SAP Manufacturing Integration & Intelligence Lack of Server Side Validations

Impact On Business

By abusing a code injection vulnerability in SAP MII, an authenticated user with SAP XMII Developer privileges could execute code (including OS commands) on the server. Thus, they would be able to do everything an SAP Administrator is able to do. Some possible actions are:

  • Access to the SAP databases and read/modify/erase any record in any table
  • Use these servers to pivot to other servers
  • Place malware to later infect end users
  • Modify network configurations and potentially affect internal networks

Affected Components Description

SAP MII is an SAP NetWeaver AS Java based platform that enables real-time production monitoring and provides extensive data analysis tools. It functions as a data hub between SAP ERP and operational applications such as manufacturing execution systems (MES). The software collects data from production machinery, delivering real-time insights into its performance and efficiency.

Affected components:

  • XMII 15.1 lower than SP006 PL 000062
  • XMII 15.2 lower than SP003 PL 000038
  • XMII 15.3 lower than SP001 PL 000022
  • XMII 15.4 lower than SP001 PL 000007

(Check SAP Note #3022622 for detailed information on affected releases)
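To triage an inventory against the list above, the following check is an added example, not code from Onapsis or SAP. It assumes levels are recorded in the advisory's own notation ("15.1 SP006 PL 000062") and that "lower than" orders levels by support package first, then patch level; hostnames and sample levels are constructed.

```python
import re

# First fixed level per release, from the "Affected components" list above.
FIXED_LEVELS = {"15.1": (6, 62), "15.2": (3, 38), "15.3": (1, 22), "15.4": (1, 7)}
# Assumed input format, mirroring the advisory's notation: "15.1 SP006 PL 000062".
_LEVEL_RE = re.compile(r"^\s*(?:XMII\s+)?(\d+\.\d+)\s+SP\s*(\d+)\s+PL\s*(\d+)\s*$", re.I)


def parse_level(text):
    """Return (release, (sp, pl)); raise ValueError on unparseable input."""
    m = _LEVEL_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised XMII level: {text!r}")
    return m.group(1), (int(m.group(2)), int(m.group(3)))


def is_affected(text):
    """True below the fixed level, False at or above it, None if release unlisted."""
    release, level = parse_level(text)
    fixed = FIXED_LEVELS.get(release)
    if fixed is None:
        return None  # release not covered by this list; check SAP Note 3022622
    # Assumption: levels order as (SP, PL) tuples, so any older SP counts as lower.
    return level < fixed


def triage(inventory):
    """Map each host to 'AFFECTED', 'ok', 'unknown' or 'unparseable'."""
    labels = {True: "AFFECTED", False: "ok", None: "unknown"}
    report = {}
    for host, text in inventory.items():
        try:
            report[host] = labels[is_affected(text)]
        except ValueError:
            report[host] = "unparseable"
    return report


# Constructed sample inventory; hostnames and levels are illustrative only.
SAMPLE = {
    "mii-prod-01": "15.1 SP006 PL 000061",
    "mii-prod-02": "XMII 15.2 SP003 PL 000038",
    "mii-dev-01": "15.4 SP000 PL 000012",
    "mii-lab-01": "14.0 SP005 PL 000001",
    "mii-lab-02": "15.3-SP1",
}

if __name__ == "__main__":
    print("\n".join(f"{h}: {s}" for h, s in triage(SAMPLE).items()))
```

Hosts reported as "unknown" or "unparseable" should be checked by hand against SAP Note 3022622 rather than treated as unaffected.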

Vulnerability Details

An integral part of SAP MII is the Self-Service Composition Environment (SSCE), which can be used to design dashboards by simple drag and drop. This dashboard creation functionality applies some client-side validations that are then not performed on the back end. This situation could allow an attacker to craft a malicious request with executable code which will be stored on the server. When such an infected dashboard is opened in production by a user having a minimum of authorizations, the malicious content gets executed, leading to remote code execution on the server.

Solution

SAP has released SAP Note #3022622 which provides patched versions of the affected components.

The patches can be downloaded from https://launchpad.support.sap.com/#/notes/2983204.

Onapsis strongly recommends that SAP customers download the related security fixes and apply them to the affected components in order to reduce business risks.

Report Timeline

  • 02/01/2021: Onapsis sends details to SAP
  • 02/04/2021: SAP provides internal ID
  • 02/08/2021: SAP provides update: “In progress”
  • 03/08/2021: SAP provides update: Vulnerability fixed. SAP Security Note released: 3022622

REFERENCES

Advisory Information

  • Public Release Date: 06/14/2021
  • Security Advisory ID: ONAPSIS-2021-0012
  • Vulnerability Submission ID: 872
  • Researcher(s): Nicolas Raus

Vulnerability Information

  • Vendor: SAP
  • Vulnerability Class: [CWE-94] Improper Control of Generation of Code (‘Code Injection’)
  • CVSS v3 score: 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
  • Severity: Critical
  • CVE: CVE-2021-21480
  • Vendor patch Information: SAP Security Note 3022622

ABOUT OUR RESEARCH LABS

Onapsis Research Labs provides the industry analysis of key security issues that impact mission-critical systems and applications.

Delivering frequent and timely security and compliance advisories with associated risk levels, Onapsis Research Labs combine in-depth knowledge and experience to deliver technical and business-context with sound security judgment to the broader information security community.

Find all reported vulnerabilities at https://github.com/Onapsis/vulnerability_advisories

This advisory is licensed under a Creative Commons 4.0 BY-ND International License
