SAP Security Patch Day February 2022: Severe HTTP Smuggling Vulnerabilities in SAP NetWeaver

SAP Security Notes Blog

Highlights of February SAP Security Notes analysis include:

  • February Summary – 22 new and updated SAP security patches released, including eight HotNews Notes and three High Priority Notes.
  • New CISA Alert – The U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) has listed three new vulnerabilities affecting almost every SAP customer.
  • Onapsis Research Labs Collaboration – Close partnership with SAP to report the new critical vulnerabilities, provide the technical details, and support mitigation.

SAP has published 22 new and updated Security Notes on its February Patch Day (including the notes that were released or updated since last Patch Tuesday). This includes eight HotNews Notes and three High Priority Notes. 

SAP’s February Patch Tuesday brings new extremely critical vulnerabilities in all SAP applications that are based on SAP NetWeaver. They allow an unauthenticated attacker to remotely access an affected SAP application and gain full control of the system.

The details of these critical vulnerabilities will be discussed later in this post. Let’s first focus on the high number of released HotNews notes.

Most of the February HotNews notes are only updates, or they close the “Log4j gap” found in additional SAP applications. Although these vulnerabilities were found earlier, the corresponding patches were not provided until SAP’s January Patch Day.

SAP Security Notes #3130920 and #3142773 patch the Log4j vulnerability in SAP Data Intelligence and SAP Commerce. SAP Security Note #3132922 is an update of a Log4j patch for SAP Internet of Things Edge Platform that now includes version 2.17.1 of the log4j library and thus, also now covers CVE-2021-44832.

SAP HotNews Note #3133772 is also related to Log4j and contains a minor textual update:  CVE-2021-44228 was missing in the “Symptom” section of the note. The central Log4j SAP Security Note #3131047 was updated accordingly. Of course, all of these notes are tagged with a CVSS of 10.

HotNews Note #2622660 is the continuously recurring SAP Security Note for SAP Business Client that provides a patch that contains the latest tested Chromium release 97.0.4692.99. SAP Business Client customers already know that updates of this note always contain important fixes that must be addressed. The note references 91 Chromium fixes and it states a maximum CVSS score of 8.8 for the patched vulnerabilities. This is a surprisingly low value considering that three Priority Critical and 47 Priority High issues were resolved since the last supported Chromium release. (The last two numbers only reflect vulnerabilities that were reported externally, as Google doesn’t provide information about internally detected issues.)


Onapsis Research Labs Detect Three Severe HTTP Smuggling Vulnerabilities in SAP NetWeaver

HTTP Request Smuggling is a technique for interfering with the way a website processes sequences of HTTP requests that are received from one or more users. Such attacks can have different root causes:

In September 2021, SAP patched an HTTP Smuggling vulnerability (CVE-2021-3816) in collaboration with the Onapsis Research Labs. This vulnerability is due to the fact that, under certain circumstances, the SAP Web Dispatcher and the SAP back-end systems did not use the same method to interpret the length of an HTTP message. An attacker could send messages using both methods and provide different conflicting information. As a result, the back-end systems were not able to clearly identify and separate each individual message. This could be leveraged by an attacker in order to gain control of requests issued by other users, and even obtain sensitive information by retrieving the victim’s requests and responses.
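The root cause described above is a disagreement between two parsers over where one HTTP message ends. The following added example (not code from the Onapsis post, SAP Web Dispatcher, or ICM) is a gateway-side framing check: it computes the body boundary of a raw HTTP/1.1 request under the Content-Length rule and under the Transfer-Encoding: chunked rule and reports the request as ambiguous when the framing headers conflict or the two rules disagree, which is the condition a reverse proxy should refuse to forward. The sample request and the host name are constructed.

```python
# Added example, not Onapsis or SAP code: flag HTTP/1.1 requests whose
# body length is ambiguous, so a gateway never forwards a message that
# its back-end may frame differently than it does.
CRLF = b"\r\n"
HEX = b"0123456789abcdefABCDEF"

def parse_headers(raw):
    """Split a raw request into [(lower-cased name, value)] and the body bytes."""
    head, _, body = raw.partition(CRLF + CRLF)
    headers = []
    for line in head.split(CRLF)[1:]:          # skip the request line
        name, _, value = line.partition(b":")
        headers.append((name.strip().lower(), value.strip()))
    return headers, body

def end_by_content_length(headers, body):
    """Body end as a Content-Length-only parser sees it, or None if undecidable."""
    values = {v for n, v in headers if n == b"content-length"}
    if len(values) != 1 or not next(iter(values)).isdigit():
        return None                             # absent, conflicting copies, or not decimal
    return min(int(values.pop()), len(body))

def end_by_chunked(body):
    """Body end as a chunked-encoding parser sees it, or None if malformed (trailers ignored)."""
    pos = 0
    while True:
        eol = body.find(CRLF, pos)
        size_field = body[pos:eol].split(b";")[0].strip() if eol >= 0 else b""
        if not size_field or any(c not in HEX for c in size_field):
            return None                         # truncated or non-hex chunk size
        size = int(size_field, 16)
        pos = eol + 2 + size + 2                # size line, chunk data, trailing CRLF
        if pos > len(body):
            return None                         # chunk runs past the bytes we have
        if size == 0:
            return pos                          # last chunk "0\r\n\r\n" ends the body

def framing_findings(raw):
    """Reasons the request's framing is ambiguous; an empty list means it is safe to forward."""
    headers, body = parse_headers(raw)
    te = [v.lower() for n, v in headers if n == b"transfer-encoding"]
    cl = [v for n, v in headers if n == b"content-length"]
    findings = []
    if len(cl) > 1:
        findings.append("multiple Content-Length headers")
    if te and cl:
        findings.append("Transfer-Encoding and Content-Length both present")
    if te and te != [b"chunked"]:
        findings.append("non-canonical Transfer-Encoding value")
    cl_end = end_by_content_length(headers, body)
    te_end = end_by_chunked(body) if te else None
    if None not in (cl_end, te_end) and cl_end != te_end:
        findings.append(f"Content-Length frames {cl_end} body bytes, chunked frames {te_end}")
    return findings

# Constructed sample: both framing headers, and the two rules disagree on the boundary.
AMBIGUOUS = (b"POST /ping HTTP/1.1\r\nHost: example.test\r\n"
             b"Content-Length: 6\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\nEXTRA")
```

Running `framing_findings(AMBIGUOUS)` reports both the header conflict and the differing boundaries (6 bytes versus 5), while a request carrying a single plain Content-Length yields no findings.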

The newly detected vulnerabilities are all caused by incorrect memory handling in the SAP Internet Communication Manager (ICM) component when processing HTTP(S) requests. We have collectively dubbed them “ICMAD” (Internet Communication Manager Advanced Desync).

The most critical ICM vulnerability is patched with SAP Security Note #3123396, tagged with the maximum CVSS score of 10. Affected applications are:

  • SAP NetWeaver AS ABAP
  • ABAP Platform
  • SAP NetWeaver AS Java
  • SAP Content Server 7.53
  • SAP Web Dispatcher

Only scenarios where an HTTP client directly accesses an SAP application server (without passing through an HTTP gateway like SAP Web Dispatcher or a third-party load balancer or reverse proxy) are not affected — a very unlikely scenario.

The vulnerability enables unauthenticated attackers to prepend a victim’s request with arbitrary data and thus, execute functions impersonating the victim or poisoning intermediary web caches. The Onapsis Research Labs were able to validate that attackers can reliably exploit the vulnerability.

While an exploit of CVE-2021-3816 requires multiple interactions between the attacker and the vulnerable component, the situation with the newly detected vulnerability is different: an attacker needs only a single request to exploit it, which makes the attack much simpler.

Another two ICM vulnerabilities were patched by SAP in close partnership with Onapsis with SAP Security Note #3123427, tagged with CVSS scores of 8.1 and 7.5 — both exploitable by an unauthenticated remote attacker. However, they only affect SAP applications running on SAP NetWeaver AS Java. 

The first one allows attackers to send crafted HTTP requests that lead to improper shared memory buffer handling. Depending on a victim’s authorizations, this could lead to a complete system takeover through impersonating the victim or stealing the victim’s logon session.

The second vulnerability can cause a Denial-of-Service situation as memory buffers are not completely released again for new HTTP requests in certain error situations. An attacker could provoke multiple errors to block more and more memory, making it unavailable for regular user requests.

It is important to note that the CVSS score of 8.1, assigned to the first vulnerability of the two, is only due to a higher complexity of possible exploits and the fact that the scope of an attack remains unchanged. The impact on the confidentiality, integrity, and availability of the affected application is the same as for the CVSS 10 vulnerability fixed with SAP Security Note #3123396.  

The U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) has issued a Current Activity Alert relating to these vulnerabilities. CISA, SAP, and Onapsis strongly advise that all impacted organizations should apply these security notes as soon as possible, prioritizing those affected systems exposed to untrusted networks, such as the Internet.

For a deeper dive into these critical vulnerabilities by the Onapsis Research Labs, download our threat report.

More Critical SAP Security Notes in February

SAP Security Note #3140940, tagged with a CVSS score of 9.1, completes the set of the February HotNews notes. The note patches a Segregation of Duties (SoD) vulnerability in SAP Solution Manager Diagnostics Root Cause Analysis. It allows an attacker to browse files and to execute code on all connected Diagnostics Agents over the network. The attacker can completely compromise confidentiality, integrity, and availability of the system. The only thing that prevents it from being tagged with a CVSS score of 10 is the fact that a successful exploit requires admin privileges. 

SAP Security Note #3112928, tagged with a CVSS score of 8.7, was initially released on SAP’s January Patch Day and fixes two vulnerabilities in the Create Single Payment application of SAP S/4HANA. The note was updated with some minor textual changes in the “Solution” section.

SAP Security Note #3140587 is tagged with a CVSS score of 7.1 and patches an SQL Injection vulnerability in SAP NetWeaver AS ABAP (Workplace Server). The WHERE condition of an SQL statement was built dynamically, allowing an attacker to execute crafted database queries. Fortunately, only a SELECT statement was affected, so attackers were not able to modify any data.

Summary and Conclusions

While a lot of SAP customers might still be busy patching all SAP applications affected by Log4j, SAP’s February Patch Day comes with a new set of very critical vulnerabilities. This demonstrates that the need for patching will never stop for SAP customers. We are proud to have worked in close partnership with SAP’s Product Security Response Team to identify, assess, and mitigate the latest critical vulnerabilities.

Onapsis Research Labs automatically updates The Onapsis Platform with the latest threat intelligence and security guidance so that our customers can stay ahead of ever-evolving threats and protect their businesses.

For more information about the latest SAP security issues and our continuous efforts to share knowledge with the security community, subscribe to our monthly Defender’s Digest Newsletter.

ICMAD Resources