SAP released new patches: 9 important and high-severity bugs

by Andreea Popa | August 12, 2021 | Cybersecurity News

SAP has issued 19 new and updated security patches, three of which carry its top “HotNews” rating and six of which are rated high priority. “HotNews” is the label SAP assigns to its most severe vulnerabilities. Two of this month’s HotNews entries, in SAP Business One and SAP NetWeaver Development Infrastructure, have a CVSS score of 9.9.

What does SAP stand for?

SAP, short for Systems, Applications and Products, is enterprise software that supports core business functions such as enterprise resource planning (ERP), product lifecycle management (PLM), customer relationship management (CRM), and supply chain management.

The three critical security bugs

CVE-2021-33698, an unrestricted file-upload vulnerability affecting SAP Business One, the German company’s business management software for small and medium-sized businesses, is one of the two flaws rated 9.9.

The flaw allows an attacker to upload arbitrary files, including malicious programs, to the server.

The only reason it did not receive the top CVSS score of 10 is that exploitation requires the attacker to hold a small set of authorizations, according to Thomas Fritsch, an SAP security researcher at enterprise security firm Onapsis.

Fritsch wrote in his Patch Tuesday post that there is a workaround for customers who cannot apply the necessary hotfix right away: “Simply deactivate the affected functionality,” he advised. As SAP always emphasizes, such a workaround is only a temporary remedy, not a long-term solution.

The second serious security flaw, CVE-2021-33690, is a server-side request forgery (SSRF) in a servlet of the Component Build Service of SAP NetWeaver Development Infrastructure (SAP NWDI).

The servlet was exposed to the outside web, “allowing attackers to perform proxy attacks by sending crafted queries,” according to Onapsis. Fritsch noted that SAP’s advisory cautions that the severity of the problem depends on whether customers run NWDI on the intranet only or expose it to the internet.

It is bad news for anyone who exposes it to the internet, because, according to SAP’s note, an attacker “could completely compromise sensitive data residing on the server, and impact its availability.”

The third HotNews weakness, CVE-2021-33701, is a SQL injection in the SAP NZDT (Near Zero Downtime Technology) service, which is used by S/4HANA and the DMIS mobile plug-in. It has a severity of 9.1 on the CVSS scale.

Fritsch explained:

“The tool is used by SAP’s corresponding NZDT service for time-optimized system upgrades and system conversions. When using the NZDT service, the maintenance is performed on a clone of the production system. All changes are recorded and transferred to the clone after the maintenance tasks are completed. During the final downtime, only a few activities are executed, including a switch of the production to the new system (clone).”

Customers that have enabled the Unified Connectivity (UCON) runtime check can apply the following workaround: do not assign the affected remote-enabled function module to any communication assembly in UCON.

The four high-severity bugs

Onapsis credited Yvan Genuer of the Onapsis Research Labs for working with SAP to fix four vulnerabilities in the SAP Enterprise Portal.

One of them was CVE-2021-33702, a CVSS 8.3 cross-site scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal caused by one of the portal’s servlets. The servlet fails to sanitize its input, which allows JavaScript to be injected into the corresponding web page; a victim who visits the affected servlet could have the injected script executed in their browser. The impact is significant, but successful exploitation would be “highly complex” and require user interaction, according to Fritsch, both of which lowered the CVSS score.

A second XSS vulnerability, CVE-2021-33703, was discovered in another servlet of SAP NetWeaver Enterprise Portal and is also rated CVSS 8.3, making it the second of the four high-priority patches.

CVE-2021-33705 is the third high-priority patch. It addresses a server-side request forgery (SSRF) flaw in one of SAP NetWeaver Enterprise Portal’s design-time components, which would allow an unauthenticated attacker to craft a malicious URL that, if a user clicked on it, would cause the server to send any request (a POST or GET, for example) to any internal or external server.

CVE-2021-33707, the fourth hole that Onapsis worked with SAP to close, was assigned a CVSS score of 6.1. A URL-redirection bug in SAP Knowledge Management allows remote attackers to “redirect users to arbitrary websites and conduct phishing attacks via a URL stored in a component.” Fritsch described a scenario in which attackers would be able “to compromise the user’s confidentiality and integrity.”

Other critical flaws addressed on Tuesday included an authentication issue affecting software systems accessed via a Web Dispatcher, a task hijacking issue in the Fiori Client mobile app for Android, and a missing authentication weakness in SAP Business One.

“The calm before the storm”

Given the nine critical and high-priority patches, Fritsch dubbed last month’s light SAP Patch Tuesday the “calm before the storm.” In fact, he claimed that Tuesday’s flood of new patches earned August the dubious distinction of being “the most noteworthy SAP Patch Day this year” for customers.

“The small group of SAP applications that are affected by a CVSS 9.9 vulnerability in 2021 is now extended with SAP Business One and SAP NetWeaver Development Infrastructure,” he said.

He issued a warning to SAP Enterprise Portal customers in particular, pointing to the four patches released for the application, three of which were rated high priority.

Vulnerabilities weaponized in less than 72 hours

A joint Onapsis and SAP threat report warned that “threat actors are active, capable, and widespread,” providing evidence of more than 300 automated exploitations leveraging seven SAP-specific attack vectors and 100+ hands-on-keyboard sessions from a diverse set of threat actors. In addition, the companies found “clear evidence of sophisticated domain knowledge, including the implementation of SAP patches post-compromise.”

According to Onapsis and SAP, adversaries were carrying out various attacks, including data theft, financial fraud, interruption of mission-critical business operations and other operational disruptions, and the distribution of ransomware and other malware.

by Andreea Popa

Content writer for Attack Simulator, delivering your daily dose of awareness for cyber security! I love to write passionately about any subject, and my main inspiration is people's stories. You can also find me on social media, for some more friendly things!
