A remote code execution (RCE) vulnerability in SAP GUI (Graphical User Interface) exposes unpatched systems to malware attacks such as ransomware, ERPScan security researchers warn.
The flaw was discovered in December 2016, and SAP was informed of the issue the same month, yet a fix was released only as part of SAP’s March 2017 security updates. The flaw was found in SAP GUI for Windows 7.20 to 7.50, and was assessed with a High severity rating (a CVSS Base Score of 8.0).
SAP GUI is a platform that offers remote access to the SAP central server in a company network. To exploit the vulnerability and bypass the SAP GUI security policy to execute the code, an attacker would have to use special ABAP (Advanced Business Application Programming) code.
According to ERPScan, a company specializing in securing SAP and Oracle applications, the vulnerability could allow an attacker to “access arbitrary files and directories located in an SAP-server filesystem, including an application’s source code, configuration, and critical system files.” Actors could use the bug to obtain critical technical and business-related information stored in a vulnerable SAP system.
“When we open SAP GUI > Options > Security > Security Configuration > Open security configuration, we can see the list of rules which SAP GUI uses. These rules determine whether or not to show a security prompt during critical actions (e.g. when ABAP code wants to read a local file, download a file from the server to the client, or execute a program). Our research revealed that SAP GUI has a rule which allows reading, writing, and executing of the regsvr32.exe Windows application without the security prompt,” ERPScan explains.
The security researchers also explain that regsvr32.exe can be used to load DLL files from a remote SMB share and execute their DllMain function. To reproduce the flaw, one can compile a DLL file and upload it to an SMB share, create an ABAP program and replace the DllMain path with the share path, then execute the program.
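From a detection standpoint, the behaviour described above leaves a distinctive trace: regsvr32.exe being handed a UNC path instead of a local DLL. The following is an added example, not code from the article or from ERPScan; the process-creation record format, the sample events and the parent process name saplogon.exe are all constructed assumptions.

```python
import re
import shlex
from typing import List, Optional, Tuple

# Constructed sample process-creation records (not from the article). Format
# assumed for this example: "<parent image> -> <image>: <command line>".
SAMPLE_EVENTS = [
    r"saplogon.exe -> regsvr32.exe: regsvr32.exe /s \\fileserver\public\payload.dll",
    r"explorer.exe -> regsvr32.exe: regsvr32 /s C:\Windows\System32\msxml3.dll",
    r"cmd.exe -> regsvr32.exe: regsvr32.exe /u \\10.0.0.5\share$\x.dll",
    r"outlook.exe -> winword.exe: winword.exe /n report.docx",
    r'saplogon.exe -> regsvr32.exe: regsvr32.exe "\\srv\share\with space\lib.dll"',
]

# A UNC path starts with \\host\ (or //host/ when slashes were normalised).
UNC_PATH = re.compile(r"^(\\\\|//)[^\\/]+[\\/]")


def dll_argument(cmdline: str) -> Optional[str]:
    """Return the DLL path regsvr32 was asked to load: the first token after
    the program name that is not a /switch (e.g. /s, /u, /n)."""
    try:
        tokens = shlex.split(cmdline, posix=False)  # keep backslashes literal
    except ValueError:  # unbalanced quotes: nothing reliable to extract
        return None
    for tok in tokens[1:]:
        if tok.startswith("/") and not tok.startswith("//"):
            continue
        return tok.strip('"')
    return None


def parse_event(line: str) -> Tuple[str, str, str]:
    """Split a constructed record into (parent image, image, command line)."""
    parent, rest = line.split(" -> ", 1)
    image, cmdline = rest.split(": ", 1)
    return parent.strip(), image.strip(), cmdline.strip()


def is_remote_regsvr32(image: str, cmdline: str) -> bool:
    """True when regsvr32.exe is loading a DLL from a UNC (SMB) path."""
    if image.lower() != "regsvr32.exe":
        return False
    target = dll_argument(cmdline)
    return target is not None and UNC_PATH.match(target) is not None


def scan(events: List[str]) -> List[Tuple[str, str]]:
    """Return (parent image, remote DLL path) for every suspicious event."""
    hits = []
    for line in events:
        parent, image, cmdline = parse_event(line)
        if is_remote_regsvr32(image, cmdline):
            hits.append((parent, dll_argument(cmdline)))
    return hits
```

Local registrations such as the msxml3.dll event are ignored, while the two events whose parent is the SAP GUI process are the ones worth correlating with the ABAP-driven scenario the researchers describe.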
“The attack vector is rather trivial. By exploiting this vulnerability, an attacker can force all the SAP GUI clients within a company to automatically download malware that locks workstations and demands money in exchange for regaining control of their systems. Of note, each client has its own unique payment address, which worsens the situation,” Vahagn Vardanyan, one of the ERPScan researchers who discovered this bug, says.
Responding to a SecurityWeek inquiry, ERPScan’s Darya Maenkova explains that an attacker can create a malicious transaction and then simply compromise the SAP Server to put the transaction into autoloading. She also explains that attackers could use a remotely exploitable vulnerability to compromise the server.
“Each time a user logs in to the infected SAP server using SAP GUI, the malicious transaction will be executed, calling a program on an endpoint that downloads the ransomware. The next time a user tries to run an SAP GUI application, the malicious transaction will be executed and prevent them from logging on to the SAP Server,” Maenkova says.
Once an attacker manages to compromise a system, however, they can execute any command remotely (the command runs with the privileges of the service that executed it). This means that an attack in which a ransom is demanded in exchange for regaining access to the affected systems is only one of the possible scenarios in which the flaw can be abused. Ransomware, however, remains one of the easiest ways to mass-exploit the bug for financial gain.
The good news is that ERPScan isn’t aware of the vulnerability being exploited in the wild. Nevertheless, affected customers are advised to apply the released patch as soon as possible, as well as to implement “a vulnerability management process to continuously monitor, identify, evaluate, and mitigate vulnerabilities.”
In the case of this SAP GUI vulnerability, the patching process is a rather long and laborious operation, because the patch needs to be installed on each and every PC within the network, ERPScan explains.