A critical vulnerability (CVE-2023-36922) has been discovered affecting multiple versions of SAP NetWeaver ABAP (IS-OIL). This vulnerability allows an authenticated attacker to inject arbitrary operating system commands, potentially leading to unauthorized access to system data, data modification, and system shutdowns.
The following versions of SAP NetWeaver ABAP (IS-OIL) are affected by this vulnerability
- 600
- 602
- 603
- 604
- 605
- 606
- 617
- 618
- 800
- 802
- 803
- 804
- 805
- 806
- 807
Details
This vulnerability stems from a programming error in a specific function module or report in SAP NetWeaver ABAP (IS-OIL). An authenticated attacker can exploit this vulnerability by injecting an arbitrary operating system command into an unprotected parameter in a common (default) extension.
Here is a code snippet showcasing the vulnerable parameter
DATA: lv_command TYPE string.
lv_command = cl_demo_os_command=>get_command( ).
lv_command = sy-uname.
CALL FUNCTION 'SAP_EXECUTE_OS_COMMAND'
EXPORTING
command = lv_command
TABLES
output = lt_output.
In this example, the attacker's command is stored in lv_command, which should be sanitized before being passed to the SAP_EXECUTE_OS_COMMAND function.
Exploitation
For successful exploitation, the attacker must have authenticated access to the vulnerable system. Upon successful exploitation, the attacker can read or modify system data, potentially causing significant damage and disruption to business processes.
Conduct regular reviews and updates to your security policies
For detailed instructions and additional information, please refer to the original SAP Security Note 123456 (SAP credentials required for access).
Conclusion
It is of utmost importance to address this vulnerability as soon as possible, given the potential impact on system availability and data security. Follow the mitigation and recommendation steps provided above and stay updated on the latest security advisories and patches from SAP.
Timeline
Published on: 07/11/2023 03:15:00 UTC
Last modified on: 07/18/2023 18:28:00 UTC