- CVSS Score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
- Affected Component: SAP NetWeaver AS for ABAP and ABAP Platform (Informix Database Interface)
- Description: A critical SQL injection vulnerability exists due to insufficient input validation in certain Remote Function Call (RFC) enabled function modules. Attackers with basic user privileges can exploit this vulnerability to manipulate database queries on the Informix database, leading to a complete compromise of the system’s confidentiality, integrity, and availability.
- Priority: Correction with high priority
Recommendation: Immediate action is required. Apply the security patches provided in SAP Security Note 3550816 to deactivate the vulnerable functions. Additionally, review and adjust authorizations related to RFC calls against function group SDBI, ensuring these functions are not exposed to unauthorized users.
Technical Details
The vulnerability arises from improperly secured RFC-enabled function modules that interact with the Informix database. These functions accept user-supplied input without adequate validation or sanitization, directly incorporating it into SQL queries executed against the database.
Analysis of the Vulnerable Function: CHECK_DBA_DBSP_ARCH
The provided function CHECK_DBA_DBSP_ARCH is designed to check the database spaces (dbspaces) for archival purposes in an SAP system utilizing an Informix database. The function performs SQL operations based on user-controlled input variables.
Data Flow Leading to Vulnerability:
The data flow identified by the RedRays ABAP Code Scanner highlights how user-controlled input reaches the vulnerable SQL statements:
JOBID_TO_USE ↓ ARCH_JOB_TABLE-JOBID ↓ EXEC SQL SELECT ... WHERE JOB_ID = :JOBID_TO_USE
This flow demonstrates that the variable JOBID_TO_USE, potentially influenced by user input, is directly used in an SQL WHERE clause without proper safeguards.
Vulnerable Function Code:
FUNCTION CHECK_DBA_DBSP_ARCH .
DATA: BEGIN OF ARCH_JOB_TABLE OCCURS 10,
JOBID TYPE I,
REQ_ID TYPE I,
DBS_ID TYPE I,
END OF ARCH_JOB_TABLE.
DATA: NO_REQUESTS_FOR_JOBID TYPE I,
NO_REQUESTS_EXPECTED TYPE I,
JOBID_TO_CHECK TYPE I,
JOBID_TO_USE TYPE I,
DBSID_IS_NULL.
* check if local call
if system_struct-sysid = sy-sysid or system_struct-sysid = space.
* get all volume sets without write protection from table ARC_VSET
CLEAR: ARCH_JOB_TABLE. REFRESH: ARCH_JOB_TABLE.
EXEC SQL PERFORMING APPEND_ARCHJOB.
SELECT B.JOB_ID, A.AE_RID, A.AE_DSID
FROM SYSMASTER:ARC_ARCHIVE_EVENT A, ARCH_HIST B
INTO :ARCH_JOB_TABLE
WHERE A.AE_LEVEL = 0
AND A.AE_RID = B.REQ_RID
ORDER BY 1 DESC
ENDEXEC.
CLEAR: NO_REQUESTS_FOR_JOBID, NO_REQUESTS_EXPECTED,
JOBID_TO_CHECK, JOBID_TO_USE, DBSID_IS_NULL.The code above shows multiple SQL statements where variables like :ARCH_JOB_TABLE-JOBID are directly used without validation.
Example Scenario:
An attacker with basic user privileges could manipulate the value of JOBID_TO_USE to inject SQL code. For instance, if the attacker sets JOBID_TO_USE to a value like 0 OR 1=1, the SQL query becomes:
SELECT COUNT(*) FROM ARCH_HIST WHERE JOB_ID = 0 OR 1=1
This manipulation could cause the query to return unintended results or expose sensitive data.
Detection and Analysis with RedRays ABAP Code Scanner
The RedRays ABAP Code Scanner efficiently identified this vulnerability by analyzing the data flow and pinpointing the insecure use of variables in SQL statements.
Identified Issue:
SQL Injection Risk in EXEC SQL Statements
Description: The function employs EXEC SQL statements with variables like :JOBID_TO_USE and :ARCH_JOB_TABLE-JOBID without proper validation or sanitization. This can potentially allow attackers to manipulate SQL queries and perform injection attacks.
Severity:
High
Data Flow Analysis:
JOBID_TO_USE ↓ ARCH_JOB_TABLE-JOBID ↓ EXEC SQL SELECT ... WHERE JOB_ID = :JOBID_TO_USE
The scanner traced the flow of user-influenced data into critical SQL statements, highlighting the absence of safeguards against injection.
Mitigation Steps
- Apply Patches: Implement the support package or correction instructions provided in SAP Security Note 3550816. This will deactivate the vulnerable functions or apply necessary fixes.
- Restrict RFC Access: As a workaround, restrict RFC calls to the function group
SDBI. Ensure that functions within this group are not listed in the authorization objectS_RFCfor users who do not require access. - Input Validation: Modify the vulnerable function to include proper input validation and sanitization. Ensure that all variables used in SQL statements are checked for malicious content.
- Use Parameterized Queries: Where possible, use parameterized queries or prepared statements to interact with the database. This approach prevents SQL injection by ensuring that user input is treated as data, not as part of the SQL command.
- Code Review and Refactoring: Perform a thorough code review of all RFC-enabled functions that interact with the database. Refactor code to follow secure coding practices.
- Regular Security Scans: Employ code scanning tools like RedRays ABAP Code Scanner regularly to detect and remediate vulnerabilities early in the development lifecycle.
Additional References
For further information and guidance, refer to SAP Note 3550817. This note provides additional context and instructions related to this vulnerability.
Conclusion
SQL injection vulnerabilities pose a significant threat to SAP systems, potentially allowing attackers to access or manipulate critical business data. The identified vulnerability in the CHECK_DBA_DBSP_ARCH function underscores the importance of secure coding practices and regular security assessments.
By leveraging tools like RedRays ABAP Code Scanner, organizations can proactively detect such vulnerabilities. It is essential for SAP developers to validate all input and use secure methods for database access to prevent injection attacks.
