
Researcher outlines known RFC vulnerabilities in SAP software that lead to unauthenticated remote code execution

An attack chain presented at a German security conference could affect all enterprise software solutions running on top of SAP AS ABAP platform technology. (Image Credit: maxkabakov via Getty Images)

A researcher has documented what he says are several critical vulnerabilities affecting enterprise software solutions running on ubiquitous SAP platforms.

In a paper presented at a European cyber security conference today, Fabian Hagg outlines his work laboratory-testing the server-to-server communications bugs and design flaws discovered in SAP NetWeaver Application Server ABAP (AS ABAP) and ABAP Platform.

The laboratory analysis “yielded alternate logon material, cryptographic failures, memory corruptions, and ABAP (Advanced Business Application Programming) programming pitfalls,” he said.

The vulnerabilities relate to Remote Function Call (RFC), SAP’s long-standing proprietary interface protocol. Three of them date back to 2021 and 2022, while the fourth was discovered in January earlier this year. Two are rated 9.8 on the CVSS scale for severity. While patches have since been developed for all four, users with unpatched versions of SAP software are still vulnerable.

Hagg said the attack chain could affect all enterprise software solutions running on top of SAP AS ABAP platform technology. Impacted business-critical software could include SAP ERP Central Component, SAP S/4HANA, SAP BW/4HANA, SAP Business Warehouse, SAP Solution Manager, SAP for Oil & Gas, SAP for Utilities, SAP Supplier Relationship Management, SAP Human Capital Management, and SAP Employee Central Payroll.

Because RFC is required for all systems operating Application Server ABAP, it is “one of the most appealing targets for attacks on business-critical SAP system landscapes” and could be exploited to achieve remote code execution (RCE).

The researcher shared his findings in a technical whitepaper presented today at the Troopers cybersecurity conference in Heidelberg, Germany. The title of the paper is: “Everyone knows SAP, everyone uses SAP, everyone uses RFC, no one knows RFC: From RFC to RCE 16 years later”.

The research community has been aware of RFC vulnerabilities since 2007 when Onapsis CEO Mariano Nunez first spoke about them at a Black Hat Europe conference. In 2015, Nunez told SC Media that executing operating system commands using admin privileges to exploit an RFC vulnerability was the second most common type of attack targeting SAP proprietary protocols. Only customer and supplier portal attacks were more common, he said.

“Because of its historical significance, RFC still holds its position as the de facto standard for interconnectivity in SAP system landscapes,” Hagg said in his paper.

“Although new integration options, primarily focused on adopting REST-based data services such as those exposed via the Open Data Protocol (OData), are widely available, RFC persists in use.”

The paper outlined how four known and patched RFC-related vulnerabilities could be harnessed by threat actors to gain access to SAP systems and achieve lateral movement.

“Although the identified vulnerabilities are located in different components of the RFC interface implementation in AS ABAP, they can be combined into a pre-auth RCE exploit chain,” Hagg wrote.

An attacker could exploit an Out-of-Bounds Write vulnerability (CVE-2021-33684) to mount an attack in which a payload is prepared that triggers a Server Side Request Forgery vulnerability (CVE-2021-33677) allowing an unauthorized connection from the target system back to a rogue RFC server hosted on an attacker-controlled machine.

“At this stage of the attack, it is possible to deploy the received logon tickets (CVE-2021-27610, CVE-2023-0014) in newly crafted requests,” the paper said.

“The final payload is delivered as ABAP source code provided in a specific import parameter to function call RS_FUNCTIONMODULE_INSERT that enables [the attacker] to plant new functions into the ABAP repository, bypassing any restrictions based on system/client modifiability settings, SAP Software Change Registration (SSCR) keys and the ABAP namespaces concept.”

Hagg said SAP users who haven’t already patched should urgently update vulnerable systems to protect themselves from the kinds of RFC attack his research highlights.

“Facing the patch process complexity, this research has also shown that hidden design flaws in historically grown software products that are characterized by a high customizability standard, complex code bases, and a lock-in effect, may lead to a shared responsibility model in which both vendors and users have to take proactive actions to ensure secure operations in the long term,” he wrote.

“This involves implementing hardening measures and following a defense in depth approach for reducing the impact of unknown vulnerabilities, potentially hiding in plain sight.”

Simon Hendery

Simon Hendery is a freelance IT consultant specializing in security, compliance, and enterprise workflows. With a background in technology journalism and marketing, he is a passionate storyteller who loves researching and sharing the latest industry developments.
