Unauthenticated JNDI Injection in RemoteObjectFactory P4 service

Impact On Business

An unauthenticated attacker with access to the P4 port of a Java-based SAP solution would be able to exploit a JNDI injection in order to turn on applications. As a consequence, further attacks could be executed by leveraging flaws or features in the newly turned-on applications.

This vulnerability is part of a bigger family named P4CHAINS. This group of bugs may cause more serious consequences and expose systems to worse scenarios. For more information please visit: https://onapsis.com/blog/p4chains-vulnerabilities-where-the-risk-from-the-whole-is-greater-than-the-sum

Affected Components Description

SERVERCORE/CORE-TOOLS/J2EE-FRMW components are a central part of the SAP NetWeaver Java layer.

As such, every product or solution based on that layer will be affected by this vulnerability.
Some of these products are:

  • SAP Enterprise Portal
  • SAP Solution Manager
  • SAP PI/PO
  • SAP Landscape Manager
  • etc.

Vulnerability Details

P4 is a proprietary protocol implemented by SAP in the NetWeaver Java stack. In a nutshell, this protocol is based on RMI and CORBA technologies with the goal of providing features for exchanging objects remotely. Through the P4 interface it is possible to access a number of exposed services. All those services are implemented using JavaBeans technology.

Within that list of services, RemoteObjectFactory was found. This service provides a way to execute JNDI lookups. Because of a lack of sanitization, it is possible to supply an arbitrary forged URL that ends up as the parameter of the JNDI lookup. As a consequence, an attacker may be able to exploit it and turn on applications without authentication. These turned-on applications may provide extra attack surface and options for possible post-exploitation techniques.
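As an added illustration (not code from SAP or from this advisory; the class, method names and sample names are hypothetical), the unchecked pattern the advisory describes, where a caller-supplied string reaches `InitialContext.lookup()` unchanged, beside a hardened version that accepts only plain relative names and so never hands a scheme-prefixed URL to the JNDI layer:

```java
import java.util.regex.Pattern;
import javax.naming.Context;
import javax.naming.NamingException;

/** Hypothetical lookup helper; not SAP's RemoteObjectFactory implementation. */
public class SafeJndiLookup {

    // Only plain, relative names built from safe characters are accepted.
    // ':' and "//" are excluded on purpose: a scheme prefix (ldap:, rmi:, iiop:, ...)
    // would make InitialContext.lookup() hand the string to a URL context factory,
    // which resolves it against a host chosen by the caller.
    private static final Pattern SAFE_NAME =
        Pattern.compile("^[A-Za-z0-9_][A-Za-z0-9_.\\-/]{0,255}$");

    // Vulnerable pattern: the remote caller's string is looked up as-is.
    static Object lookupUnchecked(Context ctx, String name) throws NamingException {
        return ctx.lookup(name);
    }

    // Hardened pattern: validate before the name reaches the JNDI layer.
    static Object lookupChecked(Context ctx, String name) throws NamingException {
        if (!isSafeName(name)) {
            throw new NamingException("rejected JNDI name: " + name);
        }
        return ctx.lookup(name);
    }

    static boolean isSafeName(String name) {
        if (name == null || !SAFE_NAME.matcher(name).matches()) {
            return false;
        }
        // Also refuse path traversal and scheme-like separators that the
        // character class alone would let through in the middle of a name.
        return !name.contains("..") && !name.contains("//");
    }

    public static void main(String[] args) {
        // Constructed sample names: one legitimate, three that must be rejected.
        String[] samples = {
            "ejb/OrderService", "ldap://host.example/obj", "rmi://host.example/obj", "a/../b"
        };
        for (String s : samples) {
            System.out.println(s + " -> " + (isSafeName(s) ? "allowed" : "rejected"));
        }
    }
}
```

Running `main` prints `allowed` only for `ejb/OrderService`; the allow-list is the defensive control, and the actual set of permitted names should be narrowed further to what the service legitimately needs to resolve.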

Solution

SAP has released SAP Note 3317453 which provides patched versions of the affected components.

The patches can be downloaded from https://launchpad.support.sap.com/#/notes/3317453

Onapsis strongly recommends that SAP customers download the related security fixes and apply them to the affected components in order to reduce business risks.

Report Timeline

  • 02/16/2023: Vulnerability reported to vendor.
  • 02/16/2023: Vendor provides incident number.
  • 05/09/2023: Patch released.

Advisory Information

  • Public Release Date: TBD
  • Security Advisory ID: ONAPSIS-2023-0010
  • Researcher(s): Pablo Artuso

Vulnerability Information

  • Vendor: SAP
  • Affected Components:
    • Java Kernel versions:
      • 7.50.3301.472568.20220902101413
      • 7.50.3301.467525.20210601093523
      • 7.50.3301.407179.20200416085516
    • SERVERCORE/CORE-TOOLS/J2EE-FRMW components versions:
      • 1000.7.50.24.7.20221009183400
      • 1000.7.50.22.0.20210804111800
      • 1000.7.50.2.0.20160125191600

(Check SAP Note 3317453 for detailed information on affected releases)

  • Vulnerability Class:
    • CWE-862: Missing Authorization
    • CWE-306: Missing Authentication for Critical Function
  • CVSS v3 score: 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N)
  • Risk Level: High
  • Assigned CVE: CVE-2023-30744
  • Vendor patch Information: SAP Security NOTE 3317453

ABOUT OUR RESEARCH LABS

Onapsis Research Labs provides industry analysis of key security issues that impact mission-critical systems and applications.

Delivering frequent and timely security and compliance advisories with associated risk levels, Onapsis Research Labs combines in-depth knowledge and experience to deliver technical and business context with sound security judgment to the broader information security community.

Find all reported vulnerabilities at:
https://github.com/Onapsis/vulnerability_advisories

This advisory is licensed under a Creative Commons 4.0 BY-ND International License