Unauthenticated JNDI Injection in SAP Enterprise Portal
Impact On Business
An unauthenticated attacker with access to the HTTP(S) port of an SAP Enterprise Portal would be able to turn on deployed applications. As a consequence, applications that were deliberately stopped may be turned on again, which could lead to further severe consequences.
This vulnerability is part of a larger family of bugs named P4CHAINS. Combined, this group of bugs may cause more serious consequences and expose systems to worse scenarios. For more information please visit: https://onapsis.com/blog/p4chains-vulnerabilities-where-the-risk-from-the-whole-is-greater-than-the-sum
Affected Components Description
SAP Enterprise Portal (EP) is the Web front-end component for SAP NetWeaver, the comprehensive integration and application platform that facilitates the alignment of people, information, and business processes across organizational and technical boundaries. Based on NetWeaver Java, SAP EP serves as a single point of access to SAP and non-SAP information sources, enterprise applications, information repositories, databases and services, inside and outside your organization.
Vulnerability Details
As a solution based on the SAP NetWeaver Java layer, EP exposes several web applications.
These web applications can have a status of “started” or “stopped” depending on their configuration. Only administrators should be able to turn them on or off, through the NetWeaver Administrator (NWA) interface.
Among the applications that are shipped with EP and started by default is one called “NavigationServlet”. This application controls and manages navigation activity inside the Portal and, because of its nature, it can be accessed without authentication.
Due to a lack of input sanitization, multiple JNDI injection points were found in the implementation of this application. As a consequence, an attacker without credentials could exploit this flaw in order to turn on applications that were deployed but stopped.
The attacker could also leverage this as a post-exploitation technique: being able to turn on applications that, for instance, were turned off because of known vulnerabilities, or that are meant to be turned on only in secure and controlled scenarios.
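The root cause described above is the CWE-917 pattern: an attacker-controlled string reaches a JNDI lookup unchanged, so an unauthenticated caller can name any object in the naming tree rather than only the navigation nodes the servlet is meant to resolve. The following is an added example, not SAP's code: a constructed in-memory naming tree with hypothetical names stands in for the server's JNDI tree, and the unvalidated lookup is shown next to a hardened version that allowlists the node name and confines the lookup to the navigation subtree.

```python
"""Constructed model of a JNDI-style lookup fed by unauthenticated input (not SAP's code)."""
import re


class Application:
    """Stands in for a deployment-control object reachable through the naming tree."""

    def __init__(self, name, started):
        self.name, self.started = name, started

    def start(self):
        self.started = True
        return self.started


class NamingContext:
    """Hypothetical naming tree: public navigation nodes plus a privileged control object."""

    def __init__(self):
        self._tree = {
            "navigation/portal_home": "home-node",
            "navigation/reports": "reports-node",
            "deploy/control/legacy_app": Application("legacy_app", started=False),
        }

    def lookup(self, name):
        if name not in self._tree:
            raise KeyError(name)
        return self._tree[name]


def resolve_node_vulnerable(ctx, user_supplied_name):
    """Vulnerable pattern: the caller-controlled string goes straight to lookup()."""
    return ctx.lookup(user_supplied_name)


# Navigation node names are short identifiers; path separators, scheme prefixes
# (ldap:, rmi:, java:) and any other JNDI syntax fail this pattern and are rejected.
_NODE_NAME = re.compile(r"[A-Za-z0-9_]{1,64}")


def resolve_node_hardened(ctx, user_supplied_name):
    """Hardened pattern: validate the identifier, then look up only under navigation/."""
    if not _NODE_NAME.fullmatch(user_supplied_name):
        raise ValueError("invalid navigation node name")
    return ctx.lookup("navigation/" + user_supplied_name)


def hardened_rejects(ctx, user_supplied_name):
    """True if the hardened resolver refuses the name before any lookup happens."""
    try:
        resolve_node_hardened(ctx, user_supplied_name)
    except ValueError:
        return True
    return False
```

The same allowlist-then-prefix shape applies to any lookup API (JNDI, LDAP DN, file path) that takes a composite name: never let the caller choose the subtree.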
Solution
SAP has released SAP Note 3289994 which provides patched versions of the affected components.
The patches can be downloaded from: https://launchpad.support.sap.com/#/notes/3289994
Onapsis strongly recommends that SAP customers download the related security fixes and apply them to the affected components in order to reduce business risk.
Report Timeline
- 11/07/2022: Vulnerability reported to vendor.
- 11/09/2022: Vendor provides incident number.
- 11/29/2022: SAP rebuts the originally submitted CVSS score of 8.5.
- 12/01/2022: Onapsis justifies the chosen CVSS score.
- 12/07/2022: SAP asks whether the finding is reproducible in the latest Support Package.
- 12/08/2022: Onapsis answers back confirming that it is.
- 01/26/2023: Onapsis sends new information about potential new ways of exploitation discovered.
- 02/07/2023: SAP asks some questions about the latest exploits.
- 02/14/2023: Onapsis replies with new PoCs and answers to SAP’s questions.
- 04/11/2023: Patch released.
REFERENCES
- Onapsis blogpost: https://onapsis.com/blog/sap-security-patch-day-january-2023
- CVE Mitre: https://nvd.nist.gov/vuln/detail/CVE-2023-0017
- Vendor Patch: https://me.sap.com/notes/3289994/E
- Black Hat Talk: https://www.blackhat.com/us-23/briefings/schedule/#chained-to-hit-discovering-new-vectors-to-gain-remote-and-root-access-in-sap-enterprise-software-31340
- P4chains blogpost: https://onapsis.com/blog/p4chains-vulnerabilities-where-the-risk-from-the-whole-is-greater-than-the-sum
Advisory Information
- Public Release Date: 01/10/2024
- Security Advisory ID: ONAPSIS-2023-0003
- Researcher(s): Pablo Artuso
Vulnerability Information
- Vendor: SAP
- Affected Components:
  - Java Kernel versions:
    - 7.50.3301.472568.20220902101413
    - 7.50.3301.467525.20210601093523
    - 7.50.3301.407179.20200416085516
  - EP-PIN-NAV (com.sap.portal.navigation.afp.AFPEar):
    - 7.5025.20220721055514.0000
  (Check SAP Note 3252433 for detailed information on affected releases)
- Vulnerability Class:
- CWE-306: Missing Authentication for Critical Function
- CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement (‘Expression Language Injection’)
- CVSS v3 score: 6.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)
- Risk Level: Medium
- Assigned CVE: CVE-2023-28761
- Vendor Patch Information: SAP Security Note 3289994
ABOUT OUR RESEARCH LABS
Onapsis Research Labs provides the industry with analysis of key security issues that impact mission-critical systems and applications.
Delivering frequent and timely security and compliance advisories with associated risk levels, Onapsis Research Labs combines in-depth knowledge and experience to deliver technical and business context with sound security judgment to the broader information security community.
Find all reported vulnerabilities at https://github.com/Onapsis/vulnerability_advisories
This advisory is licensed under a Creative Commons 4.0 BY-ND International License