As part of our daily research tasks in CORE's Security Consulting Services, we strive to continuously improve our knowledge of specific technologies and attack methods. In alignment with previously released advisories and publications, I wanted to share some details about one of the discoveries made in conjunction with Francisco Falcon, a member of CORE’s Exploit Writing Team. These findings were included in a CORE Labs Advisory, published earlier this week.
One of many default installation services available on every SAP NetWeaver Application Server is called Message Server. This service primarily performs two functions. First, this service manages the communication between the different components running on the application server. Secondly, it provides application-level load-balancing for the clients connecting to the SAP system.
Since the network protocol used by the service is proprietary and its documentation isn't publicly available, our research included playing with network packets to learn some details of the protocol. The research was fruitful and some of the results included the security advisory published following our responsible disclosure policy, which was fixed by SAP.
Technical Details Regarding SAP Netweaver Message Server Vulnerabilities
This vulnerability can be triggered in the service by sending a specially crafted network packet to the Message Server. The application then fails at validating the information sent by the client, resulting in a memory corruption issue. Successful exploitation of this issue can be used to grant administrative privileges to the attacker's connections, thus allowing the attacker to change the service's parameters, or to overwrite function pointers, which could ultimately lead to unauthenticated remote code execution.
An unauthenticated user can send malformed administrative messages to the server and this can crash the application, leaving the service unavailable.
What is the Business Risk?
These vulnerabilities represent many potential risks. These vulnerabilities may allow for financial fraud, the theft of critical business information or system sabotage. Given the characteristics of the Message Server service, the service's port must be accessible for any SAP GUI user. This requirement of availability increases the attack surface, as any attacker who can access this port could take advantage of these vulnerabilities to execute remote code or render the service unavailable to legitimate users, without requiring any valid credentials.
It is important to note that the standard recommendations to secure the Message Server service aren't enough to stop these attacks. Disabling the service’s “monitor mode”, decoupling Message Server’s external/internal ports or implementing Access Control Lists will not prevent the potential exploitation of this vulnerability.
How you can Mitigate Risk
A fix is available in SAP security note 1800603. Additionally, we encourage SAP administrators to consider disabling the load-balancing capabilities and restricting network access to the Message Server service's ports. Access to TCP ports 36NN/39NN should only be allowed to the required application servers until all servers are fully patched.
This blogpost was originally written by Martin Gallo. Additional comments added by Francisco Falcon.