Arbitrary execution of RFC functions through CCM_AGS_CC_SIM_API_START

Impact On Business

This vulnerability allows an attacker to execute any function that exists in the system, therefore if there is, for example, a function that can delete/overwrite files or execute operating system commands, this could be affected from the business to a denial of service.

Affected Components Description

• This vulnerability applies to systems with Addon ST-PI
• ST-PI 2008_1_700 SP11 – SP31
• ST-PI 2008_1_710 SP11 – SP31
• ST-PI 740 SP01 – SP21

Vulnerability Details

An attacker authenticated as a user with a non-administrative role and a common remote execution authorization(S_RFC) in SAP Solution Manager and ABAP managed systems (ST-PI) – versions 2088_1_700, 2008_1_710, 740, can use a vulnerable interface(CCM_AGS_CC_SIM_API_START) to perform actions which they would not normally be permitted to.  Depending on the function executed, the attack can read or modify any user or application data and can make the application unavailable.

Solution

SAP has released SAP Note 3296476 which provides patched versions of the affected components.

The patches can be downloaded from https://me.sap.com/notes/3296476.

Onapsis strongly recommends SAP customers to download the related security fixes and apply them to the affected components in order to reduce business risks.

Report Timeline

• 01/24/2023: Onapsis reports vulnerability to SAP
• 03/14/2023: SAP issues the patch.

References

• Onapsis blogpost: https://onapsis.com/blog/sap-patch-day-march-2023/
• CVE Mitre: https://www.cve.org/CVERecord?id=CVE-2023-27893
• Vendor Patch: https://me.sap.com/notes/3296476