"Researcher Outlines Known RFC Vulnerabilities in SAP Software That Lead to Unauthenticated Remote Code Execution"
A security researcher has disclosed what he considers several critical vulnerabilities affecting enterprise software that runs on widely deployed SAP platforms. In a paper presented at a recent European cybersecurity conference, Fabian Hagg describes his analysis of server-to-server communication bugs and design flaws in SAP NetWeaver Application Server ABAP (AS ABAP) and the ABAP Platform. According to Hagg, laboratory analysis revealed issues with alternate logon material, cryptographic failures, memory corruption, and Advanced Business Application Programming (ABAP) coding pitfalls. All of the vulnerabilities lie in SAP's long-standing proprietary interface protocol, Remote Function Call (RFC), which AS ABAP systems use to invoke function modules on one another. Three were found in 2021 and 2022; the fourth was discovered in January of this year. Two carry a CVSS score of 9.8. SAP has released patches for all four, but systems on which those patches have not been applied remain exploitable, so administrators should verify that the corresponding SAP security notes are installed rather than assume a recent release is covered. The article goes on to discuss the attack chain presented at the conference, which could affect any enterprise software solution running on top of SAP AS ABAP platform technology.