SAP: authentication concept with flaws | heise online

The business software SAP is a black box in many places, and little is known about how it works internally. This also offers some protection against attacks – but only until someone takes the trouble to analyze the proprietary concepts and look for vulnerabilities. That is exactly what Fabian Hagg from SEC Consult did, and he promptly uncovered vulnerabilities that, in the worst case, allow code to be injected and executed (RCE).


After a two-year disclosure process, SAP has closed all of the gaps Hagg reported with patches, and the researcher is documenting his findings in a white paper, among other things. This means a lot of work for SAP admins, because rolling out the patches is not the only part that requires effort. Further disclosures could follow these revelations.


The SAP ABAP platform offers so-called Remote Function Calls (RFCs), via which servers communicate with other SAP systems, among other things. A proprietary authentication system is used to prove their identity and authorization. It is precisely here that Hagg uncovered a whole series of vulnerabilities that allow an attacker to carry out various attacks.

This is somewhat reminiscent of Windows networks in which the outdated authentication concepts NTLM and Kerberos are used. The spectrum of possible attacks on SAP ABAP ranges from spying on network traffic to taking over an identity, for example through replay, relay or pass-the-ticket attacks. “A successful attack can lead to a complete compromise of the system,” Hagg sums up in the SEC Consult blog. The researcher even sees the potential for an SAP worm if the patches are not installed.

To fix this, SAP released a whole series of patches. CVE-2021-33677, CVE-2021-27610 and CVE-2021-33684 already appeared in 2021, followed in January 2023 by CVE-2023-0014, which really packs a punch: not only is it classified as critical with a CVSS score of 9.8, but patching is also by no means trivial.


Since the updates make quite profound changes to the design of the authentication, they not only require (planned) downtime but also a subsequent change of a profile parameter (rfc/allowoldticket4tt = 'no') for the protection to take effect. This change must be coordinated across all ABAP servers, otherwise the components will no longer interoperate correctly. Nevertheless, SAP admins should get this project off the ground as soon as possible, because attacks will follow once the vulnerabilities are known.
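Because the protective effect depends on every ABAP server in the landscape carrying the same setting, a practical first step for admins is an inventory of the parameter across the fleet. The following is an added example (not code from the article, SAP or SEC Consult) that parses profile excerpts from several servers and reports which ones still accept old tickets. It assumes a simple "name = value" profile layout; the server names and profile contents are constructed sample data, and a server with the parameter absent is treated as not yet hardened, since the article describes the explicit 'no' as the step that activates the protection.

```python
"""Fleet-wide consistency check for rfc/allowoldticket4tt.

Added example; not part of the article. Profile layout ("name = value" per
line) and all server data below are constructed assumptions.
"""
import re
from dataclasses import dataclass, field

PARAM = "rfc/allowoldticket4tt"

# Constructed sample: one profile excerpt per ABAP server (hypothetical hosts).
SAMPLE_PROFILES = {
    "erp-prd-01": "login/min_password_lng = 12\nrfc/allowoldticket4tt = no\n",
    "erp-prd-02": "login/min_password_lng = 12\nrfc/allowoldticket4tt = yes\n",
    "bw-prd-01": "login/min_password_lng = 12\n",          # parameter absent
    "crm-prd-01": "rfc/allowoldticket4tt = 'no'\n",        # quoted, as written in the article
}

# Matches "name = value"; lines starting with '#' or blank lines are ignored.
_LINE = re.compile(r"^\s*([^#=\s]+)\s*=\s*(.*?)\s*$")


def parse_profile(text):
    """Return a dict of parameter -> value, with surrounding quotes removed."""
    params = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            params[m.group(1)] = m.group(2).strip("'\"")
    return params


@dataclass
class RolloutState:
    hardened: list = field(default_factory=list)          # value is 'no'
    still_old_tickets: list = field(default_factory=list) # explicit value other than 'no'
    unset: list = field(default_factory=list)             # parameter absent (assumed: old tickets still accepted)

    @property
    def consistent(self):
        """True only when every server has the parameter explicitly set to 'no'."""
        return not self.still_old_tickets and not self.unset


def assess_fleet(profiles):
    """Classify each server by its rfc/allowoldticket4tt setting."""
    state = RolloutState()
    for server, text in sorted(profiles.items()):
        value = parse_profile(text).get(PARAM)
        if value is None:
            state.unset.append(server)
        elif value.lower() == "no":
            state.hardened.append(server)
        else:
            state.still_old_tickets.append(server)
    return state


if __name__ == "__main__":
    result = assess_fleet(SAMPLE_PROFILES)
    print("hardened:         ", result.hardened)
    print("still old tickets:", result.still_old_tickets)
    print("parameter unset:  ", result.unset)
    print("fleet consistent: ", result.consistent)
```

The point of the check is the mixed state: a landscape in which some servers already reject old tickets while others still accept or have never set the parameter is exactly the situation the article warns about, since the components then stop working together and the protection is not yet effective. In practice the profile excerpts would be collected from the real servers rather than embedded as constants.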

Hagg is now gradually documenting his findings from the research project and will also publish tools and proof-of-concept demos for the individual vulnerabilities. He hopes to lay the foundation for more people to engage with SAP security and to shed more light on the still largely unexplored concepts and protocols. However, he will not release a complete exploit that chains the individual building blocks into a successful attack, Hagg told heise Security.
