Protect4S SAP Security Research
Posted by Joris van de Vis, SAP Security researcher and co-founder at Protect4S
In this post, we'll look at two SAP vulnerabilities recently discovered by our Protect4S research team. Both were patched earlier this year, after the three-month disclosure grace period that SAP requests.
The vulnerabilities discussed in this article are:

| CVE | SAP Security Note | CVSS | Description |
|---|---|---|---|
| CVE-2021-21482 | 3017908 | 8.3 | Brute forcing passwords of SAP NetWeaver Master Data Management |
| CVE-2021-21483 | 3017823 | 8.2 | Retrieving plaintext passwords of the Wily Introscope admin in the SAP Solution Manager |
The above findings (on their own or combined with other vulnerabilities) might lead to a full compromise of your SAP systems and their data.
About the affected components
Our past research on SAP systems has focused largely on the traditional ABAP-based systems, so we wanted to extend it into other areas. Because SAP MDM is used by some of our customers and has a completely different setup, we decided to take a look at it.
One of the first things we did (apart from setting up a fully patched MDM Server 7.1) was go through the documentation, and, as with other SAP products, there was a lot of it. A first find came easily: one of the SAP guides for MDM states the following about the password locking mechanism:
Locking mechanisms are a common preventive measure against brute forcing of accounts. Excluding Admin accounts from that mechanism is not a good approach in our view. We understand that SAP did this to prevent administrators from being locked out of the system, but it is really not a best practice to exclude your most privileged accounts from these preventive mechanisms, as it simply allows those accounts to be brute forced over the network.
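To make the difference concrete, here is an added Python model (not code from this post, from Protect4S or from SAP MDM) that contrasts a lockout policy which exempts the Admin account with one that applies a temporary, self-expiring lock to every account. The thresholds, the 15-minute lock window and the account names are assumptions chosen for the illustration; the point it shows is how many wrong guesses each policy actually evaluates.

```python
"""Model of an account-lockout policy with and without an Admin exemption.

Added example; not part of the original post or of SAP MDM. The thresholds,
the lock window and the account names are assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class LockoutPolicy:
    max_failures: int = 5            # failures within one window before the account locks
    lock_seconds: float = 900.0      # the lock expires by itself, so nobody is locked out permanently
    exempt_accounts: frozenset = frozenset()   # accounts the lock never applies to
    _failures: dict = field(default_factory=lambda: defaultdict(list))
    _locked_until: dict = field(default_factory=dict)

    def is_locked(self, user: str, now: float) -> bool:
        until = self._locked_until.get(user)
        return until is not None and now < until

    def attempt(self, user: str, password_ok: bool, now: float) -> str:
        """Evaluate one logon attempt at time `now`; returns 'locked', 'ok' or 'fail'.

        'locked' means the attempt was rejected without the password being checked.
        """
        if self.is_locked(user, now):
            return "locked"
        if password_ok:
            self._failures.pop(user, None)
            return "ok"
        if user in self.exempt_accounts:
            return "fail"                # exempt account: every guess is evaluated, no limit
        recent = [t for t in self._failures[user] if now - t < self.lock_seconds]
        recent.append(now)
        self._failures[user] = recent
        if len(recent) >= self.max_failures:
            # This guess was still evaluated; subsequent ones are refused until the lock expires.
            self._locked_until[user] = now + self.lock_seconds
            self._failures.pop(user, None)
        return "fail"


def guesses_evaluated(policy: LockoutPolicy, user: str, n_guesses: int, interval: float = 1.0) -> int:
    """Count how many of `n_guesses` wrong passwords, sent every `interval` seconds, get evaluated."""
    return sum(
        policy.attempt(user, False, now=i * interval) != "locked"
        for i in range(n_guesses)
    )


def admin_exempt_policy() -> LockoutPolicy:
    # Mirrors the weak setup: the Admin account sits outside the locking mechanism.
    return LockoutPolicy(exempt_accounts=frozenset({"Admin"}))


def uniform_policy() -> LockoutPolicy:
    # Hardened setup: the same temporary lock for every account, Admin included.
    return LockoutPolicy()


if __name__ == "__main__":
    for name, policy in (("admin exempt", admin_exempt_policy()), ("uniform", uniform_policy())):
        evaluated = guesses_evaluated(policy, "Admin", 1000)
        print(f"{name:12s}: {evaluated} of 1000 wrong guesses against Admin were evaluated")
```

With the exemption, all 1000 guesses against Admin are evaluated; with the uniform policy only 10 are, because each block of five failures buys a 15-minute lock. A lock that expires on its own is what lets the policy cover administrators without an attacker being able to lock them out permanently, which is the concern the exemption was presumably meant to address.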
To demonstrate just how easy that is, we created a practical PoC, shown in the video below:
See this GitHub repository for the script; as a prerequisite, download a CLIX client from the SAP marketplace.
A second vulnerability was found in Wily Introscope. While troubleshooting an issue in this Java monitoring component, we found that its user and password were not stored in the SAP Secure Store, which is normally where SAP keeps sensitive data such as credentials. The password exists in plaintext outside the Secure Store, and with some further digging we found that the remote-enabled function module FM_GET_ISEMS (and also FM_GET_ISEM_BY_ID) returns the Wily Introscope Admin user including the plaintext password:
Opening the USERS table shows the plaintext user and password:
P.S. These are the default user and default password, but that is another issue… 😉
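Until the note is applied, a monitoring team can at least watch for the two function modules named above being called by anyone who has no business calling them. The following Python detection logic is an added example (not from the post, Protect4S or SAP): it filters constructed RFC call records for those function modules and reports callers outside an allowlist. The record format, the allowlisted technical user and host, and the sample lines are all constructed for the example and do not reproduce SAP's own Security Audit Log format.

```python
"""Flag RFC calls to function modules that return plaintext credentials.

Added example; not from the post or from SAP. The record format, the
allowlisted caller and the sample records are constructed for illustration
and do not mirror SAP's Security Audit Log.
"""
import csv
from collections import Counter
from io import StringIO

# The two remote-enabled function modules named in the post.
CREDENTIAL_LEAKING_FMS = {"FM_GET_ISEMS", "FM_GET_ISEM_BY_ID"}

# Hypothetical allowlist: (user, host) pairs expected to call these modules.
EXPECTED_CALLERS = {("SM_TECH_USER", "solman-app01")}

# Constructed sample records in a simplified CSV layout.
SAMPLE_LOG = """\
timestamp,caller_user,caller_host,function_module
2021-03-01T08:00:01Z,SM_TECH_USER,solman-app01,FM_GET_ISEMS
2021-03-01T08:00:05Z,JDOE,wks-4711,RFC_PING
2021-03-01T08:01:12Z,JDOE,wks-4711,FM_GET_ISEMS
2021-03-01T08:01:13Z,JDOE,wks-4711,FM_GET_ISEM_BY_ID
2021-03-01T08:02:40Z,BATCH01,solman-app01,RFC_READ_TABLE
"""


def parse_records(text: str) -> list:
    """Parse CSV records with a header row into a list of dicts."""
    return list(csv.DictReader(StringIO(text)))


def find_suspicious_calls(records: list, expected=EXPECTED_CALLERS) -> list:
    """Return calls to credential-leaking modules from callers outside the allowlist."""
    hits = []
    for rec in records:
        if rec["function_module"] not in CREDENTIAL_LEAKING_FMS:
            continue
        if (rec["caller_user"], rec["caller_host"]) in expected:
            continue
        hits.append(rec)
    return hits


def summarize(hits: list) -> Counter:
    """Count suspicious calls per (user, host) so repeated pulls stand out."""
    return Counter((h["caller_user"], h["caller_host"]) for h in hits)


def report(text: str) -> list:
    """Produce one human-readable line per offending caller."""
    counts = summarize(find_suspicious_calls(parse_records(text)))
    return [f"{user}@{host}: {n} call(s) to credential-leaking FMs" for (user, host), n in counts.items()]


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

The allowlist keeps the Solution Manager's own legitimate use from drowning out the signal; in practice it should be populated from whoever is documented to use these modules, and any new caller should be treated as worth a look rather than silently added.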
SAP MDM is not as widespread as the typical SAP ABAP- and Java-based solutions, but we still encounter it every now and then with customers. We don't see SAP MDM involved in internet-facing scenarios, which might lower the risk somewhat. Yet SAP MDM servers are always connected to the rest of the SAP landscape, and one compromised SAP MDM box may provide a way into the rest of your business-critical SAP landscape.
The Wily Introscope credentials in turn can be used to log on to the Wily Introscope control panel, which gives access to a wide range of statistics and technical data on all Java stacks in the SAP landscape, and that information can facilitate further attacks.
To get and stay in a secure state, include SAP MDM and Wily Introscope in your Vulnerability Management process, as you should for all other SAP components, and patch them when SAP Security Notes are released for them. Apply SAP Security Notes 3017908 and 3017823 to fix these specific vulnerabilities.