Positive Technologies discovery helps to close vulnerabilities in SAP products for enterprise data storage and business process automation

Security flaws could have enabled data theft, disruption of operations

Attackers could have taken advantage of vulnerabilities in SAP software to steal passwords and session IDs, attack internal services, and pose as a user to carry out malicious actions. The vendor has already released patches for the vulnerabilities, which were discovered by Positive Technologies experts Alexandr Shvetsov and Mikhail Klyuchnikov.

Two of the vulnerabilities involve Cross-Site Scripting (XSS), which attacks the users of a legitimate site by getting that site to deliver attacker-supplied script to their browsers. The more dangerous of the pair (CVE-2017-16685, CVSSv3 score 6.9) was identified in versions 7.50 and earlier of the Universal Data Integration component of SAP Business Warehouse. The second vulnerability (CVSSv3 score 5.4) was detected in SAP NetWeaver Development Infrastructure Cockpit and is the subject of SAP Security Note 2444673.

Paolo Emiliani, Industry and SCADA Research Analyst Manager at Positive Technologies, described the dangers for unpatched systems: "Both vulnerabilities are caused by failure to properly filter values in user requests to the server. As a result, an attacker can run arbitrary JavaScript code in the user's web browser. It is enough to simply send a specially crafted link (as with CVE-2017-16685) or inject malicious code into the application page after logging in as a user (as in Security Note 2444673). In either case, the attacker can steal a user's session ID or perform actions in the application from the victim's account."

Another vulnerability identified by Positive Technologies (CVE-2017-16678, CVSSv3 score 6.6) affects SAP NetWeaver Knowledge Management Configuration Service, which is responsible for system configuration. This Server-Side Request Forgery (SSRF) vulnerability lets a logged-in attacker make the application server send arbitrary HTTP requests to hosts of the attacker's choosing, on external or internal networks, so services that are reachable only from the server become reachable to the attacker. Because the vulnerable request can also be triggered through Cross-Site Request Forgery (CSRF), the attacker does not even need an account of their own: a legitimate user who opens an attacker-controlled page while logged into the application makes the request unknowingly. The vulnerability is present in EPBC and EPBC2 versions 7.00–7.02 and KMC-BC versions 7.30, 7.31, 7.40, and 7.50.
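The defence against the SSRF described above is an outbound-request check on the server side: the target URL has to be on an allowlist, use an expected scheme, carry no embedded credentials, and resolve to a public address. The following is an added example (not SAP's code and not from the Positive Technologies advisory); the allowlisted hostnames, the fake DNS table and the sample URLs are all constructed for the demo.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Hypothetical allowlist of hosts the configuration service may contact.
ALLOWED_HOSTS = {"sld.example.corp", "updates.example.com"}
ALLOWED_SCHEMES = {"http", "https"}


def resolve_host(host):
    """Resolve a hostname to the set of addresses it currently maps to."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_public_address(ip_text):
    """True only for globally routable addresses: loopback, RFC 1918,
    link-local (including 169.254.169.254 cloud metadata), CGNAT and
    IPv6 ULA ranges all fail this test."""
    return ipaddress.ip_address(ip_text).is_global


def check_outbound_target(url, resolver=resolve_host):
    """Decide whether the server may fetch `url` on a user's behalf.
    Returns (allowed, reason). The resolver is injectable so the check
    can be exercised without network access."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username is not None or parts.password is not None:
        # "https://sld.example.corp@10.0.0.5/" parses to host 10.0.0.5,
        # so a userinfo part is a classic way to fool a string-based check.
        return False, "credentials in URL"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if host not in ALLOWED_HOSTS:
        return False, f"host {host!r} not on allowlist"
    try:
        addresses = resolver(host)
    except OSError as exc:
        return False, f"resolution failed: {exc}"
    for address in addresses:
        if not is_public_address(address):
            return False, f"{host} resolves to non-public address {address}"
    return True, "ok"


# Constructed DNS answers for the offline demo. The second allowlisted name
# has been pointed at an internal address, as with DNS rebinding.
FAKE_DNS = {
    "sld.example.corp": {"93.184.216.34"},
    "updates.example.com": {"10.0.0.5"},
}


def fake_resolver(host):
    if host not in FAKE_DNS:
        raise OSError("NXDOMAIN")
    return FAKE_DNS[host]


def run_demo():
    """Run the check over a set of constructed target URLs."""
    urls = [
        "https://sld.example.corp/sld/",
        "https://updates.example.com/patches",
        "http://127.0.0.1:50000/sap/admin",
        "http://169.254.169.254/latest/meta-data/",
        "https://sld.example.corp@10.0.0.5/",
        "gopher://sld.example.corp/",
    ]
    return {url: check_outbound_target(url, resolver=fake_resolver) for url in urls}


if __name__ == "__main__":
    for url, (allowed, reason) in run_demo().items():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {url}  ({reason})")
```

One caveat the check alone does not cover: a resolver that answers differently on the second lookup (DNS rebinding) defeats any check-then-connect sequence, so the HTTP client should connect to the address that was validated and set the Host header separately, rather than resolving the name again. Redirects returned by the target must be run through the same check before they are followed.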

An Information Disclosure vulnerability (Security Note 2527770, CVSSv3 score 4.3) is found in SAP NetWeaver System Landscape Directory, which acts as a repository of hardware and software information. An attacker could use it to scan ports and so learn sensitive details about the internal network on which the server is located.

SAP has also fixed vulnerabilities CVE-2018-2401 and CVE-2018-2366, which were discovered by the same Positive Technologies team in SAP Business Process Automation (BPA) by Redwood.

Vulnerability CVE-2018-2401 (CVSS v3 score 5.4) was detected in SAP BPA version 9.0. A logged-in user can read arbitrary server files because user-supplied XML documents are processed with external entity resolution enabled, which makes XML External Entity (XXE) injection possible. To exploit the vulnerability, an attacker sends a specially crafted XML document to the server; the error it triggers carries the contents of a server file in its text.
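The weak parser setting behind an XXE bug, shown next to its hardened form, as an added example that is not SAP's code and not from the advisory. It uses Python's xml.sax, whose `feature_external_ges` switch plays the role that the Java parser's external-entity settings play in a NetWeaver application; the "secret" file, the payload and the element names are constructed for the demo. The error-based leak described in the text is a variant of the same mechanism; the example shows the direct read, which is the part that a parser setting controls.

```python
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


class TextCollector(ContentHandler):
    """Gathers the character data the parser emits, including any text
    pulled in through expanded entities."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)

    def text(self):
        return "".join(self.parts)


def _parse(xml_bytes, resolve_external_entities):
    parser = xml.sax.make_parser()
    # feature_external_ges decides whether general external entities
    # (<!ENTITY x SYSTEM "..."> references) are fetched and expanded.
    parser.setFeature(feature_external_ges, resolve_external_entities)
    handler = TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return handler.text()


def vulnerable_parse(xml_bytes):
    """Weak configuration: external entities are resolved, so a SYSTEM
    entity pointing at a local file is replaced by that file's contents."""
    return _parse(xml_bytes, resolve_external_entities=True)


def hardened_parse(xml_bytes):
    """Hardened configuration: refuse any document that carries a DTD or
    entity declaration at all (a coarse byte-level pre-check), and keep
    external entity resolution off as the second line of defence."""
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        raise ValueError("DTD/entity declarations are not accepted")
    return _parse(xml_bytes, resolve_external_entities=False)


def xxe_payload(target_path):
    """The classic XXE document: declare an external entity that points at
    a file on the server and reference it from the body."""
    return (
        b'<?xml version="1.0"?>\n'
        b'<!DOCTYPE job [ <!ENTITY xxe SYSTEM "file://'
        + target_path.encode()
        + b'"> ]>\n'
        b"<job><name>&xxe;</name></job>"
    )


def run_demo():
    """Write a constructed secret file, feed the payload to both parsers
    and report what each gives back."""
    with tempfile.TemporaryDirectory() as tmp:
        secret_path = os.path.join(tmp, "db_password.conf")
        with open(secret_path, "w") as fh:
            fh.write("db.password=correct-horse-battery-staple")
        payload = xxe_payload(secret_path)
        leaked = vulnerable_parse(payload)
        try:
            hardened_parse(payload)
            blocked = "parsed"
        except ValueError:
            blocked = "rejected"
    return {"vulnerable": leaked, "hardened": blocked}


if __name__ == "__main__":
    print(run_demo())
```

Disabling entity resolution is the fix; the DOCTYPE pre-check is there so that a document carrying a DTD is rejected loudly instead of silently parsed with an empty entity, which makes attempts visible in logs. A production check should operate on the decoded document rather than raw bytes, since the byte pattern above would miss a UTF-16 encoded payload.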

The second vulnerability in SAP BPA (CVE-2018-2366, CVSS v3 score 4.3) involves Directory Traversal in versions 9.0 and 9.1. Incorrect server-side handling of a path supplied in the request allows an attacker to read local files on the server, including system files. Passwords and configuration files obtained this way give the attacker what is needed to bypass protection mechanisms and mount further attacks.
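The flawed pattern behind a directory-traversal bug, beside the canonicalise-then-contain check that fixes it, as an added example that is not SAP's code and not from the advisory. The directory layout, file names and contents are constructed for the demo.

```python
import os
import tempfile
from pathlib import Path


def naive_path(base_dir, requested):
    """The flawed pattern: glue the client-supplied string onto the base
    directory and trust the result. '../' sequences and absolute paths
    walk straight out of base_dir."""
    return os.path.join(base_dir, requested)


def safe_path(base_dir, requested):
    """Canonicalise first (collapse '..', follow symlinks), then require the
    result to lie inside base_dir. Raises ValueError on escape attempts."""
    if "\x00" in requested:
        raise ValueError("NUL byte in requested path")
    base = Path(base_dir).resolve()
    # A Path join with an absolute right-hand side discards the base, so an
    # absolute request resolves outside base and is rejected below.
    candidate = (base / requested).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        raise ValueError(f"{requested!r} escapes {base_dir!r}") from None
    return candidate


def read_file(path):
    with open(path, "r") as fh:
        return fh.read()


def run_demo():
    """Constructed layout: <tmp>/www/reports/q1.txt is meant to be served,
    <tmp>/etc/app.conf is not."""
    with tempfile.TemporaryDirectory() as tmp:
        www = os.path.join(tmp, "www")
        os.makedirs(os.path.join(www, "reports"))
        os.makedirs(os.path.join(tmp, "etc"))
        with open(os.path.join(www, "reports", "q1.txt"), "w") as fh:
            fh.write("quarterly report")
        with open(os.path.join(tmp, "etc", "app.conf"), "w") as fh:
            fh.write("db.password=hunter2")

        attack = "../etc/app.conf"
        results = {
            "naive_legit": read_file(naive_path(www, "reports/q1.txt")),
            "naive_attack": read_file(naive_path(www, attack)),
            "safe_legit": read_file(safe_path(www, "reports/q1.txt")),
        }
        for bad in (attack, "/etc/passwd", "reports/../../etc/app.conf"):
            try:
                safe_path(www, bad)
                results[bad] = "allowed"
            except ValueError:
                results[bad] = "rejected"
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Because `resolve()` follows symlinks before the containment test, a link inside the served directory that points outside it is rejected as well; a check that only strips `../` from the string would let that case through. Stripping or blocklisting sequences is the wrong approach in general, since encodings such as `..%2f` or overlong UTF-8 reach the file system only after decoding.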

Positive Technologies offers several products to protect SAP solutions from these and similar threats. MaxPatrol SIEM is compatible out-of-the-box with SAP systems running on SAP NetWeaver ABAP/Java. The MaxPatrol vulnerability and compliance management system enables timely identification of vulnerabilities in SAP products, inventory of SAP systems, management of updates, and analysis of settings, configurations, and access privileges. PT Application Firewall uses special security profiles to identify attacks (including zero-day attacks) targeting vulnerabilities in SAP NetWeaver, SAP ICM, SAP Management Console, and SAP SOAP RFC. In addition, PT Application Inspector supports analysis of Java applications for the SAP NetWeaver Java platform.