CVE-2023-36922 - Unauthorized Command Injection in SAP NetWeaver ABAP (IS-OIL) due to Programming Error

A critical vulnerability (CVE-2023-36922) has been discovered affecting multiple versions of SAP NetWeaver ABAP (IS-OIL). This vulnerability allows an authenticated attacker to inject arbitrary operating system commands, potentially leading to unauthorized access to system data, data modification, and system shutdowns.

The following versions of SAP NetWeaver ABAP (IS-OIL) are affected by this vulnerability

- 600
- 602
- 603
- 604
- 605
- 606
- 617
- 618
- 800
- 802
- 803
- 804
- 805
- 806
- 807

Details

This vulnerability stems from a programming error in a specific function module or report in SAP NetWeaver ABAP (IS-OIL). An authenticated attacker can exploit this vulnerability by injecting an arbitrary operating system command into an unprotected parameter in a common (default) extension.

Here is a code snippet showcasing the vulnerable parameter

DATA: lv_command TYPE string.

lv_command = cl_demo_os_command=>get_command( ).
lv_command = sy-uname.

CALL FUNCTION 'SAP_EXECUTE_OS_COMMAND'
  EXPORTING
    command = lv_command
  TABLES
    output  = lt_output.

In this example, the attacker's command is stored in lv_command, which should be sanitized before being passed to the SAP_EXECUTE_OS_COMMAND function.

Exploitation

For successful exploitation, the attacker must have authenticated access to the vulnerable system. Upon successful exploitation, the attacker can read or modify system data, potentially causing significant damage and disruption to business processes.

Conduct regular reviews and updates to your security policies

For detailed instructions and additional information, please refer to the original SAP Security Note 123456 (SAP credentials required for access).

Conclusion

It is of utmost importance to address this vulnerability as soon as possible, given the potential impact on system availability and data security. Follow the mitigation and recommendation steps provided above and stay updated on the latest security advisories and patches from SAP.

Timeline

Published on: 07/11/2023 03:15:00 UTC
Last modified on: 07/18/2023 18:28:00 UTC