A cybersecurity company has brought to light critical vulnerabilities in SAP, including a wormable exploit chain, that could make organizations susceptible to attacks. These vulnerabilities were identified and reported to SAP by Fabian Hagg, a researcher at SEC Consult, a cybersecurity consulting company based in Austria and owned by Atos. The vulnerabilities were discovered during a three-year research project, with SAP releasing patches to address these issues in mid-2021 and January 2023.
The vulnerabilities are identified as CVE-2021-27610, CVE-2021-33677, CVE-2021-33684, and CVE-2023-0014, and they affect products that employ the SAP Application Server for ABAP component. This includes a range of SAP products such as SAP ERP Central Component (ECC), S/4HANA, BW/4HANA, Solution Manager (SolMan), SAP for Oil & Gas, SAP for Utilities, Supplier Relationship Management (SRM), Human Capital Management (HCM), and Employee Central Payroll (ECP) products.
These vulnerabilities, which comprise both design and implementation issues, were revealed during an analysis of the Remote Function Call (RFC) interface, a component designed for communication between SAP systems. Two of these vulnerabilities, CVE-2021-27610 and CVE-2023-0014, have been given 'critical' severity ratings based on their CVSS score.
Exploiting these vulnerabilities can lead to a complete system compromise, with the attacker only needing network access to the target system. Johannes Greil, head of the SEC Consult Vulnerability Lab, stated that these systems are usually only accessible internally, but certain products and configurations could allow exploitation of the vulnerabilities directly from the internet. No user interaction or special permissions are required to exploit these vulnerabilities.
These vulnerabilities can be harmful individually, but when chained, they pose an even greater risk, enabling automated exploitation. The exploit chain was characterized as having wormable attack capabilities, facilitating lateral movement in SAP environments.
While SAP has released patches to address these issues, it is crucial for organizations to ensure they have applied these fixes. SEC Consult advises prioritizing systems exposed to untrusted networks. In addition to patches, configuration changes and “complex system adjustments” are needed to address one of the vulnerabilities, according to the security firm.
SEC Consult also provided advice for situations where patching is not an option: 'limit network-wise access (RFC/HTTP) to vulnerable servers as far as possible in order to minimize the available attack surface. Furthermore, we advise to fully enforce encrypted server-to-server communications by means of HTTPS and SNC.'
SEC Consult has published a paper detailing these vulnerabilities and providing a thorough analysis of the RFC protocol. A blog post summarizing the findings has also been published by the company, and the research was presented by Hagg at the Troopers security conference in Germany.