Authentication Bypass Vulnerability Affecting All SAP Kernel (ABAP) Releases in Maintenance

news vulnerability

On Patch Tuesday June 2021, SAP SE released Security Note 3007182 [1] that addresses a serious design flaw discovered and reported by SEC Consult security researcher Fabian Hagg. CVE-2021-27610 [2] holds a CVSSv3 score of 9.0 and covers an authentication bypass vulnerability in the SAP kernel.

SAP Vulnerability

SAP® NetWeaver Application Server ABAP and its successor ABAP® Platform are the technological foundations of business-critical data processing by various enterprise applications. This includes but is not limited to some of the most popular solutions such as SAP® ERP (ECC), SAP® S/4HANA, SAP® Business Suite or SAP® Solution Manager. Most of these products are used by tens of thousands of customers worldwide.

While the business and industry specific software is implemented in the high-level programming language ABAP, a set of precompiled executables (disp+work, gwrd, icman, etc.) and shared libraries, mainly written in C/C++, are referred to as the fundamental kernel of the application server. Forming the backbone of an SAP system, this core component serves a customizable infrastructure and runtime environment for the business software stack. Different interface components, provided by the kernel, allow for client-to-server and server-to-server communications. In large organizations, IT networks typically contain dozens of distributed SAP solutions that together represent a highly interactive system landscape. Generally, when it comes to interconnectivity in SAP system landscapes, Remote Function Call (RFC) is one of the principal communication protocols used.

The reported flaw was identified in the server-side implementation of the proprietary RFC protocol. Remote attackers capable of crafting special requests may exploit this vulnerability to claim a given identity that causes an authentication bypass in the SAP kernel. In the worst-case scenario, this results in highly privileged system access ultimately giving attackers full control of targeted application servers. As soon as we confirmed this, we contacted the SAP Product Security Response Team. In general, design flaws are often more labor intensive to fix than coding bugs. That's why we would like to underline the professional handling by the security engineers and developers involved in eliminating this vulnerability. The patch is included in new kernel versions delivered via SP Stack Kernel/hotfix and ABAP core corrections. By the release date, we were not able to test the patch.

Given that Security Note 3007182 covers correction instructions for basically all kernel releases in maintenance, we assume that the flaw has been hiding in plain sight for many years. We highly encourage SAP customers and administrators to review and apply the correction instructions even if this requires a temporary downtime of affected servers. We recommend considering Internet-facing instances and systems transmitting data across network trust boundaries as a matter of priority.

If immediate patching is not an option, unfortunately there are no workarounds available. Nevertheless, actions need to be taken to reduce the risk of an attack in that case. We advise to fully enforce cryptographically secure communication channels via Secure Network Communication (SNC) using at least mutual authentication. Furthermore, network-wise access (RFC, HTTP) must be configured as restrictive as possible. That is, we would like to take this opportunity to draw attention to the importance of adhering to general security precautions. For the attack surface that arises with the RFC technology, the Securing Remote Function Calls [4] whitepaper published by SAP in 2014 summarizes further long-term measures to be considered – yet the available patches need to be installed in all cases.

In the course of responsible disclosure, we will not share any technical details about the vulnerability at this moment.

Title Improper Authentication in SAP NetWeaver ABAP Server and ABAP Platform
Type Authentication Bypass
CVE ID CVE-2021-27610
CVSSv3 vector AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
CVSSv3 score 9.0
Product SAP NetWeaver Application Server ABAP and ABAP Platform
Versions 700,701,702,731,740,750,751,752,753,754,755,804
Available Patches https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999
  https://launchpad.support.sap.com/#/notes/3007182
Acknowledgement https://wiki.scn.sap.com/wiki/display/PSR/Acknowledgments+to+Security+Researchers