HTTP Request Smuggling in SAP Web Dispatcher

Impact On Business

An unauthenticated attacker with access to the P4 port of a Java-based SAP solution would be able to read stored credentials in plain text, execute RFC functions implemented by the targeted system, or create, modify or delete stored connections. As a consequence, the system could be partially or fully compromised, depending on the attacker's skills and the existing configuration.

This vulnerability is part of a bigger family named P4CHAINS. This group of bugs may cause more serious consequences and expose systems to worse scenarios. For more information, please visit: https://onapsis.com/blog/p4chains-vulnerabilities-where-the-risk-from-the-whole-is-greater-than-the-sum

Affected Components Description

The SERVERCORE/CORE-TOOLS/J2EE-FRMW components are a central part of the SAP NetWeaver Java layer.
As such, every product or solution based on that layer will be affected by this vulnerability.

Some of these products are:

  • SAP Enterprise Portal
  • SAP Solution Manager
  • SAP PI/PO
  • SAP Landscape Manager

Vulnerability Details

P4 is a proprietary protocol implemented by SAP in the NetWeaver Java stack. In a nutshell, this protocol is based on RMI and CORBA technologies, with the goal of providing features for exchanging objects remotely. Through the P4 interface it is possible to access a number of exposed services. All of those services are implemented using JavaBeans technology.

Among those services is rfcengine. This service implements the JCo RFC provider service within Java systems.

All functions implemented inside the corresponding bean could be executed without prior authentication. Functions such as addBundle, removeBundle and changeBundleConfiguration allow a caller to create new connections, or to remove or modify existing ones.

Creating a bundle that points to an attacker-controlled server makes it possible to start executing RFC functions directly on the vulnerable system. Furthermore, functions such as getConfiguration retrieve the information already configured inside the system. As part of that configuration, the password (if configured) is returned in plain text and can therefore be accessed anonymously by any third party able to communicate through P4.
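The missing-authorization pattern described above (CWE-862), shown beside a hardened form. This is an added, simplified model and not SAP's code: only the function names addBundle and getConfiguration come from the advisory, while the classes, the Caller record, the role name "rfc-admin" and the "passwd=" key are hypothetical.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

// Simplified model of CWE-862 in a remotely exposed service. Not SAP code:
// every type, the role "rfc-admin" and the "passwd=" key are hypothetical.
public class RfcEngineModel {
    // Identity the remoting layer attaches to a call; null means anonymous.
    record Caller(String user, Set<String> roles) {}

    // Flawed form: remote methods act without ever looking at the caller.
    static class UncheckedService {
        protected final Map<String, String> bundles = new HashMap<>();
        void addBundle(Caller c, String name, String config) { bundles.put(name, config); }
        String getConfiguration(Caller c, String name) { return bundles.get(name); }
    }

    // Hardened form: each entry point authorizes the caller before acting,
    // and the stored password is masked before the configuration is returned.
    static class CheckedService extends UncheckedService {
        private void require(Caller c) {
            if (c == null || !c.roles().contains("rfc-admin"))
                throw new SecurityException("caller not authorized");
        }
        @Override void addBundle(Caller c, String name, String config) {
            require(c);
            super.addBundle(c, name, config);
        }
        @Override String getConfiguration(Caller c, String name) {
            require(c);
            String cfg = super.getConfiguration(c, name);
            return cfg == null ? null : cfg.replaceAll("(?i)(passwd=)[^;]*", "$1***");
        }
    }

    public static void main(String[] args) {
        Caller admin = new Caller("admin", Set.of("rfc-admin"));
        // Constructed sample configuration string.
        String sample = "gwhost=gw.example.internal;user=RFCUSER;passwd=S3cret";
        UncheckedService weak = new UncheckedService();
        weak.addBundle(admin, "B1", sample);
        System.out.println("unchecked, anonymous: " + weak.getConfiguration(null, "B1"));
        CheckedService strong = new CheckedService();
        strong.addBundle(admin, "B1", sample);
        System.out.println("checked, admin: " + strong.getConfiguration(admin, "B1"));
        try { strong.getConfiguration(null, "B1"); }
        catch (SecurityException e) { System.out.println("checked, anonymous: " + e.getMessage()); }
    }
}
```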

Solution

SAP has released SAP Note 3268093 which provides patched versions of the affected components.

The patches can be downloaded from https://launchpad.support.sap.com/#/notes/3268093

Onapsis strongly recommends SAP customers to download the related security fixes and apply them to the affected components in order to reduce business risks.

Report Timeline

  • 10/28/2022: Vulnerability reported to vendor.
  • 10/31/2022: Vendor provides incident number.
  • 11/17/2022: SAP asked for clarification about CVSS vector.
  • 11/18/2022: Onapsis sends justification for each part of the vector that was challenged.
  • 01/10/2023: Patch released.

REFERENCES

Advisory Information

  • Public Release Date: TBD
  • Security Advisory ID: ONAPSIS-2023-0001
  • Researcher(s): Pablo Artuso

Vulnerability Information

  • Vendor: SAP
  • Affected Components:
    • Java Kernel versions:
      • 7.50.3301.472568.20220902101413
      • 7.50.3301.467525.20210601093523
      • 7.50.3301.407179.20200416085516
    • SERVERCORE/CORE-TOOLS/J2EE-FRMW components versions:
      • 1000.7.50.24.7.20221009183400
      • 1000.7.50.22.0.20210804111800
      • 1000.7.50.2.0.20160125191600

(Check SAP Note 3268093 for detailed information on affected releases)

  • Vulnerability Class: CWE-862: Missing Authorization
  • CVSS v3 score: 9.4 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L)
  • Risk Level: Critical
  • Assigned CVE: CVE-2023-0017
  • Vendor patch Information: SAP Security NOTE 3268093

ABOUT OUR RESEARCH LABS

Onapsis Research Labs provides the industry analysis of key security issues that impact mission-critical systems and applications.

Delivering frequent and timely security and compliance advisories with associated risk levels, Onapsis Research Labs combine in-depth knowledge and experience to deliver technical and business-context with sound security judgment to the broader information security community.

Find all reported vulnerabilities at https://github.com/Onapsis/vulnerability_advisories

This advisory is licensed under a Creative Commons 4.0 BY-ND International License
