SAP Host Agent – Credential Exposure Through Log Files

Impact On Business

By exploiting this vulnerability a malicious low-privileged user can retrieve SDA credential (sapadm) as well as few technical SAP Netweaver credentials (like FRN_DPC_SID or FRN_CSA_SID), then used them to login into the SAP Netweaver or into the SDA and perform malicious or sensitive actions.

Affected Components Description

The SAP Host Agent can accomplish several life-cycle tasks like : operating system monitoring, database monitoring, system instance control or upgrade preparation. Installed automatically during the installation of the new SAP system, it’s an OS independent and mandatory application.

Vulnerability Details

If the trace level of Host Agent is set to 3, all the headers from HTTP requests are stored into /usr/sap/hostctrl/work/sapstartsrv.log including Authorization: header. The vulnerability exists in both http (1128) or https (1129) ports. The log file is readable by any user in the OS sapsys group.

Solution

SAP has released SAP Note 3158188 which provides patched versions of the affected components.

The patches can be downloaded from https://launchpad.support.sap.com/#/notes/3158188.

Onapsis strongly recommends SAP customers to download the related security fixes and apply them to the affected components in order to reduce business risks.

Report Timeline

• 01/28/2022: Onapsis sends details to SAP
• 04/12/2022: SAP Provides update: In progress
• 05/10/2022: SAP releases SAP Note fixing the issue.

References

• Onapsis blogpost: https://onapsis.com/blog/sap-security-patch-day-may-2022-spring4shell-vulnerabi lity-has-been-patched-six-sap-applications
• CVE Mitre: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28774
• Vendor Patch: https://launchpad.support.sap.com/#/notes/3158188