Software giant SAP has released June 2021 Security Patch Day that includes 20 separate security advisories and patches. One of the patches fixes a Critical vulnerability in SAP NetWeaver AS ABAP and ABAP Platform.
The SAP updates include two ‘Hot News Notes’ and four ‘High Priority Notes.’
One of the HotNews Notes addressed an Improper Authentication vulnerability CVE-2021-27610 in the SAP NetWeaver AS ABAP and ABAP Platform.
According to Onapsis, an ABAP server could not always correctly identify whether RFC or HTTP communications between the app servers were from the same SAP server or from other systems.
“This enabled a malicious user to abuse stolen credentials from an internal communication between two servers of the same system for external RFC or HTTP calls. The credential data could be used to establish an own connection between a malicious external program and the affected SAP system pretending to be an internal caller,” Thomas Fritsch of Onapsis wrote in a blog post.
The break down of the six Critical or High rated advisories include:
CVE Title | Priority | CVSS |
1) Update to Security Note Released on April 2021 Patch Day: CVE-2021-27602: Remote Code Execution vulnerability in Source Rules of SAP Commerce | Hot News | 9.9 |
2) CVE-2021-27610: Improper Authentication in SAP NetWeaver ABAP Server and ABAP Platform | Hot News | 9 |
3) CVE-2021-27635: Missing XML Validation in SAP NetWeaver AS for JAVA | High | 8.7 |
4) CVE-2021-27606, CVE-2021-27629, CVE-2021-27630, CVE-2021-27631, CVE-2021-27632: Memory Corruption vulnerability in SAP NetWeaver ABAP Server and ABAP Platform | High | 7.5 |
5) CVE-2021-27597, CVE-2021-27633, CVE-2021-27634: Memory Corruption vulnerability in SAP NetWeaver ABAP Server and ABAP Platform | High | 7.5 |
6) CVE-2021-27607, CVE-2021-27628: Memory Corruption vulnerability in SAP NetWeaver ABAP Server and ABAP Platform | High | 7.5 |
Moreover, SAP also addressed multiple other Medium severity vulnerabilities.
Previous SAP cyberattacks
Readers may recall recent warnings by Onapsis of cyberattacks against vulnerable SAP systems earlier this year.
One of those exploited vulnerabilities dubbed RECON (CVE-2020-6287) was previously patched in July 2020 and affected SAP NetWeaver AS for Java component, which missed an authentication check. As a result, hackers could create administrative users and change configurations on affected SAP systems.
Onapsis also released key findings on SAP cyberthreats to be aware of:
- Threat actors are “active, capable and widespread” (e.g., evidence of more than 300 automated exploitations that leverage seven SAP-specific attack vectors and more than 100 hands-on-keyboard sessions).
- Window to patch is small (e.g., actors weaponize critical SAP vulnerabilities in 72 hours and can compromise newly provisioned, unprotected SAP apps in cloud (IaaS) environments in less than 3 hours).
- Exploitation can lead to full control of unsecured SAP applications and lead to severe security and compliance impact.