SAP Remote Function Call (RFC) Vulnerabilities in 2023
In 2007, Onapsis CEO & Co-founder Mariano Nuñez presented several vulnerabilities and attacks affecting the RFC Protocol at Black Hat Europe. That presentation became a call-to-action for the research community to dedicate time into improving the security of SAP applications and SAP Protocols.
On June 29, 2023–sixteen years later–Fabian Hagg, a security researcher with vast experience in SAP applications, presented at the TROOPERS Conference in Heidelberg, providing details of four vulnerabilities affecting the RFC protocol. He is credited with reporting these vulnerabilities which can be chained and combined by attackers to take over SAP applications running the RFC Protocol.
SAP RFC Vulnerabilities
The presentation by Fabian Hagg incorporated the release of a whitepaper including details of the RFC protocol and some proof of concept code and details for the following vulnerabilities:
- CVE-2023-0014 (SAP Security Note 3089413) – CVSS 9.8
- CVE-2021-27610 (SAP Security Note 3007182) – CVSS 9.8
- CVE-2021-33677 (SAP Security Note 3044754) – CVSS 7.5
- CVE-2021-33684 (SAP Security Note 3032624) – CVSS 5.3
Due to the potential criticality of the disclosed vulnerabilities, unprotected SAP applications could be compromised by remote unauthenticated attackers, with potential to affect the integrity, confidentiality, and availability of these applications. Furthermore, due to the critical nature of SAP applications and its business processes, attackers could engage in performing espionage (accessing business information), sabotage (disrupting business processes) or fraud attacks (modifying business data.)
Resolving These Vulnerabilities
The solution to the different vulnerabilities are diverse and involve patching the SAP Kernel as well as upgrading the SAP_BASIS software component. In some cases, both are required so patching these vulnerabilities requires time and preparation. Some of these patches have been released two years ago and some as recently as several months ago, so it is possible that many organizations have already implemented at least some of the solutions. However, it is important to check your systems against these vulnerabilities to ensure you have both patched and upgraded your software.
I highly encourage your team to evaluate your systems against these vulnerabilities. All existing Onapsis Assess customers have the ability to check if the associated SAP Security Notes are relevant for their systems and whether they have been applied since the notes were published. Additionally, customers with the Threat Intel Center will receive an update with details of this research along with a listing of any system that is still vulnerable.