Unauthenticated SQL Injection and DoS in SearchFacade P4 service

Impact On Business

An unauthenticated attacker with network access to the P4 port of a Java-based SAP system would be able to read any table in the database, modify sensitive information and/or cause a Denial of Service against the targeted system. As a consequence, sensitive information could be leaked, allowing even an anonymous external attacker to escalate from a partial compromise to a full compromise of the system.

This vulnerability is part of a larger family of bugs named P4CHAINS. Chained together, these bugs can have more serious consequences and expose systems to worse scenarios. For more information please visit: https://onapsis.com/blog/p4chains-vulnerabilities-where-the-risk-from-the-whole-is-greater-than-the-sum

Affected Components Description

Process Integration / Process Orchestration is based on the exchange of PI messages in order to carry out its main tasks. This messaging framework is implemented in the MESSAGING SYSTEM SERVICE.

Vulnerability Details

P4 is a proprietary protocol implemented by SAP in the NetWeaver Java stack. In a nutshell, it is based on RMI and CORBA technologies and provides features for exchanging objects remotely. Through the P4 interface it is possible to access a number of exposed services, all of which are implemented using JavaBeans technology.

Among those services, SearchFacade was found. This service appears to implement functionality related to indexes and component profiles, executing modify, add and delete actions against database tables. The interface the object implemented exposed several functions, all accessible without authentication.

By analyzing these exposed functions it was possible to find injection points where user-controlled data is appended to SQL statements without prior sanitization. Additionally, another function accepts parameters that can make the same services hang, causing a partial DoS.
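The following is an added illustration of the bug class described above, not code from SearchFacade, SAP or Onapsis. It uses Python's sqlite3 as a stand-in for the Java/JDBC database layer of the real service; the table names, columns, the search_index_* functions and the sample rows are all constructed for the example. The vulnerable variant concatenates an attacker-controlled value into the statement, which lets a UNION payload read rows from an unrelated table; the fixed variant binds the value as a parameter (the equivalent of a JDBC PreparedStatement), so the same payload is treated as a literal string and matches nothing.

```python
"""Unsanitized string concatenation into SQL versus a bound parameter.

Hypothetical schema and function names; sqlite3 stands in for JDBC.
"""
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample data: the index table the service is meant to
    query, plus an unrelated table holding sensitive values."""
    conn = sqlite3.connect(":memory:")
    cur = conn.cursor()
    cur.execute("CREATE TABLE component_index (name TEXT, profile TEXT)")
    cur.execute("CREATE TABLE secrets (owner TEXT, value TEXT)")
    cur.executemany("INSERT INTO component_index VALUES (?, ?)",
                    [("adapter_a", "default"), ("adapter_b", "custom")])
    cur.executemany("INSERT INTO secrets VALUES (?, ?)",
                    [("admin", "S3cr3t!"), ("svc", "hunter2")])
    conn.commit()
    return conn


def search_index_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Attacker-controlled `name` is appended to the statement verbatim,
    so quote characters and SQL keywords in it become part of the query."""
    sql = ("SELECT name, profile FROM component_index WHERE name = '"
           + name + "'")
    return conn.execute(sql).fetchall()


def search_index_fixed(conn: sqlite3.Connection, name: str) -> list:
    """Same query with a bound parameter: the driver sends `name` as data,
    never as SQL text, so the payload cannot change the statement."""
    sql = "SELECT name, profile FROM component_index WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# Constructed UNION payload: closes the string literal, appends a second
# SELECT over a different table, and comments out the trailing quote.
PAYLOAD = "x' UNION SELECT owner, value FROM secrets --"


def demo() -> tuple:
    """Run the same payload through both variants and return both results."""
    conn = build_db()
    leaked = search_index_vulnerable(conn, PAYLOAD)
    safe = search_index_fixed(conn, PAYLOAD)
    return leaked, safe


if __name__ == "__main__":
    leaked_rows, safe_rows = demo()
    print("vulnerable:", leaked_rows)
    print("fixed:     ", safe_rows)
```

Any database-backed function reachable over P4 without authentication should be audited for the first pattern; the fix in the patched components is expected to be of the second kind, but the advisory does not describe SAP's implementation.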

Solution

SAP has released SAP Note 3273480 which provides patched versions of the affected components.

The patches can be downloaded from https://launchpad.support.sap.com/#/notes/3273480

Onapsis strongly recommends that SAP customers download the related security fixes and apply them to the affected components in order to reduce business risk.

Report Timeline

  • 10/28/2022: Vulnerability reported to vendor.
  • 10/31/2022: Vendor provided incident number.
  • 11/03/2022: SAP asked for clarification about CVSS vector.
  • 11/03/2022: Onapsis sent justification for each part of the vector that was challenged.
  • 11/07/2022: SAP asked for further clarification about CVSS vector.
  • 11/16/2022: Onapsis replied with more justification about the CVSS.
  • 12/13/2022: Patch released.

REFERENCES

Advisory Information

  • Public Release Date: 10/30/2023
  • Security Advisory ID: ONAPSIS-2023-0004
  • Researcher(s): Pablo Artuso

Vulnerability Information

  • Vendor: SAP
  • Affected Components:
    • Java Kernel versions:
      • 7.50.3301.472568.20220902101413
      • 7.50.3301.467525.20210601093523
      • 7.50.3301.407179.20200416085516
    • MESSAGING versions:
      • 1000.7.50.24.7.20221009183400
      • 1000.7.50.22.0.20210804111800
      • 1000.7.50.2.0.20160125191600

(Check SAP Note 3273480 for detailed information on affected releases)

  • Vulnerability Class:
    • CWE-862: Missing Authorization
    • CWE-306: Missing Authentication for Critical Function
    • CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
  • CVSS v3 score: 9.9 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L)
  • Risk Level: Critical
  • Assigned CVE: CVE-2022-41272
  • Vendor patch Information: SAP Security NOTE 3273480

ABOUT OUR RESEARCH LABS

Onapsis Research Labs provides the industry with analysis of key security issues that impact mission-critical systems and applications.

Delivering frequent and timely security and compliance advisories with associated risk levels, Onapsis Research Labs combines in-depth knowledge and experience to deliver technical and business context with sound security judgment to the broader information security community.

Find all reported vulnerabilities at https://github.com/Onapsis/vulnerability_advisories

This advisory is licensed under a Creative Commons 4.0 BY-ND International License
