
SAP Fixes Issue on SAP NetWeaver Application Server ABAP Platform


SAP has patched a serious Improper Authentication vulnerability on SAP NetWeaver Application Server (AS) ABAP and ABAP Platform that can be used to bypass protection against external calls.

To protect customers against attacks, the SAP Product Security Response Team releases SAP Security Notes on the second Tuesday of every month to fix vulnerabilities discovered in SAP products. On 8 June 2021, 20 new and updated SAP security patches were released, including two Hot News Notes and four High Priority Notes.

SAP Security Note #3007182, with an assigned CVSS score of 9.0, provides a kernel patch and an ABAP correction to fix the Improper Authentication vulnerability on SAP NetWeaver AS ABAP and ABAP Platform.

As the central foundation for the entire SAP software stack, SAP NetWeaver AS provides a platform for other SAP NetWeaver components as well as for ABAP and Java applications. Aimed at delivering a high level of robustness and supportability for the applications running on it, the platform consists of the Application Server ABAP (AS ABAP) and the Application Server Java (AS JAVA).

The analysis released by Onapsis, an SAP ERP application security solutions provider, stated that an ABAP server could not reliably determine whether an incoming RFC (Remote Function Call) or HTTP (Hypertext Transfer Protocol) communication came from another application server of the same SAP system or from a server outside that system. Researcher Thomas Fritsch explained:

“This enabled a malicious user to abuse stolen credentials from an internal communication between two servers of the same system for external RFC or HTTP calls. The credential data could be used to establish its own connection between a malicious external program and the affected SAP system, pretending to be an internal caller.”
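The trust-boundary failure described above, reduced to a constructed model (this is an added example, not SAP kernel code, and the host names, instance names and secret are invented): a server that decides "internal caller" from the presented credential alone accepts the credential wherever it is replayed from, while a server that also checks that the connection comes from a registered application server of the same system rejects the replay.

```python
"""
Constructed model of the "internal vs. external caller" decision.
Not SAP's implementation: instance registry, hosts and secret are assumptions.
"""
from dataclasses import dataclass
import hmac

# Assumed registry of the application servers of one SAP system: the host a
# connection really comes from -> the instance name that host is allowed to claim.
INTERNAL_INSTANCES = {"prdapp01": "PRD_D01", "prdapp02": "PRD_D02"}

# Assumed shared secret used for server-to-server (internal) calls.
INTERNAL_SECRET = "s3cr3t-internal-token"


@dataclass(frozen=True)
class Call:
    peer_host: str       # taken from the network connection, not from a header
    peer_instance: str   # instance name the caller claims to be
    credential: str      # secret presented with the call
    via: str             # "RFC" or "HTTP"


def credential_ok(credential: str) -> bool:
    # Constant-time comparison of the presented secret.
    return hmac.compare_digest(credential, INTERNAL_SECRET)


def is_internal_vulnerable(call: Call) -> bool:
    # Before the fix: whoever holds the internal credential is treated as internal,
    # so a credential captured from server-to-server traffic can be replayed.
    return credential_ok(call.credential)


def is_internal_hardened(call: Call) -> bool:
    # After the fix: the credential must be valid AND the peer must be a registered
    # application server of this system whose claimed instance matches its host.
    if not credential_ok(call.credential):
        return False
    expected_instance = INTERNAL_INSTANCES.get(call.peer_host)
    return expected_instance is not None and expected_instance == call.peer_instance


def classify(call: Call, check) -> str:
    return "internal" if check(call) else "external"


# Constructed sample calls: a legitimate inter-server call, and an external
# program replaying the same secret while claiming to be instance PRD_D01.
LEGIT = Call("prdapp02", "PRD_D02", INTERNAL_SECRET, "RFC")
REPLAY = Call("attacker-vm", "PRD_D01", INTERNAL_SECRET, "HTTP")
WRONG_SECRET = Call("prdapp02", "PRD_D02", "guess", "RFC")


def demo() -> dict:
    """Verdict of both checks for each sample call, keyed by (name, check)."""
    out = {}
    for name, call in (("legit", LEGIT), ("replay", REPLAY), ("wrong", WRONG_SECRET)):
        out[(name, "vulnerable")] = classify(call, is_internal_vulnerable)
        out[(name, "hardened")] = classify(call, is_internal_hardened)
    return out


if __name__ == "__main__":
    for key, verdict in demo().items():
        print(f"{key[0]:>6} call, {key[1]:>10} check -> {verdict}")
```

The hardened check only helps if `peer_host` is the address of the actual connection (or, better, an identity proven by mutual TLS) rather than a value the caller can put in a header; a credential that cannot be bound to a specific peer is just a password that travels between servers.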

Addressing Vulnerabilities on SAP NetWeaver Application Server Platform

The Onapsis Research Labs contributed to addressing 20 vulnerabilities on SAP’s June Patch Day as part of the organisation’s objective to help SAP protect its customers. The patches are covered by six SAP Security Notes, four of which are designated as High Priority.

SAP Security Note #3053066, with a CVSS score of 8.6, fixes a missing XML validation vulnerability in SAP NetWeaver AS Java. According to Onapsis Research Labs, the lack of validation allows a user authenticated as an administrator to connect over the network and submit a malicious XML file; processing that file can consume the system's resources and crash it, a denial of service.
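What "XML validation" means in practice, as an added example that is not SAP's code: before an uploaded document reaches the real parser, reject the constructs that turn parsing into a denial of service (entity declarations and external DTD references, which enable entity-expansion bombs, plus oversized or excessively nested documents). The size and depth limits and the sample documents are constructed for the example.

```python
"""
Pre-parse validation of untrusted XML with the standard-library expat parser.
Limits and sample documents are assumptions made for this example.
"""
import xml.parsers.expat

MAX_BYTES = 1_000_000   # assumed upload limit
MAX_DEPTH = 50          # assumed nesting limit


class RejectedXML(Exception):
    pass


def validate_xml(data: bytes, max_bytes: int = MAX_BYTES, max_depth: int = MAX_DEPTH) -> str:
    """Return 'accepted' or raise RejectedXML with the reason."""
    if len(data) > max_bytes:
        raise RejectedXML(f"document too large ({len(data)} bytes)")

    parser = xml.parsers.expat.ParserCreate()
    depth = 0

    def on_entity(name, is_parameter_entity, value, base, system_id, public_id, notation):
        # Any entity declaration is refused: this is what makes 'billion laughs' work.
        raise RejectedXML(f"entity declaration '{name}' not allowed")

    def on_doctype(name, system_id, public_id, has_internal_subset):
        # Refuse external DTDs (network fetches, blocking, information leaks).
        if system_id or public_id:
            raise RejectedXML("external DTD reference not allowed")

    def on_start(name, attrs):
        nonlocal depth
        depth += 1
        if depth > max_depth:
            raise RejectedXML(f"nesting deeper than {max_depth}")

    def on_end(name):
        nonlocal depth
        depth -= 1

    parser.EntityDeclHandler = on_entity
    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError as e:
        raise RejectedXML(f"malformed XML: {e}") from e
    return "accepted"


def check(data: bytes) -> str:
    """Wrapper returning 'accepted' or 'rejected: <reason>' instead of raising."""
    try:
        return validate_xml(data)
    except RejectedXML as e:
        return f"rejected: {e}"


# Constructed sample inputs.
BENIGN = b"<?xml version='1.0'?><config><host>prdapp01</host></config>"
BOMB = (b"<?xml version='1.0'?><!DOCTYPE lolz [<!ENTITY lol \"lol\">"
        b"<!ENTITY lol2 \"&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;\">"
        b"<!ENTITY lol3 \"&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;\">]>"
        b"<lolz>&lol3;</lolz>")
EXTERNAL_DTD = b"<!DOCTYPE x SYSTEM 'http://example.invalid/x.dtd'><x/>"
DEEP = b"<a>" * 60 + b"</a>" * 60
BROKEN = b"<config><host>prdapp01</config>"

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("bomb", BOMB), ("ext-dtd", EXTERNAL_DTD),
                       ("deep", DEEP), ("broken", BROKEN)):
        print(f"{label:>8}: {check(doc)}")
```

Rejecting at the declaration, rather than relying on the parser to survive expansion, is the point: the validator stops before any amplification happens, and the same handlers work regardless of which expat version or amplification heuristics the runtime ships with.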

Meanwhile, SAP Security Notes #3021197, #3020209 and #3020104, each with a CVSS score of 7.5, patch 11 vulnerabilities that can cause memory corruption in the SAP Gateway process, the Enqueue process, the work processes and the dispatcher process.

Tagged with a CVSS score of 5.9, SAP Security Note #3021050 fixes seven vulnerabilities in the portwatcher and several interpreters by providing additional input validation of incoming IGS requests.

Lastly, the Onapsis Research Labs also discovered a Missing Authorisation vulnerability in SAP NetWeaver AS ABAP and ABAP Platform. Tagged with a CVSS score of 6.3, SAP Security Note #3002517 adds the missing authorisation checks to an RFC-enabled function module of SAP Records Management.

Collaboration Between Onapsis Research Labs and SAP

Onapsis and SAP have been collaborating closely to detect and resolve significant issues in SAP software so that customers are protected proactively. In April 2021, a cyber threat intelligence report jointly developed by the two companies provided actionable information to help customers defend their mission-critical SAP applications against active cyber threats.

Although SAP releases monthly updates to address serious vulnerabilities, customers are expected to continue to apply mitigations and system adjustments regularly to keep critical business data and processes secure and compliant.

“SAP’s June Patch Day has shown that it would be careless not to expect security issues in software components that have already existed for decades. In particular, the major kernel processes are often subject to extensions and adjustments to meet new technical requirements, so they cannot be considered ‘rock solid’ just because of their age,” Fritsch concluded.
