A cybersecurity firm has disclosed the details of critical SAP vulnerabilities, including a wormable exploit chain, that can expose organizations to attacks.
The vulnerabilities were reported to the enterprise software giant by Fabian Hagg, researcher at SEC Consult, an Austria-based cybersecurity consulting firm that is part of the Atos Group’s Eviden business. Hagg found the flaws as part of a research project that spanned three years, with patches being released by SAP in mid-2021 and January 2023.
The vulnerabilities are tracked as CVE-2021-27610, CVE-2021-33677, CVE-2021-33684 and CVE-2023-0014, and they impact products that use the SAP Application Server for ABAP component. This includes SAP ERP Central Component (ECC), S/4HANA, BW/4HANA, Solution Manager (SolMan), SAP for Oil & Gas, SAP for Utilities, Supplier Relationship Management (SRM), Human Capital Management (HCM), and Employee Central Payroll (ECP) products.
The issues, which include both design and implementation problems, were discovered during an analysis of the Remote Function Call (RFC) interface, which is designed for communication between SAP systems.
Two of the flaws have been assigned ‘critical’ severity ratings based on their CVSS score: CVE-2021-27610 and CVE-2023-0014.
Exploitation of the vulnerabilities discovered by Hagg can lead to a full system compromise. The attacker only needs network access to the targeted system.
Johannes Greil, head of the SEC Consult Vulnerability Lab, told SecurityWeek that the impacted systems are typically only reachable internally, but there may be certain products and configurations that could allow exploitation of the vulnerabilities directly from the internet. No user interaction or special permissions are required to exploit the flaws.
The vulnerabilities can be dangerous individually, but they pose an even greater risk when chained, making automated exploitation possible. The exploit chain was described as having wormable attack capabilities, enabling lateral movement in SAP environments.
While patches have been released by the vendor, organizations need to ensure that they have installed the fixes. SEC Consult recommends prioritizing systems exposed to untrusted networks. In addition to patches, configuration changes and “complex system adjustments” are required to address one of the flaws, the security firm explained.
“In case patching is not an option, we advise to limit network-wise access (RFC/HTTP) to vulnerable servers as far as possible in order to minimize the available attack surface. Furthermore, we advise to fully enforce encrypted server-to-server communications by means of HTTPS and SNC. Lastly, please refer to the additional measures described by the vendor in the corresponding SAP notes and in the FAQ for Security Note 3089413,” SEC Consult said.
The research was also presented by Hagg on Thursday at the Troopers security conference in Germany.