SAP security updates in March and missing authorization vulnerabilities
SAP has released monthly critical patch update for March 2012. This patch update closes numerous vulnerabilities in SAP products. Overall, more than 40 vulnerabilities were fixed, including 7 found by third-party researchers. Also, this month, 2 vulnerabilities found by ERPScan researchers Dmitriy Chastukhin and Alexey Tyurin were closed.
I would like to tell you more about the corrected vulnerabilities and the risks that they involve.
- (1607850) SAP BW – critical information disclosure. No details are available. Criticality, according to CVSS, is 7.5.
- (1580244) SAP BASIS – missing authorization check in an RFC function. Criticality, according to CVSS, is 3.5.
- (1656549) SAP Portal – XSS vulnerability. An attacker can use the XSS vulnerability by sending a link to malicious script to an unaware user via an e-mail, messaging or social networks. Thus, an attacker can gain access to user session and gain control over business-critical information which can be accessed by victim. Criticality, according to CVSS, is 4.3.
- (1657891) SAP BASIS – missing authorization checks in RFC function. Criticality, according to CVSS, is 2.3. An attacker can execute vulnerable transaction, program or RFC function remotely without authentication because authorization check is missing. It can lead to different threats from information disclosure to full system compromise.
- (1591427) SAP BASIS – XSS vulnerability. Criticality, according to CVSS, is 4.3.
- (1658947) SAP Portal – information disclosure. Criticality, according to CVSS, is 4.0.
- (1600755) SAP HR – ABAP code injection through missing input validity checks. Criticality, according to CVSS, is 6.0.
Today I will tell you about one of the most popular vulnerabilities, namely the missing authorization checks in RFC functions.
Overall, it is one of the most popular and most easily understandable types of vulnerabilities. Think about some RFC function which fulfills some critical action in the system; call it, for example, Z_RFCEXPLOIT (actually, the same applies to reports and transactions). The vulnerability is in the missing user authorization check (AUTHORITY-CHECK) in its code. In practice, it means that the Z_RFCEXPLOIT function can be called by any user, provided that he or she has sufficient privileges to call RFC functions at all.
There are 3 basic ways to call an RFC function.
- In the dialog mode, using the SE37 transaction. Privileged users usually have the rights for this kind of transaction though exceptions certainly exist.
- Through remote call by RFC protocol. In this case, apart from authorization check for RFC function per se, system also checks that user has the right to access the RFC functions group (S_RFC authorization, FUGR field). This mitigates the risk of attack, but the risk remains in the case of high privileged accounts with default passwords, like SAP*, DDIC, EARLYWATCH, TMSADM or SAPCPIC. It is notable that the last two accounts are found in % 95 of the systems we analyze, so the chances of attack are pretty high.
- Though remote call by WEBRFC. It is commonly known that RFC commands can be called remotely through web interface located on the web port of SAP NetWeaver ABAP application server (relative address: /sap/bc/soap/rfc). What is specific about this method is that, first, in many organizations web interface is accessible through the Internet, and second, group authorization is not checked when calling an RFC function through this interface, which allows any user to make vulnerable RFC calls.
Thus, vulnerabilities connected with missing authorization should not be underestimated because they are easily exploited and do not require special privileges in the system. Taking into account that there are about 2 million RFC functions in SAP, such vulnerabilities will constantly reappear in SAP products, as well as in self-developed code whose security should be thoroughly cared about.
PS: According to ERPScan’s agreement with SAP we do not publish details of vulnerabilities until 3 months since update is released to give organizations time to install the patch.