SAP Stomps Out Critical RCE Flaw in Manufacturing Software

Cyber Security News

The remote code execution flaw could allow attackers to deploy malware, modify network configurations and view databases.

Enterprise software giant SAP pushed out fixes for a critical-severity vulnerability in its real-time data monitoring software for manufacturing operations. If exploited, the flaw could allow an attacker to access SAP databases, infect end users with malware and modify network configurations.

The critical-bug fix was part of 18 security patches released by SAP addressing new vulnerabilities and updating previously released patches.

The two most critical fixes, which are newly released as part of the security update, included the vulnerability in SAP’s Manufacturing Integration and Intelligence (MII) application for synchronizing manufacturing operations, as well as one in SAP’s NetWeaver AS Java software stack.

“With 18 new and updated SAP Security Notes, SAP’s March Patch Day is slightly below the average amount of patches released in the first two months in 2021,” said researchers with Onapsis in a Wednesday analysis. “With SAP MII, SAP NetWeaver AS Java and SAP HANA, three different applications are affected this time by critical vulnerabilities (HotNews and High Priority).”

SAP MII Security Flaw: Remote Code Execution

The vulnerability in SAP MII (CVE-2021-21480) is a code injection vulnerability, in which code is inserted into the language of a targeted application and executed by the server-side interpreter. The flaw has a CVSS score of 9.9 out of 10. Versions 15.1, 15.2, 15.3 and 15.4 are affected, according to SAP.

SAP MII is a NetWeaver AS Java-based platform, which allows for real-time monitoring of production and data analysis for insights into performance efficiency.

The flaw stems from a component of SAP MII called Self-Service Composition Environment (SSCE), which is utilized to design dashboards for real-time data analysis. These dashboards can be saved as a Java Server Pages (JSP) file. However, an attacker can remotely intercept a JSP request to the server, inject it with malicious code, and then forward it to the server.

“When such an infected dashboard is opened in production by a user having a minimum of authorizations, the malicious content gets executed, leading to remote code execution in the server,” said Onapsis researchers.

That could lead to various malicious attacks, including access to SAP databases and the ability to read, modify or erase records; pivoting to other servers; infecting end users with malware and modifying network configurations to potentially affect internal networks.

Researchers strongly recommends applying the corresponding patch as soon as possible.

“The patch will prevent dashboards from being saved as JSP files,” said Onapsis researchers. “Unfortunately, there is no more flexible solution available. If JSP files are required, customers should restrict access to the SSCE as much as possible and validate any JSP content manually before moving it to production.”

SAP NetWeaver AS Java Flaw

Another serious flaw exists in SAP NetWeaver AS Java, versions 7.10, 7.11, 7.30, 7.31, 7.40 and 7.50. Specifically the MigrationService component is affected in that it lacks authorization checks.

This flaw (CVE-2021-21481) ranks 9.6 on the CVSS scale, making it critical severity.

SAP NetWeaver AS Java is typically used internally for migrating applications between major releases for the AS Java engine.

“The missing authorization check might allow an unauthorized attacker to gain administrative privileges,” said researchers. “This could result in complete compromise of the system’s confidentiality, integrity and availability.”

Other Serious SAP Security Flaws

Beyond these two serious flaws, SAP also fixed an authentication bypass (CVE-2021-21484) in SAP HANA (Version 2.0). It also made updates to two previous security updates – including a missing authentication check in SAP Solution Manager (from a security note released in March 2020) and a security update for Google Chromium (from a security noted released on April 2018). SAP did not give further details on the updates for these security notes.

The fixes come after a February security update by SAP fixing a critical vulnerability in its Commerce platform for e-commerce businesses. If exploited, the flaw could allow for remote code execution that ultimately could compromise or disrupt the application.

The fixes also come during a busy Patch Tuesday week. Microsoft’s regularly scheduled March Patch Tuesday updates addressed 89 security vulnerabilities overall, including 14 critical flaws and 75 important-severity flaws.

Also released on Tuesday were Adobe’s security updates, addressing a cache of critical flaws, which, if exploited, could allow for arbitrary code execution on vulnerable Windows systems.