Unauthenticated read of OS files and DoS in locking P4 service

Impact On Business

An unauthenticated attacker with access to the P4 port of a Java-based SAP solution would be able to read any OS file and/or make the system hang completely by requesting application locks. As a consequence, the system's availability could be totally compromised, as users won't be able to use applications. In addition, by being able to read OS files, anonymous attackers may be able to read sensitive information, potentially allowing them to fully compromise the system.

This vulnerability is part of a bigger family named P4CHAINS. This group of bugs may cause more serious consequences and expose systems to worse scenarios. For more information, please visit: https://onapsis.com/blog/p4chains-vulnerabilities-where-the-risk-from-the-whole-is-greater-than-the-sum

Affected Components Description

The SERVERCORE/CORE-TOOLS/J2EE-FRMW components are a central part of the SAP NetWeaver Java layer.

As such, every product or solution based on that layer will be affected by this vulnerability.

Some of these products are:

  • SAP Enterprise Portal
  • SAP Solution Manager
  • SAP PI/PO
  • SAP Landscape Manager

Vulnerability Details

P4 is a proprietary protocol implemented by SAP in the NetWeaver Java stack. In a nutshell, this protocol is based on RMI and CORBA technologies, with the goal of providing features for exchanging objects remotely. Through the P4 interface, it is possible to access a number of exposed services. All those services are implemented using JavaBeans technology.

Within that list of services, **locking** was found. This service implements the management of application locks. Because none of the functions exposed by this object enforced authentication or authorization, any anonymous attacker could request locks and never release them, leading to a DoS.

Furthermore, a specific function that allowed reading the content of a file did not properly sanitize user-controlled input, leading to an arbitrary read of OS files. As a consequence, an anonymous attacker would be able to exfiltrate sensitive data or read specific files that would let them escalate privileges and get unauthorized but privileged access to the system.
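The two flaws described above (lock requests accepted without authentication, and a file path taken from the caller without sanitization) correspond to checks a remotely exposed service has to make on every call. The following sketch is an added example, not SAP's or Onapsis's code: the class, its method names, the per-caller quota and the lease length are hypothetical, the caller identity is assumed to come from an already authenticated session, and Java 16 or later is assumed for `record`.

```java
import java.io.IOException;
import java.nio.file.*;
import java.time.Instant;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical service: class, method names, quota and lease are assumptions, not SAP's API.
public class GuardedLockService {
    private static final int MAX_LOCKS_PER_CALLER = 2;
    private static final long LEASE_SECONDS = 30;
    private record Lease(String owner, Instant expires) {}
    private final Map<String, Lease> locks = new ConcurrentHashMap<>();
    private final Path baseDir;

    public GuardedLockService(Path baseDir) throws IOException {
        this.baseDir = baseDir.toRealPath();
    }

    // CWE-306 / CWE-862: every exposed method calls this first. The principal is
    // assumed to come from the authenticated session, never from the request body.
    private static String requireCaller(String principal) {
        if (principal == null || principal.isBlank()) throw new SecurityException("unauthenticated caller");
        return principal;
    }

    public synchronized boolean acquire(String principal, String resource) {
        String owner = requireCaller(principal);
        Instant now = Instant.now();
        // Leases expire, so a lock that is never released cannot block others forever.
        locks.values().removeIf(l -> l.expires().isBefore(now));
        long held = locks.values().stream().filter(l -> l.owner().equals(owner)).count();
        if (held >= MAX_LOCKS_PER_CALLER || locks.containsKey(resource)) return false;
        locks.put(resource, new Lease(owner, now.plusSeconds(LEASE_SECONDS)));
        return true;
    }

    public synchronized boolean release(String principal, String resource) {
        String owner = requireCaller(principal);
        // Only the owner of a lock may release it.
        return locks.entrySet().removeIf(e -> e.getKey().equals(resource) && e.getValue().owner().equals(owner));
    }

    public byte[] readFile(String principal, String userPath) throws IOException {
        requireCaller(principal);
        // Resolve ".." and symlinks first, then confirm the result is still under baseDir.
        Path target = baseDir.resolve(userPath).normalize().toRealPath();
        if (!target.startsWith(baseDir)) throw new SecurityException("path escapes base directory");
        return Files.readAllBytes(target);
    }
}
```

A relative path containing `..` or an absolute path both fail the `startsWith` check after resolution, and a caller that already holds its quota of locks is refused until it releases one or a lease expires.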

Solution

SAP has released SAP Note 3252433 which provides patched versions of the affected components.

The patches can be downloaded from https://launchpad.support.sap.com/#/notes/3252433

Onapsis strongly recommends that SAP customers download the related security fixes and apply them to the affected components in order to reduce business risks.

Report Timeline

  • 10/28/2022: Vulnerability reported to vendor.
  • 10/31/2022: Vendor provides incident number.
  • 03/14/2023: Patch released.

REFERENCES

Advisory Information

  • Public Release Date: TBD
  • Security Advisory ID: ONAPSIS-2023-0003
  • Researcher(s): Pablo Artuso

Vulnerability Information

  • Vendor: SAP
  • Affected Components:
    • Java Kernel versions:
      • 7.50.3301.472568.20220902101413
      • 7.50.3301.467525.20210601093523
      • 7.50.3301.407179.20200416085516
    • SERVERCORE/CORE-TOOLS/J2EE-FRMW components versions:
      • 1000.7.50.24.7.20221009183400
      • 1000.7.50.22.0.20210804111800
      • 1000.7.50.2.0.20160125191600

(Check SAP Note 3252433 for detailed information on affected releases)

  • Vulnerability Class:
    • CWE-862: Missing Authorization
    • CWE-306: Missing Authentication for Critical Function
  • CVSS v3 score: 9.9 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:H)
  • Risk Level: Critical
  • Assigned CVE: CVE-2023-23857
  • Vendor patch information: SAP Security Note 3252433

ABOUT OUR RESEARCH LABS

Onapsis Research Labs provides the industry analysis of key security issues that impact mission-critical systems and applications.

Delivering frequent and timely security and compliance advisories with associated risk levels, Onapsis Research Labs combines in-depth knowledge and experience to deliver technical and business context with sound security judgment to the broader information security community.

Find all reported vulnerabilities at https://github.com/Onapsis/vulnerability_advisories

This advisory is licensed under a Creative Commons 4.0 BY-ND International License
