Server-Side Request Forgery in SAP NetWeaver, ABAP Platform and SAP Host Agent

Impact On Business

A successful attack can lead to discovering internal SAP open port information that normally is not reachable.

Affected Components Description

SAP NetWeaver Application Server for ABAP provides both the runtime environment and the development environment for all ABAP programs.

The SAP Host Agent can accomplish several life-cycle tasks like : operating system monitoring, database monitoring, system instance control or upgrade preparation. Installed automatically during the installation of the new SAP system, it’s an OS independent and mandatory application.

Vulnerability Details

The webservice GetSecNetworkId exposed by the binary sapstartsrv of SAP kernel contains a simple Server Side Request Forgery (SSRF) if the <challenge> parameter is not provided during the request. It allows an unauthenticated attacker to retrieve information from the internal network by studying different error messages as well as check if the target system can reach the outside host.

Solution

SAP has released SAP Note 3194674 which provides patched versions of the affected components.

The patches can be downloaded from https://launchpad.support.sap.com/#/notes/3194674.

Onapsis strongly recommends SAP customers to download the related security fixes and apply them to the affected components in order to reduce business risks.

Report Timeline

• 01/28/2022: Onapsis sends details to SAP
• 04/12/2022: SAP Provides update: In progress
• 05/10/2022: SAP Provides update: In progress
• 06/14/2022: SAP releases SAP Note fixing the issue.

References

• Onapsis blogpost: https://onapsis.com/blog/sap-security-patch-day-may-2022-spring4shell-vulnerabi lity-has-been-patched-six-sap-applications
• CVE Mitre: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29612
• Vendor Patch: https://launchpad.support.sap.com/#/notes/3194674