The short answer is: Yes.
In most cases SAP Security Notes contain fixes for vulnerabilities. By analysing such a fix, it is possible to discover the specific related vulnerability. And by examination of the vulnerability, it becomes possible to create an exploit for it. Within the software industry, this is an unfortunate fact of life. By bringing out a fix for an explicit vulnerability in your software, anyone can analyse the fix and subsequently exploit the vulnerability.
This implies that SAP customers should apply security fixes as fast as possible to minimise the risk of exploitation.
Let’s illustrate this with an example. The following URL provides you with an overview of SAP Security Notes:
https://launchpad.support.sap.com/#/securitynotes (OSS User ID is needed for access).
To see all available SAP Security Notes, select this option at the top left of the page:
Finding a vulnerability
To search in the resulting list, you can use the Knowledge search at the top of the page and enter the following search term: SQL injection
As a result, multiple SQL injection vulnerabilities are listed. On the first page, the following SAP Security Note is listed:
2453642 – SQL Injection vulnerability in SAP NetWeaver
Open this OSS Note, scroll down to the Correction Instructions and open the corrections for a BW version of your choice, for example SAP_BW 740 – 740:
The line containing the Release keyword shows you for which component versions this OSS Note is applicable. In this case SAPKW74017 is mentioned, so this fix is present in support package 18 of component SAP_BW for version 740. In all unpatched versions having a lower support package version, this specific vulnerability is present.
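The same Release line can drive an exposure check across a landscape. The following is an added example, not code from SAP or from the note: the package-name pattern is an assumption inferred from SAPKW74017, and the inventory, its SIDs and its field names are constructed.

```python
import re

# Values taken from the page: note number, component, and the support
# package named on the correction instruction's Release line.
NOTE = "2453642"
COMPONENT = "SAP_BW"
LAST_UNFIXED_PACKAGE = "SAPKW74017"

# Assumed naming scheme, inferred from the page's example:
# "SAPK" + component letter + 3-digit release + 2-digit support package level.
PACKAGE_RE = re.compile(r"^SAPK([A-Z])(\d{3})(\d{2})$")


def parse_package(name):
    """Split a support package name into (release, level)."""
    m = PACKAGE_RE.match(name.strip().upper())
    if not m:
        raise ValueError(f"unrecognised support package name: {name!r}")
    return m.group(2), int(m.group(3))


def assess(system):
    """Classify one inventory row against the correction instruction."""
    release, last_unfixed = parse_package(LAST_UNFIXED_PACKAGE)
    comp = system["components"].get(COMPONENT)
    if comp is None:
        return "not-installed"
    if comp["release"] != release:
        # This correction instruction covers one release only; other
        # releases need the Release line of their own correction.
        return "check-other-release"
    if NOTE in system["notes"]:
        return "note-implemented"
    if comp["sp_level"] > last_unfixed:
        return "fixed-by-support-package"
    return "exposed"


def exposed_systems(inventory):
    """Return the SIDs that still need the note or a newer support package."""
    return [s["sid"] for s in inventory if assess(s) == "exposed"]


# Constructed sample inventory (hypothetical SIDs and patch levels).
INVENTORY = [
    {"sid": "BWP", "components": {"SAP_BW": {"release": "740", "sp_level": 16}}, "notes": set()},
    {"sid": "BWQ", "components": {"SAP_BW": {"release": "740", "sp_level": 17}}, "notes": {"2453642"}},
    {"sid": "BWD", "components": {"SAP_BW": {"release": "740", "sp_level": 18}}, "notes": set()},
    {"sid": "BW7", "components": {"SAP_BW": {"release": "750", "sp_level": 5}}, "notes": set()},
]
```

Systems reported as "check-other-release" are not cleared by this check; they have to be compared against the correction instruction for their own release.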
Looking at the source code of the correction instruction, the vulnerability appears to be present in function RSQVT_DO_COUNT_RFC. Further examination shows that in the fix, a check has been inserted to prevent remote execution of this function module by unauthorised callers:
The conclusion is that this function allows for arbitrary SQL to be executed remotely (or via an RFC destination with a filled-in UserID & password), and after testing we found that this is indeed the case.
An efficient exploit of this vulnerability is privilege exploitation via SQL injection of function parameters:
- creating a new SAP user (remotely) and supplying it with SAP_ALL authorisation
- supplying a super user as reference-user for an existing user in a (remote) SAP system
The function RSQVT_DO_COUNT_RFC can be executed remotely via any existing RFC destination that contains a valid SAP user ID and password. This may lead to complete system ownership. Strangely enough, SAP has marked this vulnerability with a CVSS score of only 4,7 (which corresponds with a Low Risk vulnerability), while in fact it should have been much higher.
After a new SAP Security Note has been published, there is a period with increased risk of exploitation due to reverse engineering that lasts until the note has been applied:
Patch your SAP systems the easy way
The only remedy against exploits like these is to patch your SAP systems and apply the security notes as soon as possible.
Our product Protect4S can apply up to 70% of SAP Security Notes fully automated (real patching), month after month, saving real money while keeping SAP systems safe.
Stay in control
Get our SAP Solution Manager AddOn Protect4S and stay in control of the risks from vulnerabilities inside your SAP infrastructure.