Researchers publish 4 critical SAP bugs
Take action: If you haven't been patching your SAP instances regularly, it's time to have a 'war room' meeting with management and decide how and when you'll be patching, because the vulnerabilities are now public together with exploit code that is ready to be customized, deployed and automated.
A technical report reveals critical vulnerabilities in SAP's Application Server for ABAP platform technology. The paper, authored by research firm SEC Consult, includes technical details and proof-of-concept code for four vulnerabilities affecting all releases and versions of SAP's NetWeaver Application Server ABAP and ABAP platform.
These flaws in the server-side implementation of the Remote Function Call (RFC) communications interface allow attackers to remotely execute arbitrary code, access critical data, move laterally to other SAP systems on the same network, and perform other malicious actions. At least one of the vulnerabilities affects the ABAP kernel, making a wide range of SAP products vulnerable.
SEC Consult warned that unauthenticated attackers could exploit these issues to take complete control of vulnerable application servers, leading to a compromise of data confidentiality, integrity, and availability. The research firm discovered and reported these vulnerabilities to SAP over the past two years, with the company issuing patches for each issue. However, SEC Consult delayed disclosing technical details to ensure SAP had enough time to address the problems effectively.
The four vulnerabilities reported by SEC Consult are:
- CVE-2021-27610 - allows for privilege escalation
- CVE-2021-33677 - information disclosure flaw that lets attackers remotely enumerate user accounts and execute specific requests
- CVE-2021-33684 - memory corruption
- CVE-2023-0014 - design issue enabling lateral movement in SAP system environments
SEC Consult classifies most of these vulnerabilities as critical, especially when CVE-2023-0014 and CVE-2021-27610 are combined, as they allow for easy lateral movement.
The vulnerabilities impact various business-critical SAP products, including:
- SAP ERP Central Component (ECC),
- SAP S/4HANA,
- SAP Business Warehouse (BW),
- SAP Solution Manager (SolMan),
- SAP for Oil & Gas (IS Oil&Gas),
- SAP for Utilities (IS-U),
- SAP Supplier Relationship Management (SRM).
Organizations running these applications are strongly advised to implement the provided patches and configuration changes immediately to mitigate the risk of exploitation by threat actors.