A blast from the past
As a result of our SAP research, we published several blogs about SAP Master Data Management in the past few months. This research started years earlier, but never got the full attention it deserved because other priorities took longer than foreseen. While going over the list of findings in SAP MDM from our research, we found some vulnerabilities in this area, some dating back to 2016, that might still be interesting to share and learn from. So, let’s look at some of them:
- SAP MDM plaintext password disclosure in log
One of the oldest findings is a plaintext password disclosure in the SAP MDM logs. If you connect to the SAP MDM repository via the MDM Manager and mistype the password, the wrong password itself is written to the MDM log.
For example, in the logon attempt below we use the password “Wrong_password”:
This leads to an entry in the MDS_log like this:
Here, the log shows the plaintext password. In this case it is a completely made-up password, but in a real-life scenario users often make just one small typo, which makes it rather easy to figure out the correct password, especially when the password is based on real words. For example, the incorrect password “Welcome_202q” can easily be guessed as “Welcome_2021”. Since the log containing these passwords is in many cases remotely accessible without authentication, we believe this is an interesting vulnerability. As a fix was already released in 2017, we expect this to be fixed for most customers. For more details see SAP note 2424742 – Information Disclosure in SAP NetWeaver Master Data Management.
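As an added example (not code from the original post, and not from SAP), here is a small Python check a defender could run over an exported MDM log to find failed-logon entries that echo the typed password, and to redact them before the log is forwarded to a SIEM or attached to a support ticket. The log line format, user names and passwords below are constructed for the example; the real MDS_log layout is not reproduced in the post and will differ, so the regular expression would need to be adapted.

```python
"""
Added example: detect and redact plaintext passwords written to a log by a
failed logon. The log format here is a constructed approximation of an MDM
log, not the real MDS_log layout.
"""
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample log lines. Two of them echo the typed password.
SAMPLE_LOG = """\
2016-05-10 09:12:01 INFO  Repository 'Products' opened by user Admin
2016-05-10 09:13:44 ERROR Logon failed for user Admin: invalid password 'Welcome_202q'
2016-05-10 09:13:52 INFO  Repository 'Products' opened by user Admin
2016-05-10 10:02:13 ERROR Logon failed for user jsmith: invalid password 'S3cret!'
"""

# Matches the credential part of a failed-logon line (constructed format).
LEAK_RE = re.compile(r"(invalid password )'([^']*)'")
USER_RE = re.compile(r"for user (\S+):")
REDACTED = "[REDACTED]"


@dataclass
class LeakReport:
    leaked_lines: int = 0
    users: List[str] = field(default_factory=list)  # users whose typed password is exposed


def find_password_leaks(log_text: str) -> LeakReport:
    """Count log lines that still carry a plaintext (non-redacted) password."""
    report = LeakReport()
    for line in log_text.splitlines():
        m = LEAK_RE.search(line)
        if m and m.group(2) != REDACTED:
            report.leaked_lines += 1
            u = USER_RE.search(line)
            report.users.append(u.group(1) if u else "<unknown>")
    return report


def redact_passwords(log_text: str) -> str:
    """Replace the echoed password with a fixed marker, keeping the rest of the line."""
    return "\n".join(
        LEAK_RE.sub(r"\1'" + REDACTED + "'", line) for line in log_text.splitlines()
    )


if __name__ == "__main__":
    before = find_password_leaks(SAMPLE_LOG)
    print(f"leaked lines: {before.leaked_lines}, users: {before.users}")
    print(redact_passwords(SAMPLE_LOG))
```

Running `find_password_leaks` over the real log is a quick way to confirm whether the fix from SAP note 2424742 is in place on a given system: after patching, failed logons should no longer produce matches. Redaction is a stop-gap for logs that already exist or for forwarding pipelines; it does not replace the patch.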
- Unauthenticated SMB relaying in SRM MDM Catalog import
Another vulnerability, dating back to 2018, is an unauthenticated SMB relay vulnerability, which means it is only relevant when running SAP MDM on a Windows server. It allows an unauthenticated user to force the MDM server to send the password hash of its OS user to a share under the attacker's control. The captured hash can then be brute-forced to retrieve the plaintext password of the OS user. The vulnerability has a CVSS score of 8.6 and was assigned CVE-2018-2449.
To abuse the vulnerability, one could browse to the URL that is available without authentication: http://<host>:<port>/webdynpro/resources/sap.com/tc~mdm~srmcat~import1/SRM_MDM_SM_1# and fill in the SMB share name of a share under your control.
This forces the SAP MDM Server to send the password hash to that share, where it can be captured and brute-forced offline to retrieve the plaintext password. A fix is provided in SAP Security note 2655250 – [CVE-2018-2449] Missing Authentication check in SAP SRM MDM Catalog.
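As an added example (not code from the original post, and not from SAP), the following Python snippet shows two defender-side controls for the pattern behind CVE-2018-2449: validating a user-supplied UNC share path against an allowlist of internal file servers, and flagging outbound SMB connections from the MDM host to anything that is not an allowlisted file server in firewall logs. The host names, IP addresses, allowlists and log lines are all constructed for the example.

```python
"""
Added example: input validation and egress detection for a server-side
component that opens a user-supplied SMB share. Names and addresses are
constructed; adapt the allowlists to your environment.
"""
import ipaddress
import re
from typing import List, Optional

# Constructed allowlists: the only file servers the catalog import should touch.
ALLOWED_SHARE_HOSTS = {"fs01.corp.example", "fs02.corp.example"}
ALLOWED_SHARE_IPS = {"10.1.5.10", "10.1.5.11"}
MDM_SERVER_IP = "10.1.2.3"  # constructed address of the SAP MDM host

# \\host\share with an optional sub-path; no other forms are accepted.
UNC_RE = re.compile(r"^\\\\([^\\]+)\\([^\\]+)(\\.*)?$")


def validate_share_path(path: str) -> Optional[str]:
    """Return None if the path is acceptable, otherwise a rejection reason."""
    m = UNC_RE.match(path)
    if not m:
        return "not a UNC path of the form \\\\host\\share"
    host = m.group(1).lower()
    try:
        ipaddress.ip_address(host)
        return "IP-literal hosts are not allowed; use an allowlisted server name"
    except ValueError:
        pass  # not an IP literal, continue with the name check
    if host not in ALLOWED_SHARE_HOSTS:
        return f"host {host!r} is not an allowlisted file server"
    return None


# Constructed firewall log lines (key=value style) for the detection check.
FW_LOG = """\
2018-03-01T10:00:00Z src=10.1.2.3 dst=10.1.5.10 dport=445 proto=tcp action=allow
2018-03-01T10:00:05Z src=10.1.2.3 dst=203.0.113.7 dport=445 proto=tcp action=allow
2018-03-01T10:00:09Z src=10.1.2.3 dst=203.0.113.7 dport=443 proto=tcp action=allow
2018-03-01T10:01:00Z src=10.1.9.9 dst=203.0.113.7 dport=445 proto=tcp action=allow
"""
FW_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+)")


def suspicious_smb_egress(log_text: str, mdm_ip: str = MDM_SERVER_IP) -> List[str]:
    """Destinations the MDM host connected to on TCP 445 that are not allowlisted."""
    hits = []
    for line in log_text.splitlines():
        m = FW_RE.search(line)
        if not m:
            continue
        src, dst, dport = m.group(1), m.group(2), int(m.group(3))
        if src == mdm_ip and dport == 445 and dst not in ALLOWED_SHARE_IPS:
            hits.append(dst)
    return hits


if __name__ == "__main__":
    for p in (r"\\fs01.corp.example\catalog", r"\\203.0.113.7\share", "C:\\temp"):
        print(p, "->", validate_share_path(p) or "ok")
    print("unexpected SMB egress to:", suspicious_smb_egress(FW_LOG))
```

The allowlist check is the kind of validation the unauthenticated import page lacked, but on its own it is not sufficient: the actual fix is SAP Security note 2655250, and blocking outbound TCP 445 from the SAP server at the firewall limits the impact of any remaining forced-authentication path. The egress check is what you would run over firewall or proxy logs to see whether the server has ever talked SMB to an unexpected host.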
As always, patch management is key to staying secure. Make sure to implement proper vulnerability management and patch management processes to address the vulnerabilities mentioned above.
For more SAP security-related news, articles, and whitepapers, please follow us on LinkedIn!
Try out Protect4S for 1 month for free or request a demo!