Arbitrary execution of RFC functions through CCM_AGS_CC_SIM_API_START

Impact On Business

This vulnerability allows an attacker to execute any function that exists in the system, therefore if there is, for example, a function that can delete/overwrite files or execute operating system commands, this could be affected from the business to a denial of service.

Affected Components Description

  • This vulnerability applies to systems with Addon ST-PI
  • ST-PI 2008_1_700 SP11 – SP31
  • ST-PI 2008_1_710 SP11 – SP31
  • ST-PI 740 SP01 – SP21

Vulnerability Details

An attacker authenticated as a user with a non-administrative role and a common remote execution authorization(S_RFC) in SAP Solution Manager and ABAP managed systems (ST-PI) – versions 2088_1_700, 2008_1_710, 740, can use a vulnerable interface(CCM_AGS_CC_SIM_API_START) to perform actions which they would not normally be permitted to.  Depending on the function executed, the attack can read or modify any user or application data and can make the application unavailable.

Solution

SAP has released SAP Note 3296476 which provides patched versions of the affected components.

The patches can be downloaded from https://me.sap.com/notes/3296476.

Onapsis strongly recommends SAP customers to download the related security fixes and apply them to the affected components in order to reduce business risks.

Report Timeline

  • 01/24/2023: Onapsis reports vulnerability to SAP
  • 03/14/2023: SAP issues the patch.

References

Back to Advisories

Advisory Information

  • Public Release Date: 09/27/2024
  • Security Advisory ID: ONAPSIS-2024-0026 – Arbitrary execution of RFC functions
  • Researcher(s): Ignacio Oliva

Vulnerability Information

  • Vendor: SAP
  • Affected Components:
    • SAP SOLUTION MANAGER 7.2 SP 13
    • SAP BASIS 7.40, SP 27

(Check SAP Note 3296476 for detailed information on affected releases)

  • Vulnerability Class: CWE-94: Improper Control of Generation of Code (‘Code Injection’)
  • CVSS v3 score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
  • Risk Level: High
  • Assigned CVE: CVE-2023-27893
  • Vendor patch Information: SAP Security NOTE 3296476


ABOUT OUR RESEARCH LABS

Onapsis Research Labs provides the industry analysis of key security issues that impact mission-critical systems and applications.

Delivering frequent and timely security and compliance advisories with associated risk levels, Onapsis Research Labs combine in-depth knowledge and experience to deliver technical and business-context with sound security judgment to the broader information security community.

Find all reported vulnerabilities at:
https://github.com/Onapsis/vulnerability_advisories

This advisory is licensed under a Creative Commons 4.0 BY-ND International License