[ESNC-2013-004] Remote ABAP Code Injection in OpenText/IXOS ECM for SAP NetWeaver Please refer to http://www.esnc.de for the original security advisory, updates and additional information. ------------------------------------------------------------------------ 1. Business Impact ------------------------------------------------------------------------ This vulnerability allows injection of ABAP code to the remote SAP system. In SAP security, this is the equivalent of getting an ultra-reliable ring 0 exploit which works through the network and never crashes. By exploiting this vulnerability an attacker can e.g. inject code which saves the passwords of all connecting SAP GUI users in a remote file, steal or change sensitive data such as HR salary information, execute bank transactions and transfer money, or simply plant an SAP backdoor for accessing the system later. The attacker can also manipulate or corrupt ABAP programs shipped by SAP and make the system inoperable. Risk Level: High ------------------------------------------------------------------------ 2. Advisory Information ------------------------------------------------------------------------ -- ESNC Security Advisory ID: ESNC-2013-004 -- CVE ID: CVE-2013-3243 -- Original security advisory: http://www.esnc.de/sap-security-audit-and-scan-services/security-advisories/57-esnc-2013-004-remote-abap-code-injection-in-opentext-ixos-ecm-suite-for-sap-netweaver -- Reporting Date: 15.09.2012 -- Vendor Patch Date: 16.11.2012 -- Public Advisory Date: 24.04.2013 -- Researcher: Ertunga Arsal ------------------------------------------------------------------------ 3. Vulnerability Information ------------------------------------------------------------------------ -- Vendor: OpenText/IXOS -- Affected Components: ECM Suite - Doculink -- Affected Versions: Please consult the vendor -- Vulnerability Class: Remote ABAP Injection -- CVSS v2 score: 8.5 (AV:N/AC:M/AU:S/C:C/I:C/A:C) -- Remotely Exploitable: Yes -- Authentication Required: Yes -- Additional Notes: Since we have seen this component at every customer we visited to date, we believe this security issue affects many enterprises running SAP. An exploit for this vulnerability is available in ESNC Penetration Testing Suite. ------------------------------------------------------------------------ 4. Vulnerability Timeline ------------------------------------------------------------------------ 15.09.2012 Informing the vendor about the discovery of a critical security issue and asking for a contact person to discuss the matter. 24.09.2012 Second attempt. This time to product support. A message came confirming a ticket is opened and they will respond within 4 hours. 06.10.2012 Still no response. We summon a major enterprise customer of ours, which is also a customer of OpenText, for escalation. 25.10.2012 Key account manager from OpenText calls the customer and mentions they are still in clarification about the topic. 04.11.2012 Day 50. Humans still haven't noticed they did not ask any details about the vulnerability yet. 07.11.2012 OpenText asks information about the vulnerability. 16.11.2012 OpenText releases a correction. Correction basicly tells to change the type of the vulnerable function from remote to local 04.12.2012 Telco about why this is a bad idea. 06.12.2012 OpenText informs us that they are implementing additonal measures. 18.01.2013 OpenText informs us that they want to close the ticket. ------------------------------------------------------------------------ 5. Solution ------------------------------------------------------------------------ The vendor's fix can be found in http://mimage.opentext.com/support/ecm/secure/patches/oneoffs/eccn-1351/llsaps-3271.zip. Please consult the vendor for more accurate information and necessary steps. To prevent this and similar flaws, customers can use ESNC Code Security for scanning their own ABAP code or for assessing the security of external add-ons installed on their SAP systems. ------------------------------------------------------------------------ About ESNC ------------------------------------------------------------------------ ESNC GmbH, Germany is specialized in SAP security audit, SAP penetration testing, ABAP security review and SAP vulnerability assessment services. It's flagship product ESNC Security Suite is used by many large enterprises for vulnerability scanning their SAP ABAP and Java AS systems, running ABAP code security reviews, enforcing security baselines and SAP security monitoring. For more information about our products and services, please visit our web page at http://www.esnc.de