Addressing CISA Binding Operational Directive 22-01 for SAP

Background

On November 3rd, 2021, the US Cybersecurity and Infrastructure Security Agency (CISA) released Binding Operational Directive 22-01 – Reducing the Significant Risk of Known Exploited Vulnerabilities. This is a compulsory directive for federal executive branch departments and agencies. Implementing CISA recommendations is also generally considered a minimum best practice for enterprises.

The purpose of BOD 22-01 is to aggressively remediate known exploited vulnerabilities in order to protect federal information systems and reduce cyber incidents. These vulnerabilities are considered to pose significant risk to agencies and the federal enterprise: vulnerabilities that have previously been used to exploit public and private organizations are frequent attack vectors for malicious cyber actors of all types.

CISA has established and will maintain a catalog of known exploited vulnerabilities that carry significant risk to the federal enterprise (https://cisa.gov/known-exploited-vulnerabilities). It has further established requirements for agencies to remediate every vulnerability included in the catalog.

Introduction

The main purpose of this blog post is to help SAP Security administrators understand how to review their SAP systems in response to CISA BOD 22-01. It describes each SAP vulnerability listed in CISA's catalog of known exploited vulnerabilities and provides guidance on the steps needed to check whether a system is properly patched against each issue.

CISA’s BOD 22-01 includes the following vulnerabilities affecting SAP systems:

CVE            Description                                                   SAP Note  Due Date
CVE-2010-5326  SAP NetWeaver AS JAVA RCE (Invoker Servlet)                   1445998   05/03/2022
CVE-2016-3976  SAP NetWeaver AS Java Directory Traversal Vulnerability       2234971   05/03/2022
CVE-2016-9563  SAP NetWeaver AS JAVA XXE Vulnerability                       2296909   05/03/2022
CVE-2018-2380  SAP NetWeaver AS JAVA CRM RCE                                 2547431   05/03/2022
CVE-2020-6207  SAP Solution Manager (User Experience Monitoring)             2890213   05/03/2022
CVE-2020-6287  SAP NetWeaver AS JAVA (LM Configuration Wizard)               2934135   05/03/2022

According to BOD 22-01, vulnerabilities with a CVE assigned prior to 2021 must be addressed within 6 months of the date the BOD was issued (i.e., the due date is 3 May 2022). This applies to all SAP-related vulnerabilities listed in the catalog.

SAP has already released security notes addressing all of these software vulnerabilities. It is also worth noting that every critical SAP vulnerability listed in the catalog was identified as being exploited in the wild in the joint report released by Onapsis and SAP in April 2021.

The following section provides guidance and additional information for each CVE that security administrators will find useful when reviewing their systems.

Technical details for BOD 22-01 SAP CVEs

CVE-2010-5326 – SAP NetWeaver AS JAVA RCE (Invoker Servlet)

SAP Security Note: 1445998 – Disabling invoker servlet

CVE-2010-5326, widely known as the "Invoker Servlet" vulnerability, allows remote unauthenticated attackers to call arbitrary Java servlets without any authentication.

The invoker servlet has been disabled by default since version 7.20 (for the specific Support Packages and patch levels, refer to the SAP Security Note) and since the initial release of version 7.30. On other versions you should disable the invoker servlet by setting the "EnableInvokerServletGlobally" parameter to "false" on all Java server nodes. For step-by-step instructions on how to perform this change, refer to SAP Security Note #1445998.

CVE-2016-3976 – SAP NetWeaver AS Java Directory Traversal Vulnerability

SAP Security Note: 2234971 – Directory traversal in AS Java Monitoring

This vulnerability affects SAP NetWeaver AS Java systems. It allows remote unauthenticated attackers to read arbitrary files from the target filesystem. To verify that the system is patched against this vulnerability, check that the "J2EE ENGINE LM-CORE" component is updated to the versions specified in SAP Security Note #2234971.

CVE-2016-9563 – SAP NetWeaver AS JAVA XXE Vulnerability

SAP Security Note: 2296909 – Denial of service (DOS) vulnerability in BPM

This vulnerability affects the BPM component of SAP NetWeaver AS Java systems. It allows an attacker to cause a denial of service that prevents legitimate users from accessing the service. The attacker needs a valid username on the system to exploit this vulnerability. To verify that the system is patched against this vulnerability, check that the "BPEM-PP" component is updated to the versions specified in SAP Security Note #2296909.

CVE-2018-2380 – SAP NetWeaver AS JAVA CRM RCE

SAP Security Note: 2547431 – Directory traversal in Internet Sales Application

CVE-2018-2380 is a directory traversal vulnerability in the Internet Sales application. It allows the injection of arbitrary content into log files that can later be processed and interpreted by the Application Server, potentially leading to Remote Command Execution. To exploit this vulnerability the attacker needs credentials to access the application.

CVE-2020-6207 – SAP Solution Manager (User Experience Monitoring)

SAP Security Note: 2890213 – Missing Authentication Check in SAP Solution Manager

SAP Solution Manager (SolMan) User Experience Monitoring lacks an authentication step, which could allow a remote unauthenticated user to fully compromise all SMDAgents connected to SolMan. To verify that the system is patched against this vulnerability, check that the "LM-SERVICE" component is updated to the versions specified in SAP Security Note #2890213.

CVE-2020-6287 – SAP NetWeaver AS JAVA (LM Configuration Wizard)

SAP Security Note: 2934135 – Multiple Vulnerabilities in SAP NetWeaver AS JAVA (LM Configuration Wizard)

SAP Solution Manager (SolMan) User-Experience Monitoring lacks an authorization step and could lead a user with no authorizations to a total compromise of all SMDAgents that have been connected to SolMan. To verify if the system is patched against this vulnerability, you should check if component “LM-SERVICE” is updated to the versions specified in SAP Security note #2934135.
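The checks described in the sections above reduce to two mechanical comparisons: the installed version of each named component against the fixed version in the corresponding SAP Security Note, and the value of "EnableInvokerServletGlobally" on every Java server node. The Python script below is an added example written for this post; it is not Onapsis or SAP code. The inventory and property-dump formats, the node names, and every minimum version number in it are constructed placeholders: the real fixed versions must be taken from the notes themselves, and a release the table does not cover is reported as "unknown" rather than silently treated as patched.

```python
"""Added audit example (not Onapsis or SAP code): compare installed AS Java
component versions against the fixed versions from SAP Security Notes and
confirm the invoker servlet is disabled on every server node."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample inventory, loosely modelled on an AS Java component list
# (component, release, support package, patch level). Not real system output.
SAMPLE_INVENTORY = """\
sap.com/LM-CORE     7.50  SP012  PL0003
sap.com/BPEM-PP     7.50  SP009  PL0000
sap.com/LM-SERVICE  7.30  SP004  PL0002
"""

# Constructed sample of a per-node property dump for the Java web container.
SAMPLE_NODE_PROPERTIES = """\
[server0]
EnableInvokerServletGlobally=false
[server1]
EnableInvokerServletGlobally=true
[server2]
"""

# Fixed versions per CVE as release -> (SP, PL). These numbers are PLACEHOLDERS:
# substitute the versions listed in the SAP Security Notes named on the page.
REQUIRED = {
    "CVE-2016-3976": {"note": "2234971", "component": "LM-CORE",
                      "fixed": {"7.50": (12, 5)}},
    "CVE-2016-9563": {"note": "2296909", "component": "BPEM-PP",
                      "fixed": {"7.50": (9, 0)}},
    "CVE-2020-6207": {"note": "2890213", "component": "LM-SERVICE",
                      "fixed": {"7.20": (5, 0)}},
}


@dataclass
class Component:
    name: str
    release: str
    sp: int
    pl: int


def parse_inventory(text: str) -> Dict[str, Component]:
    """Parse the constructed inventory format into {short name: Component}."""
    comps: Dict[str, Component] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, release, sp, pl = line.split()
        short = name.split("/", 1)[-1]          # "sap.com/LM-CORE" -> "LM-CORE"
        comps[short] = Component(short, release, int(sp[2:]), int(pl[2:]))
    return comps


def check_components(inv: Dict[str, Component]) -> List[Tuple[str, str, str]]:
    """Return (cve, status, detail); status is patched/vulnerable/missing/unknown."""
    findings = []
    for cve, req in REQUIRED.items():
        comp = inv.get(req["component"])
        if comp is None:
            findings.append((cve, "missing", f"{req['component']} not installed"))
            continue
        fixed = req["fixed"].get(comp.release)
        if fixed is None:
            # A release the table does not cover is never reported as patched.
            findings.append((cve, "unknown",
                             f"release {comp.release}: check note {req['note']} manually"))
            continue
        # (SP, PL) tuples compare lexicographically: SP first, then patch level.
        status = "patched" if (comp.sp, comp.pl) >= fixed else "vulnerable"
        findings.append((cve, status,
                         f"{comp.name} {comp.release} SP{comp.sp:03d} PL{comp.pl:04d}, "
                         f"fixed in SP{fixed[0]:03d} PL{fixed[1]:04d} (note {req['note']})"))
    return findings


def parse_node_properties(text: str) -> Dict[str, Dict[str, str]]:
    """Parse '[node]' sections of key=value lines into {node: {key: value}}."""
    nodes: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            nodes[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            nodes[current][key.strip()] = value.strip()
    return nodes


def check_invoker_servlet(nodes: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Per node: disabled / enabled / not set (note 1445998 wants 'false' on all nodes)."""
    result = {}
    for node, props in nodes.items():
        value = props.get("EnableInvokerServletGlobally")
        if value is None:
            result[node] = "not set"      # relies on the release default: verify it
        elif value.lower() == "false":
            result[node] = "disabled"
        else:
            result[node] = "enabled"
    return result


if __name__ == "__main__":
    for cve, status, detail in check_components(parse_inventory(SAMPLE_INVENTORY)):
        print(f"{cve}: {status:10s} {detail}")
    for node, state in check_invoker_servlet(parse_node_properties(SAMPLE_NODE_PROPERTIES)).items():
        print(f"EnableInvokerServletGlobally on {node}: {state}")
```

Run it against an export of the real component list and node properties after replacing the placeholder version table; the "unknown" and "not set" outcomes are deliberate, since both mean the note has to be read rather than the system assumed safe.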

Onapsis CEO Mariano Nunez weighs in on Binding Operational Directive 22-01 which recommends urgent and prioritized remediation of the vulnerabilities for business-critical applications that threat actors are actively exploiting.