Severe SAP NetWeaver Vulnerability Allows Attackers to Bypass Authorization Checks

SAP has released nineteen security patches in its June Patch Day, addressing critical vulnerabilities that could allow attackers to bypass authorization controls and escalate privileges across multiple enterprise systems.

The update includes two HotNews Notes and seven High Priority Notes, with immediate action recommended for organizations running affected SAP environments.

The most severe vulnerability, tracked as SAP Security Note #3600840 with a CVSS score of 9.6, affects the Remote Function Call (RFC) framework in SAP NetWeaver Application Server AS ABAP.

This critical missing authorization check vulnerability enables authenticated attackers to bypass standard authorization controls on the S_RFC authorization object when using transactional (tRFC) or queued RFCs (qRFC).

Under specific conditions, attackers can exploit this vulnerability to achieve privilege escalation, critically impacting both application integrity and availability.

The vulnerability requires immediate kernel updates, with SAP warning that the patch may necessitate additional S_RFC permissions for some users.

Organizations can identify affected users and activate the additional authorization check by setting the profile parameter rfc/authCheckInPlayback to 1, as detailed in FAQ SAP Note #3601919.

SAP NetWeaver Vulnerability

Several high-priority vulnerabilities demand immediate attention across SAP’s business application portfolio.

SAP Security Note #3609271, rated 8.8 on the CVSS scale, addresses a vulnerability in SAP GRC that allows low-privileged users to initiate transactions capable of modifying or controlling transmitted system credentials.

Another significant vulnerability, covered by SAP Security Note #3606484 with a CVSS score of 8.5, involves a missing authorization check in SAP Business Warehouse and SAP Plug-In Basis.

This vulnerability enables unauthorized deletion of database tables through a remote-enabled function module without proper authorization verification.

Cross-site scripting vulnerabilities also feature prominently in this release.

SAP Security Note #3560693 patches an XSS vulnerability in SAP BusinessObjects Business Intelligence BI Workspace with a CVSS score of 8.2, where insufficient input sanitization allows unauthenticated attackers to inject malicious scripts that execute in victims’ browsers.

Comprehensive Patch Release

The Onapsis Research Labs played a significant role in identifying and helping remediate four vulnerabilities covered by two SAP Security Notes in this release.

Their contributions include discovering three vulnerabilities in SAP Master Data Management Server, addressed by SAP Security Note #3610006 with a CVSS score of 7.5.

These vulnerabilities include two memory corruption vulnerabilities that could trigger memory read access violations through specially crafted packets, potentially causing server process failures and impacting application availability.

Research also identified an insecure session management vulnerability allowing attackers to gain control of existing client sessions without re-authentication.

Additionally, the research team contributed to patching a cross-site scripting vulnerability in SAP NetWeaver AS ABAP’s keyword documentation, addressed by SAP Security Note #3590887 with a CVSS score of 5.8.

This vulnerability resulted from insufficient URL request validation, enabling unauthenticated attackers to inject malicious JavaScript through unprotected parameters.

Organizations should prioritize implementing these patches immediately, particularly the critical RFC framework vulnerability, to maintain security posture across their SAP environments.

Find this Story Interesting! Follow us on LinkedIn and X to Get More Instant Updates.