Since a few months ago, some Very High CVEs have been coming for the embedded Chromium web browser control within SAP Business Client. OSS Note 2622660 shows an overview of these with CVSS Base scores ranging from 8.8 to 9.6.
Thirteen of these vulnerabilities were zero-days:
- CVE-2021-21148 – Heap buffer overflow in V8
- CVE-2021-21166 – Object recycle issue in audio
- CVE-2021-21193 – Use-after-free in Blink
- CVE-2021-21206 – Use-after-free in Blink
- CVE-2021-21220 – Insufficient validation of untrusted input in V8 for x86_64
- CVE-2021-21224 – Type confusion in V8
- CVE-2021-30551 – Type confusion in V8
- CVE-2021-30554 – Use-after-free in WebGL
- CVE-2021-30563 – Type confusion in V8
- CVE-2021-30632 – Out of bounds write in V8
- CVE-2021-30633 – Use-after-free in Indexed DB API
- CVE-2021-37973 – Use-after-free in Portals
As stated in SAP Help, “the Chromium web browser control does not have any direct relation or dependencies to Google’s Chrome Browser. SAP delivers the whole browser which consists of some rendering libraries and a web browser control on top. This allows you to use the Chromium web browser control within SAP Business Client without installing Chrome on your local machine. Instead of relying on settings and security concepts of an existing browser, SAP Business Client offers additional settings and mechanisms to increase the security level of the embedded web browser control.”
Exploitation
SAP’s September patches included CVE-2021-30554 (a zero-day vulnerability) which has a known exploit.
When the SAP Business client is not patched, a user could be tricked into clicking on a crafted URL which allows a remote attacker to potentially exploit heap corruption and gain control over the user’s system, thereby opening up this system for further exploits, like malware, ransomware, root-kits etc.
Security controls
As stated in OSS Note 2928874, “SAP Business Client 7.70 per default uses the Microsoft Internet Explorer WebBrowser Control to integrate applications which are not based on the SAP GUI for Windows”, however using the Personalize dialogue of SAP Business Client, the browser control used for rendering can be changed.
A problem of the Chromium web browser control is, that the version shipped with the Business client does not have the Sandbox functionality which prevents arbitrary run code from doing damage to the system.
In addition, certain security-related controls need to be supplied, such as a whitelist and several security-related parameters. See the SAP Help page for this.
Update frequency
The Chromium web browser control has quite a version history, but SAP brings out monthly updates for the browser control Google Chromium delivered as part of the SAP Business Client.
The problem here is that the monthly frequency of updates is a bit high for a business environment, much higher than the SAPGUI client, for example.
In larger companies, new software must be tested and packaged first before it can be distributed company-wide. Depending on the company patch processes, this may take longer than a month.
The roll-out package should involve specific security settings (whitelist & security parameters) to minimize the risk of exploitation.
Delays in patching (“patch-gapping”) may cause increased risks of exposure.
References
2928874 – SAP Business Client 7.70: Prerequisites and restrictions
SAP Business Client (SAP Help)
Protect4S
To keep SAP systems safe, SAP Customers need a Vulnerability Management process. Protect4S offers an automated SAP Vulnerability Management Solution that can execute thousands of security checks in complex and large SAP environments, present the findings in a clear manner and offer mitigation and remediation advice based on SAP’s own Best Practices.
Protect4S offers a free trial so you can experience how much easier SAP Platform Security becomes with Protect4S and how easy it is to start up and work with it.
Give us a try!
