Critical Vulnerability in SAP NetWeaver lead to Supply Chain Attack

A critical vulnerability patched recently in SAP NetWeaver in ABAP Platform could be abused to set up supply chain attacks. Dubbed as an improper authorization issue, the security error allows an attacker to tamper with transport requests, thus bypassing quality gates and transferring code artifacts to production systems.

Tracked as CVE-2021-38178 and featuring a CVSS score of 9.1, the critical vulnerability was addressed on the October 2021.

SAP instances that are deployed in production instances for development, integration, and testing, with all instances often sharing a central transport directory, where files needed for deploying changes from development to production are stored. Transport requests are used to deploy modifications throughout the SAP system line, and these requests are assumed to be unmodifiable once exported. Thus, for any new change, a different request would be needed.

An attacker, or a malicious insider with sufficient permissions on a compromised system has a window of opportunity between the export of transport requests and their import into production units, when they could change the release status from ”Released” to ”Modifiable.”

A transport request can be tampered with after it has passed all quality gates, and the attacker could add a payload to be executed after import into a target system, thus opening the door to supply chain attacks. Attackers may add malicious code into the SAP development stage, unseen, even into requests that have already been imported into the test stage. They could alter the transport request content just before promotion into production, allowing for code execution.

All SAP environments where a single transport directory is used at various staging levels are vulnerable and organizations are advised to apply the available patches and check for manipulations of transport requests before importing into production.