Almost all SAP Netweaver versions natively support SMTP (Simple Mail Transfer Protocol), which enables e-mail exchange between the SAP system and other mail servers without using external components. Both outbound and inbound processing are possible. This means that an SAP Netweaver system can receive mail from outside and process attachments automatically.
A vulnerability was found by Joris van de Vis in the SAP class CL_UWS_FORM_RUNTIME_MAIL, where the workload “does not sufficiently validate document accepted from an untrusted source” (source: SAP Note 2308217). It leads to several impacts, such as arbitrary file retrieval or denial of service.
How to check if you are vulnerable?
For an attacker to exploit this vulnerability, some prerequisites must be enabled on the target. Below are the verifications you need to perform on your system to know whether you are vulnerable to this threat.
SAP_ABA version?
The correction is provided for each SAP_ABA software component version in the following support package numbers. Below these levels, the SAP system has the security bug.
75A – SAPK-75A03INSAPABA
750 – SAPK-75003INSAPABA
740 – SAPKA74015
731 – SAPKA73118
730 – SAPKA73015
720 – ALL SUPP. PACKAGES
711 – SAPKA71115
702 – SAPKA70218
701 – SAPKA70118
700 – SAPKA70033
SMTP activated?
Navigate to transaction smicm / Goto / Services, then check whether the entry ‘smtp’ exists and is enabled.
Inbound mail processing?
Check whether you perform any inbound mail processing, with transaction scot / Settings / Inbound Messages / Inbound Processing. Then verify whether the CL_UWS_FORM_RUNTIME_MAIL class is used in your configuration list.
SMTP service remotely accessible?
Is your SAP SMTP service, as configured in smicm, reachable remotely?
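As an added helper for the checks above (example code written for this post, not an SAP tool), the script below encodes the support package table, parses an installed SAP_ABA package name in either naming scheme found in that table, and combines the result with the three SMTP prerequisites. The package name formats are assumed from the table; function and variable names are my own.

```python
import re

# Fix levels from SAP Note 2308217 as listed in the post: SAP_ABA release ->
# first support package that carries the correction (None: no corrected
# support package is listed for that release, as for 720).
FIX_LEVELS = {
    "75A": "SAPK-75A03INSAPABA",
    "750": "SAPK-75003INSAPABA",
    "740": "SAPKA74015",
    "731": "SAPKA73118",
    "730": "SAPKA73015",
    "720": None,
    "711": "SAPKA71115",
    "702": "SAPKA70218",
    "701": "SAPKA70118",
    "700": "SAPKA70033",
}

# Two naming schemes appear in the table: SAPKA<rel><sp> and
# SAPK-<rel><sp>INSAPABA; both carry a 3-char release and a 2-digit SP level.
_SP_PATTERNS = (
    re.compile(r"^SAPKA(?P<rel>[0-9A-Z]{3})(?P<sp>\d{2})$"),
    re.compile(r"^SAPK-(?P<rel>[0-9A-Z]{3})(?P<sp>\d{2})INSAPABA$"),
)

def parse_sp(name):
    """Return (release, sp_level) from a SAP_ABA support package name."""
    for pat in _SP_PATTERNS:
        m = pat.match(name.strip().upper())
        if m:
            return m.group("rel"), int(m.group("sp"))
    raise ValueError(f"unrecognised SAP_ABA support package name: {name!r}")

def needs_note_2308217(installed_sp):
    """True if the installed SAP_ABA level is below the correction level."""
    release, level = parse_sp(installed_sp)
    if release not in FIX_LEVELS:
        raise ValueError(f"release {release} is not covered by the note")
    fix = FIX_LEVELS[release]
    if fix is None:
        return True  # no corrected support package: treat as affected
    return level < parse_sp(fix)[1]

def exposure(installed_sp, smtp_enabled, inbound_uses_class, smtp_reachable):
    """Combine the post's four checks: the bug is reachable only when the
    code is unpatched AND every SMTP prerequisite holds."""
    if not needs_note_2308217(installed_sp):
        return "patched"
    if smtp_enabled and inbound_uses_class and smtp_reachable:
        return "exposed"
    return "unpatched, prerequisites not met"
```

Feed it the SAP_ABA package name from the system status screen and the answers to the smicm and scot checks; "exposed" means all four conditions from this section hold.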
DDoS Attack PoC
What if an attacker crashes your SAP system during the monthly closing for hours or days? Denial of service is one of the most important risks for an SAP system, and also one of the easiest ways to exploit this kind of bug.
- From the attacker's machine, just send a tiny mail with a malicious attachment
- A few seconds later, memory consumption shoots up and the SAP system freezes
And it could be scripted to send this mail every half hour or so.
The DDoS affects all OS types, but if the SAP system runs on Windows it is also possible to use this vulnerability to retrieve the NTLM hash of the SAPserviceSID user, the owner of the SAP services, by sending another crafted mail with a malicious attachment.
Normally, replaying the login isn't possible with this user (the option ‘Allow log on locally’ is disabled). But, as Joris highlighted during the last Troopers conference, sometimes you can crack it and re-use it…
This is because SAP administrators generally don't change this password regularly, and it is common to find it set to the “SAP master password” chosen during installation. So testing this password on the OS users sidadm and sapadm, or on the SAP users SAP*, DDIC, etc., could work.
Remediation and conclusion
Below are initial recommendations to mitigate this risk:
- Disable the SMTP service on the SAP system if you don't use it.
- Restrict network access to the SMTP service.
- Patch your SAP system following security notes 2308217 and 1712860.
- Change the password of the SAPserviceSID OS user so that it does not match the SAP master password.
You’ve got mail – Joris van de Vis – Troopers 2017
smbrelayx – Alberto Solino – Core Security
Configuring SAP SMTP Service – Tobias Hofmann – SAP Blog
SAP Note 455140 – Configuration of e-mail, fax, paging/SMS via SMTP
SAP Note 2308217 – Missing XML Validation vulnerability in Web-Survey
SAP Note 1712860 – iXML: Protection against attacks via a DTD