
The Vulnerability Within: Unveiling the 4 SAP Bugs, Exposing an ABAP Kernel Flaw

Vulnerabilities in SAP's Application Server for ABAP Pose Significant Security Risks

Organizations running business-critical applications on SAP's Application Server for ABAP platform technology should be alarmed by the details revealed in a technical paper presented at the Troopers cybersecurity conference in Germany. The paper, produced by research firm SEC Consult, highlights four critical vulnerabilities in the server-side implementation of the Remote Function Call (RFC) communications interface in all releases and versions of SAP's NetWeaver Application Server ABAP and ABAP platform (AS ABAP). These vulnerabilities allow attackers to remotely execute arbitrary code, access critical data, move laterally to other SAP systems on the same network, and perform malicious actions.

Scope of the Vulnerabilities

At least one of the vulnerabilities exists in the ABAP kernel, making a significant number of SAP products vulnerable. SEC Consult warned that “remote unauthenticated attackers may exploit the identified issues to take full control of vulnerable application servers. This could result in a full compromise of confidentiality, integrity, and availability of data.” The vulnerabilities affect a wide range of business-critical SAP products, including SAP ERP Central Component (ECC), SAP S/4HANA, SAP Business Warehouse (BW), SAP Solution Manager (SolMan), SAP for Oil & Gas (IS Oil&Gas), SAP for Utilities (IS-U), and SAP Supplier Relationship Management (SRM).

Timely Reporting and Patching

SEC Consult discovered these vulnerabilities and reported them to SAP over the past two years. Each vulnerability was promptly patched by SAP after being reported. However, SEC Consult deliberately waited until now to disclose the technical details and proofs of concept (PoCs) to allow sufficient time for SAP to address the issues comprehensively. Although the patches are available, unpatched systems still pose a risk to organizations.

Johannes Greil, head of the SEC Consult Vulnerability Lab, emphasized the severity of the situation and advised organizations to implement the patches and necessary configuration changes immediately, as the issues carry critical risks. Greil further mentioned that SEC Consult had already informed many customers back in March 2023 and urged them to patch due to the high business risk associated with these vulnerabilities.

Technical Details of the Vulnerabilities

SEC Consult identified four vulnerabilities, each with its own unique impact:

  1. CVE-2021-27610: An authentication bypass vulnerability in AS ABAP that allows adversaries to escalate privileges on affected systems. Successful exploitation can lead to full system compromise.
  2. CVE-2021-33677: An information disclosure vulnerability in the AutoABAP/bgRFC Interface that enables an adversary to remotely enumerate user accounts and execute specific requests to targeted hosts and ports.
  3. CVE-2021-33684: A memory corruption bug that can be exploited to remotely crash processes, gain remote code execution, and corrupt data.
  4. CVE-2023-0014: A design issue that allows attackers to move laterally across networks within SAP system environments.

Greil highlighted CVE-2023-0014 and CVE-2021-27610 as particularly critical vulnerabilities, as their combination permits easy lateral movement within SAP systems. He emphasized the need for a deep understanding of SAP's technology stack and naming conventions to perform such lateral attacks.

Expert Recommendations

In light of these vulnerabilities, organizations using SAP's Application Server for ABAP are advised to prioritize the following actions:

  1. Implement the available patches and necessary configuration changes immediately to mitigate the risks.
  2. Ensure regular updates and monitoring of patches provided by SAP to address any potential future vulnerabilities.
  3. Strengthen cybersecurity measures by leveraging defense-in-depth strategies, such as network segmentation, strong access controls, and multifactor authentication.
  4. Regularly conduct security assessments and penetration tests to identify and address any other vulnerabilities or weaknesses in the SAP environment.

While SAP has been proactive in addressing the reported vulnerabilities, organizations must remain vigilant and take steps to protect their systems and critical data. It is crucial to swiftly address any potential security threats and ensure the ongoing security of business-critical applications.
