Discovering and Patching SAP Vulnerabilities with Onapsis

⇨ Onapsis recently highlighted two significant potential security gaps that organizations should be aware of.

⇨ RFC and ICM vulnerabilities are essential to many SAP solutions, but have gaps in their security that need to be patched.

⇨ Organizations should quickly determine if they are affected and enact necessary fixes.

Cybersecurity remains the top priority for GRC teams in the SAP community. According to SAPinsider’s 2023 GRC State of the Market research report, 50% of survey respondents plan to make significant investments in cybersecurity solutions in 2023. This is the top area of investment planned by a significant margin. Cybersecurity threats are pervasive and constantly evolving. New technologies come with unforeseen vulnerabilities that malicious actors can exploit. This can lead to significant financial and reputational harm that enterprises may take years to recover from.

Fortunately, companies do not have to contend with these vulnerabilities alone. Cybersecurity leader Onapsis recently highlighted two significant potential security gaps that organizations should be aware of, offering potential solutions for how to ensure that these gaps are patched and will no longer be vulnerable to exploitation from malicious actors.

RFC Vulnerabilities

Roll Function Call, or RFC, is a communication protocol that is necessary for each system that relies on the SAP Application Server for ABAP. This makes it a target of significant interest for attackers who aim to target business-critical portions of the SAP landscape.

Onapsis CEO and co-founder Mariano Nuñez is credited with first bringing RFC vulnerabilities to the wider attention of the SAP security and research communities. In 2007, he delivered a talk in at Black Hat Europe in 2007 that highlighted vulnerabilities of the RFC protocol.

Building on the work of Nuñez, security researcher Fabian Hagg recently published a white paper offering details on four potential RFC protocol vulnerabilities. They are:

• CVE-2023-0014 (SAP Security Note 3089413)
• CVE-2021-27610 (SAP Security Note 3007182)
• CVE-2021-33677 (SAP Security Note 3044754)
• CVE-2021-33684 (SAP Security Note 3032624)

These vulnerabilities have CVSS scores ranging from medium to critical. Security teams should evaluate their systems to see if they are at risk. Onapsis recommends that enterprises patch the SAP Kernel and upgrade the SAP_BASIS software component. Organizations can use the Onapsis Assess solution to determine if the associated SAP Security Notes are relevant to their needs and whether they have been applied since the notes were published.

ICM Vulnerabilities

Onapsis wrote a report publicizing vulnerabilities affecting the SAP Internet Communications Manager (ICM). The two new vulnerabilities have high criticality CVSS scores, based on the fact that they open users up to denial of service and theft. Malicious actors are able to get into vulnerable HTTP servers via remote access and without authentication.

Onapsis Research Labs initially reported these vulnerabilities to SAP. They were included in the July 2023 patches released by SAP. Organizations should quickly determine if they are affected and enact necessary fixes, as most SAP products rely on SAP ICM. Fortunately, Onapsis Research Labs said it “has not yet detected active exploitation.”

However, there is a high likelihood of threat activity within the coming days, as this type of elevated activity typically occurs in the week following the release of a patch. Like the RFC communication protocols, ICM is a critical piece of the SAP technology stack, as it connects SAP applications to the internet. It is worth noting that these vulnerabilities affect the HTTP/2 implementation of the ICM, so applications that are not HTTP/2 enabled are not vulnerable to these threats.

For continued updates on how to secure their business-critical SAP applications, GRC teams can visit the Onapsis blog.