External risk intelligence

SAP NetWeaver Allows Unauthorized Command Execution.

CVE advisory
Known Exploit

CVE-2021-38163

An authenticated user can upload a malicious file to SAP NetWeaver Visual Composer, leading to operating system command execution. This can result in data compromise or server unavailability, posing a business risk.

Halo Surface Signal: 3

Path Traversal

SAP NetWeaver

7.30, 7.31, 7.40, 7.50

External exposure likelihood

Halo Surface Signal score for CVE-2021-38163

SAP NetWeaver is a complex enterprise application platform that typically resides within internal corporate networks. While components may be exposed to the internet in specific enterprise portal or gateway configurations, it is not inherently an internet-edge service by default, making public reachability possible but not guaranteed for the specific Visual Composer component.

Horizon Alert

Summary of the vulnerability and why it matters

SAP NetWeaver's Visual Composer component contains a vulnerability that allows an authenticated, non-administrative user to upload a malicious file. This file can then be processed to execute operating system commands with the privileges of the Java Server process. Such commands could lead to unauthorized modification or deletion of information on the server, or cause the server to become unavailable.

  • Vulnerable SAP NetWeaver component
  • Unrestricted file upload capability
  • Potential for data compromise or denial of service

Attack Path

How an attacker could exploit the issue

An attacker can exploit a vulnerability in SAP NetWeaver Visual Composer to gain unauthorized access and control over affected systems. This occurs when a non-administrative user uploads a malicious file, which is then processed by the system. The malicious file can execute operating system commands with the privileges of the Java Server process, potentially leading to data manipulation or system shutdown.

  • Exposure condition: Network access to SAP NetWeaver Visual Composer.
  • Attacker starting point: Authenticated as a non-administrative user.
  • Trigger and result: Upload and processing of a malicious file leads to OS command execution.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability in SAP NetWeaver's Visual Composer allows an authenticated, non-administrative user to upload and execute malicious files. This could lead to unauthorized operating system commands being run with the privileges of the Java Server process. Such commands could be used to access, modify, or delete any information on the server, or to shut down the server, causing a denial of service. The potential for significant data compromise and system disruption presents a substantial business risk.

  • Likely attacker skill level: Low.
  • Required access or conditions: Authenticated non-administrative user.
  • Business risk or urgency: High.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

The identified vulnerability in SAP NetWeaver Visual Composer allows an authenticated, non-administrative user to upload and process a malicious file. This action can lead to the execution of operating system commands with the privileges of the Java Server process, potentially resulting in unauthorized data access, modification, or server downtime. This poses a significant business risk by impacting system availability and data integrity.

  • Identify all SAP NetWeaver Visual Composer installations.
  • Restrict network access to Visual Composer.
  • Apply SAP Note 3084487; verify fix.

Frequently asked questions

What is SAP NetWeaver Visual Composer and its role in vulnerability CVE-2021-38163?

SAP NetWeaver Visual Composer is a component of the SAP NetWeaver platform used for developing business processes. In CVE-2021-38163, this component is vulnerable, allowing an authenticated non-administrative user to upload a malicious file.

What type of weakness does CVE-2021-38163 represent and how is it classified?

CVE-2021-38163 represents an unrestricted file upload vulnerability, classified under CWE-22. This weakness allows attackers to upload files without proper validation, which can be a precursor to further exploitation.
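As an added defensive illustration of the weakness class named above (traversal via an upload filename, CWE-22), and not SAP NetWeaver code: a minimal upload decision routine that neutralises the client-supplied path, enforces an extension allowlist, and flags traversal attempts so they can be logged. The upload root, the allowlist and the sample filenames are assumptions constructed for the example.

```python
import os
from dataclasses import dataclass
from typing import Optional

# Added example, not SAP code: an upload handler must neutralise traversal in
# the client-supplied name and refuse extensions the server might execute.
ALLOWED_EXTENSIONS = {".xml", ".txt", ".csv"}   # assumption for the example
TRAVERSAL_MARKERS = ("../", "..\\", "%2e%2e", "%2f", "%5c")


@dataclass
class UploadDecision:
    path: Optional[str]       # where to store the file, or None if rejected
    reason: Optional[str]     # why it was rejected, for the server log
    traversal_attempted: bool # worth alerting on even when the upload is rejected


def decide_upload(upload_root: str, client_filename: str) -> UploadDecision:
    raw = client_filename
    traversal = any(m in raw.lower() for m in TRAVERSAL_MARKERS)
    # Keep only the final component; treat backslashes as separators because
    # Windows clients send them and a Java process on Windows honours them.
    name = raw.replace("\\", "/").split("/")[-1]
    if name in ("", ".", "..") or "\x00" in name:
        return UploadDecision(None, "empty or malformed filename", traversal)
    ext = os.path.splitext(name)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return UploadDecision(None, f"extension {ext or '(none)'} not allowed", traversal)
    root = os.path.realpath(upload_root)
    target = os.path.realpath(os.path.join(root, name))
    # Belt and braces: the resolved path must still sit below the upload root.
    if os.path.commonpath([root, target]) != root:
        return UploadDecision(None, "path escapes upload root", traversal)
    return UploadDecision(target, None, traversal)


if __name__ == "__main__":
    # Constructed sample names a handler might receive (hypothetical root).
    for fname in ("model.xml", "../../etc/cron.d/job.txt", "cmd.jsp", "notes.txt\x00.jsp"):
        print(f"{fname!r:32} -> {decide_upload('/srv/vc/uploads', fname)}")
```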

How can an attacker exploit this SAP NetWeaver vulnerability and what is the scope?

An authenticated non-administrative user can upload a malicious file that, when processed, executes operating system commands with the privileges of the Java Server process. This can lead to unauthorized access, modification, or deletion of server information, or denial of service, impacting the entire system.

What is the relevance of CVE-2021-38163, referencing Halo Surface Signal?

Halo classifies this CVE as having 'Possible' relevance because SAP NetWeaver, while an enterprise application, may be exposed externally depending on its configuration, making exploitation feasible through network access.

What practical steps should be taken to address the SAP NetWeaver vulnerability?

To address this vulnerability, organizations should identify all SAP NetWeaver Visual Composer installations, restrict network access to the component, and apply SAP Note 3084487, verifying that the fix is successfully implemented.
