SAP security solutions vendor SecurityBridge warns that a severe vulnerability recently patched in SAP NetWeaver AS ABAP and ABAP Platform might be used to launch supply chain attacks. The flaw, tracked as CVE-2021-38178 with a CVSS score of 9.1, was patched on SAP's Patch Day in October 2021.
The security flaw, described as an incorrect permission problem, allows an attacker to interfere with transport requests, circumventing quality gates and pushing code artifacts into production systems. In SAP landscapes, production systems typically sit at the end of a line of development, integration, and test systems, and all of these systems share a single transport directory that holds the files needed to transport changes from development to production.
Transport requests are used to distribute changes across the SAP system line, and once exported they are expected to be immutable; any further change should require a new request. SecurityBridge found, however, that standard SAP deployments include functionality that lets users with certain authorizations modify the header parameters of SAP transport requests.
As a result, an attacker or a malicious insider with sufficient rights on a compromised system could switch the release status from “Released” back to “Modifiable” in the window between the export of a transport request and its import into production systems. After the request has passed all quality gates, the attacker can tamper with it and add a payload that executes when the request is imported into the target system, enabling supply chain attacks.
“Attackers may introduce malicious code into the SAP development stage, unseen, even into requests that have already been imported into the test stage. They could alter the transport request content just before promotion into production, allowing for code execution,” SecurityBridge notes.
All SAP landscapes that use a single transport directory across multiple staging levels are affected. Organizations should deploy the fixes and check transport requests for manipulation before importing them into production.
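One way to perform the pre-import check recommended above is to snapshot the transport files when a request passes its last quality gate and compare them again right before the production import. The following is an added example written for this article; it is not SecurityBridge's or SAP's tooling. It assumes the usual transport directory layout (`data/R<number>.<SID>` and `cofiles/K<number>.<SID>`), uses constructed sample file contents, and takes the request's release status as a caller-supplied value, since in a real landscape that status lives in the system rather than on disk. The `demo()` function also plays through the scenario the article describes (status flipped back to Modifiable and the data file altered after release) to show that the check flags it.

```python
"""Integrity check for SAP transport files in a shared transport directory.

Added example, not code from the article or from SAP/SecurityBridge. The
data/cofiles naming follows the common SAP layout; everything else here
(sample content, the request ID, the status values) is constructed.
"""
import hashlib
import tempfile
from pathlib import Path


def transport_files(transdir, request):
    """Map a request ID such as DEVK900123 to its data file and cofile.

    Assumed format: three-character SID, the letter K, then the number.
    """
    sid, number = request[:3], request[4:]
    return {
        "data": Path(transdir) / "data" / f"R{number}.{sid}",
        "cofile": Path(transdir) / "cofiles" / f"K{number}.{sid}",
    }


def sha256_of(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def record_release(transdir, request, status):
    """Snapshot taken when the request has passed the last quality gate.

    Store the result outside the shared transport directory: anyone able to
    change the transport files could otherwise change the snapshot too.
    """
    files = transport_files(transdir, request)
    return {
        "request": request,
        "status": status,
        "hashes": {name: sha256_of(path) for name, path in files.items()},
    }


def verify_before_import(transdir, manifest, current_status):
    """Return a list of findings; an empty list means the request is unchanged."""
    findings = []
    # The article's attack flips the header status after export; a request
    # that was Released at the gate must still be Released at import time.
    if current_status != manifest["status"]:
        findings.append(f"status changed: {manifest['status']} -> {current_status}")
    files = transport_files(transdir, manifest["request"])
    for name, path in files.items():
        if not path.exists():
            findings.append(f"{name} file missing: {path.name}")
        elif sha256_of(path) != manifest["hashes"][name]:
            findings.append(f"{name} file modified: {path.name}")
    return findings


def demo():
    """Build a constructed transport directory, then run the clean and tampered cases."""
    with tempfile.TemporaryDirectory() as tmp:
        transdir = Path(tmp)
        (transdir / "data").mkdir()
        (transdir / "cofiles").mkdir()
        request = "DEVK900123"  # constructed request ID
        files = transport_files(transdir, request)
        files["data"].write_bytes(b"constructed transport payload v1")
        files["cofile"].write_bytes(b"constructed control file")

        manifest = record_release(transdir, request, "Released")
        clean = verify_before_import(transdir, manifest, "Released")

        # Simulate the article's scenario: status set back to Modifiable and
        # the data file altered after it passed the quality gates.
        files["data"].write_bytes(b"constructed transport payload v1 + extra object")
        tampered = verify_before_import(transdir, manifest, "Modifiable")
        return clean, tampered


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean run:", clean or "no findings")
    print("tampered run:", tampered)
```

The snapshot has to be taken after the last quality gate and stored where the transport directory's users cannot write, and the import job should refuse any request with findings rather than just logging them; otherwise the check adds visibility but not a real gate.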