Unauthenticated JNDI Injection in SAP Enterprise Portal

Impact On Business

An unauthenticated attacker with access to the HTTP(s) port of a SAP Enterprise Portal, would be able to turn on deployed applications. As a consequence, stopped applications may be turned on which could lead to further severe consequences.

This vulnerability is part of a bigger family named P4CHAINS. This group of bugs may cause more serious consequences and expose systems to worst scenarios. For more information please visit: https://onapsis.com/blog/p4chains-vulnerabilities-where-the-risk-from-the-whole-is-greater-than-the-sum

Affected Components Description

SAP Enterprise Portal (EP) is the Web front-end component for SAP NetWeaver – the comprehensive integration and application platform that facilitates the alignment of people, information, and business processes across organizational and technical boundarie. Based on NetWeaver Java, SAP EP serves as a single point of access to SAP and non-SAP information sources, enterprise applications, information repositories, databases and services, in and outside your organization.

Vulnerability Details

As a solution based on the SAP Java NetWeaver layer, EP exposes several web applications.

This web applications could have a status of “started” or “stopped” depending on its configuration. Certainly, only administrators should be able to turn them on/off trough the NetWeaver Administration (NWA) interface.

Among the applications that are shipped and started by default inside EP, it is possible to find one called “NavigationServlet”. This applications controls and manages the navigation activity inside the Portal and because of its nature, it can be accessed without authentication.

Due to a lack of sanitization, multiple JNDI injection points were found in the implementation of this application. As a consequence, an attacker without credentials could exploit this flaw in order to turn on applications that were deployed but stopped.

Post exploitation techniques could be also leveraged by the attacker by being able to turn on applications that, for instance, may have been turned off because of known vulnerabilities or that they are meant to be turned on only in secure and controlled scenarios.

Solution

SAP has released SAP Note 3289994 which provides patched versions of the affected components.

The patches can be downloaded from: https://launchpad.support.sap.com/#/notes/3289994

Onapsis strongly recommends SAP customers to download the related security fixes and apply them to the affected components in order to reduce business risks.

Report Timeline

• 11/07/2022: Vulnerability reported to vendor.
• 11/09/2022: Vendor provides incident number.
• 11/29/2022: SAP rebuts the originally sent CVSS score of 8.5
• 12/01/2022: Onapsis justifies the chosen CVSS.
• 12/07/2022: SAP asks if the findings was reproducible in the latest Support Package .
• 12/08/2022: Onapsis answers back confirming it works.
• 01/26/2023: Onapsis sent new information about potential new ways of exploitation discovered.
• 02/07/2023: SAP asks some questions about the latest exploits.
• 02/14/2023: Onapsis replies with new PoC’s and answers to SAP’s questions.
• 04/11/2023: Patch released.

REFERENCES

• Onapsis blogpost: https://onapsis.com/blog/sap-security-patch-day-january-2023
• CVE Mitre: https://nvd.nist.gov/vuln/detail/CVE-2023-0017
• Vendor Patch: https://me.sap.com/notes/3289994/E
• Black Hat Talk: https://www.blackhat.com/us-23/briefings/schedule/#chained-to-hit-discovering-new-vectors-to-gain-remote-and-root-access-in-sap-enterprise-software-31340
• P4chains blogpost: https://onapsis.com/blog/p4chains-vulnerabilities-where-the-risk-from-the-whole-is-greater-than-the-sum