ERPScan security researchers alerted that a remote code execution (RCE) vulnerability has been found in SAP GUI (Graphical User Interface). The flaw exposes unpatched systems to malware attacks, mostly to ransomware.
The bug was found in December last year and SAP was notified of the problem immediately but the fix was released only in SAP`s March 2017 security updates. The vulnerability was discovered in SAP GUI for Windows 7.20 to 7.50 and was evaluated with a High severity rating.
SAP GUI is a platform, offering remote access to the SAP central server in a company network. In order to exploit the flaw and bypass SAP GUI security to execute the code, the attackers would need to use a special Advanced Business Application Programming (ABAP) code.
The bug could allow the threat actors to “access arbitrary files and directories located in an SAP-server filesystem, including an application’s source code, configuration, and critical system files”, states ERPScan, a company specialized in securing SAP and Oracle applications. If the SAP system is vulnerable, the attackers could use the flaw to obtain business-related, technical and other critical information stored in the system.
“When we open SAP GUI > Options > Security > Security Configuration > Open security configuration, we can see the list of rules which SAP GUI uses. These rules determine whether or not to show security prompt during critical actions (e.g. when an ABAP code wants to read a local file, download a file from the server to client, or execute a program). Our research revealed that SAP GUI has a rule which allows reading, writing, executing of regsvr32.exe Windows application without the security prompt.” – explains ERPScan.
According to the researchers, the regsvr32.exe can also be used to load DLL files from a remote SMB share and execute DllMain function. In order to reproduce the bug, one and compile and upload a DLL file to a SMP share, then create an ABAP program and replace the DllMain path to the share path, and then run the program.
“The attack vector is rather trivial. By exploiting this vulnerability, an attacker can force all the SAP GUI clients within a company to automatically download a malware that locks workstations and demand money in exchange to regain control of their systems. Of note, each client has its own unique payment address, which worsens the situation.” – says Vahagn Vardanyan, one of the ERPScan researchers who discovered this bug.
In response to a SecurityWeek inquiry, Darya Maenkova at ERPScan explains that a threat actor can easily create a malicious transaction and then compromise the SAP Server to put said transaction into an autoloading mode. The attackers could also use a remotely exploitable vulnerability to compromise the server, adds Maenkova.
“Each time a user logins to the infected SAP server using SAP GUI, the malicious transaction will be executed calling a program on an endpoint that downloads the ransomware. Next time a user tries to run an SAP GUI application, the malicious transaction will be executed and prevent from logging on SAP Server.” – Maenkova says.
Once a system is compromised, the attackers can execute any command remotely. The command is running with the privileges of the service that executed it, meaning that a ransomware attack that demands a ransom in exchange of regaining access to the compromised system is only one of the possible variants the vulnerability can be exploited for. And yet, ransomware infections remain one of the easiest ways to exploit this flaw for monetary gain.
The good news is, though, that, according to ERPScan, the bug isn’t being used in the wild. However, customers are strongly advised to apply the released patch as soon as possible as well as to implement “a vulnerability management process to continuously monitor, identify, evaluate, and mitigate vulnerabilities.” The patching process itself is rather time-consuming as the patch has to be installed on each computer within the network, adds ERPScan.