments.

Greil emphasized the criticality of most of these vulnerabilities, particularly CVE-2023-0014 and CVE-2021-27610, which, when combined, allow for easy lateral movement. He also noted that the most recent vulnerability requires additional configuration changes, making it more challenging to patch. Exploiting these vulnerabilities to perform lateral attacks and execute the attack chain would require a deeper technical understanding of SAP’s technology stack and naming conventions, which differ from common IT security protocols.

The impact of these vulnerabilities extends to several business-critical SAP products, including SAP ERP Central Component (ECC), SAP S/4HANA, SAP Business Warehouse (BW), SAP Solution Manager (SolMan), SAP for Oil & Gas (IS Oil & Gas), SAP for Utilities (IS-U), and SAP Supplier Relationship Management (SRM).

In light of these findings, organizations running business-critical applications on SAP’s Application Server for ABAP platform technology should take immediate action to patch their systems and implement the necessary configuration changes. The high business risk associated with these vulnerabilities underscores the importance of prioritizing their mitigation to safeguard the confidentiality, integrity, and availability of critical data and systems.
