Security Advisories

The Onapsis Research Labs delivers regular SAP® and Oracle® vulnerability research to our ecosystem of customers, partners and the information security industry.

Onapsis security advisories enable customers to better understand the security and business implications of discovered SAP and Oracle security issues. This enables organizations to prioritize patches, updates and their remediation strategies to ensure continuity of the business. Onapsis security advisories, together with vendor patches and security notes, are available for download to provide vendors and end-users with the necessary information to mitigate advanced threats to mission-critical applications running on SAP and Oracle.

Critical 06/14/2021 SAP MII

SAP Manufacturing Integration & Intelligence Lack of Server Side Validations

Impact On Business

By abusing a Code Injection in SAP MII, an authenticated user with SAP XMII Developer privileges could execute code (including OS commands) on the server. Thus, they would be able to do everything a SAP Administrator is able to do. Some possible actions are:

  • Access to the SAP databases and read/modify/erase any record in any table
  • Use these servers to pivot to other servers
  • Place malware to later infect end users
  • Modify network configurations and potentially affect internal networks


Affected Components Description

SAP MII is an SAP NetWeaver AS Java based platform that enables real-time production monitoring and provides extensive data analysis tools. It functions as a data hub between SAP ERP and operational applications such as manufacturing execution systems (MES). The software collects data from production machinery, delivering real-time insights into its performance and efficiency.

 Affected components:

  • XMII 15.1 lower than SP006 PL 000062
  • XMII 15.2 lower than SP003 PL 000038
  • XMII 15.3 lower than SP001 PL 000022
  • XMII 15.4 lower than SP001 PL 000007

(Check SAP Note #3022622 for detailed information on affected releases)


Vulnerability Details

An integral part of SAP MII is the Self-Service Composition Environment (SSCE) that can be used to design dashboards by simple drag and drop.  This dashboard creation functionality applies some client side validations which are then not performed on the back-end. T, this situation could allow an attacker to craft a malicious request with executable code which will be stored on the server. When such an infected dashboard is opened in production by a user having a minimum of authorizations, the malicious content gets executed, leading to remote code execution in the server.

 

Solution

SAP has released SAP Note #3022622 which provides patched versions of the affected components.

The patches can be downloaded from https://launchpad.support.sap.com/#/notes/2983204.

Onapsis strongly recommends SAP customers to download the related security fixes and apply them to the affected components in order to reduce business risks.


Report Timeline

  • 02/01/2021: Onapsis sends details to SAP
  • 02/04/2021: SAP provides internal ID
  • 02/08/2021: SAP provides update: "In progress"
  • 03/08/2021: SAP provides update: Vulnerability fixed SAP Security note released: 3022622

 


REFERENCES

Advisory Information

  • Public Release Date: 06/14/2021
  • Security Advisory ID: ONAPSIS-2021-0012
  • Vulnerability Submission ID: 872
  • Researcher(s): Nicolas Raus


Vulnerability Information

  • Vendor: SAP
  • Vulnerability Class: |LS|CWE-94|RS| Improper Control of Generation of Code ('Code Injection')
  • CVSS v3 score: 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
  • Severity: Critical
  • CVE:  CVE-2021-21480
  • Vendor patch Information: SAP Security Note 3022622

ABOUT OUR RESEARCH LABS

Onapsis Research Labs provides the industry analysis of key security issues that impact mission-critical systems and applications.

Delivering frequent and timely security and compliance advisories with associated risk levels, Onapsis Research Labs combine in-depth knowledge

and experience to deliver technical and business-context with sound security judgment to the broader information security community.

Find all reported vulnerabilities at https://github.com/Onapsis/vulnerability_advisories


This advisory is licensed under a Creative Commons 4.0 BY-ND International License

Request a Demo from Onapsis

Secure your 
business-critical SAP,
Oracle and SaaS apps

Get a first-hand look at the only platform built for protecting SAP and Oracle applications.

Request a demo