SAP Code Injection

June 14, 2018

Impact on Business

An authenticated attacker can cause a denial-of-service condition for other users, preventing them from accessing the system via the SAP GUI. Additionally, the attacker can modify or delete user-specific favorite nodes, leading to operational disruption and loss of convenience features for the affected business users.

Vulnerability Details

A specific function module in the affected system is designed to launch a web browser with a designated URL on the front end. While a white-list exists to check this URL parameter, an attacker can bypass this security measure to run binaries on client systems. By successfully exploiting this vulnerability, a remote attacker could gain unauthorized access to or modify any business information.

Solution

SAP has addressed this vulnerability by releasing SAP Security Note #2525392, which contains patched versions of the affected components. Onapsis strongly advises SAP customers to download and apply these security fixes immediately to mitigate business risks.

Report Timeline

  • 8/16/2017: Onapsis provides vulnerability information to SAP.
  • 8/17/2017: SAP confirms reception of the vulnerability report.
  • 1/10/2018: SAP releases SAP Security Note #2525392 to fix the vulnerability.
  • 5/24/2018: Onapsis releases the official security advisory.

Advisory Information

  • Public Release Date: 5/24/2018
  • Security Advisory ID: ONAPSIS-2018-016
  • Onapsis SVS ID: 00654
  • CVE: CVE-2018-2363
  • Researcher: Matias Sena
  • Vendor Provided CVSS v3: 6.5 (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L)
  • Onapsis CVSS v3: 8.0 (AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H)

Vulnerability Information

  • Vendor: SAP
  • Affected Components: SAP Netweaver ABAP 7.4
  • Vulnerability Class: CWE-96: Improper Neutralization of Directives in Statically Saved Code (‘Static Code Injection’)
  • Remotely Exploitable: Yes
  • Locally Exploitable: No
  • Authentication Required: No

Affected Components Description

SAP NetWeaver serves as the technological integration platform for SAP, providing the foundation upon which enterprise and business solutions are developed and executed.

About our Research Labs

Onapsis Research Labs provides industry analysis of key security issues that impact mission-critical systems and applications. Delivering frequent and timely security and compliance advisories with associated risk levels, Onapsis Research Labs combines in-depth knowledge and experience to deliver technical and business context with sound security judgment to the broader information security community.

Find all reported vulnerabilities at: https://github.com/Onapsis/vulnerability_advisories

This advisory is licensed under a Creative Commons 4.0 BY-ND International License.