SAP security solutions vendor SecurityBridge warns that a critical bug recently addressed in SAP NetWeaver AS ABAP and ABAP Platform might be exploited to launch supply chain assaults.
The critical bug identified as CVE-2021-38178 with a CVSS score of 9.1, was fixed on the SAP Patch Day in October 2021.
SecurityBridge researchers described the vulnerability as an improper authorization issue, which allows threat actors to tamper with transport requests, thus evading quality gates and transmitting code artifacts to production systems.
Typical SAP production systems exist at the end of a line of systems consisting of SAP instances that are used for development, testing, and sometimes integration. All instances often share a single transport directory, where files needed for deploying changes from development to production are kept.
Transport requests are used to distribute modifications throughout the SAP system line, and once exported, these requests are thought to be unmodifiable. As a result, each new modification would necessitate a new request. However, SecurityBridge uncovered that standard SAP deployments include a program that does allow employees with specific authorization levels to change the header attributes of SAP transport requests.
As a result, an attacker or a malicious insider with sufficient permissions on an exploited system has a window of opportunity between the export of transport requests and their import into production units, when they could change the release status from ” Released” to ” Modifiable.”
A transport request can be tampered with after it has passed all quality gates, and the attacker could add a payload to be executed after import into a target system, thus opening the door to supply chain attacks.
“Attackers may introduce malicious code into the SAP development stage, unseen, even into requests that have already been imported into the test stage. They could alter the transport request content just before promotion into production, allowing for code execution,” SecurityBridge explained.
All SAP environments that employ a single transport directory at multiple staging levels are susceptible and organizations are advised to apply the available patches and check for manipulations of transport requests before importing into production.