Unauthenticated user impersonation (auth bypass) in SAP

Posted on February 08, 2022 in Services & System Applications

Summary

A request smuggling issue in SAP NetWeaver, SAP Content Server, and SAP Web Dispatcher allows unauthenticated user impersonation. These systems are commonly Internet-facing. The flaw has been assigned a bug alert severity of 'critical', and the vendor has supplied patches.

Details

On Tuesday, February 8, 2022, SAP published a notice detailing a major request smuggling flaw within their SAP NetWeaver, SAP Content Server, and SAP Web Dispatcher products, which SAP claims could lead to authentication bypass.

Publicly available documentation is scarce, but the Bug Alert team has analyzed the PoC and SAP documentation. It appears that SAP can utilize the REMOTE_USER header (which is usually stripped from untrusted traffic) to authenticate a user through an authenticating proxy or SSO module.

Again, publicly available information is limited at this time, but it appears likely that this request smuggling issue could be utilized to insert the REMOTE_USER request header and impersonate another SAP user, including the present-by-default 'Administrator' account.

This vulnerability been assigned CVE-2022-22536. Patches are available now from the vendor.

If you have feedback (did you agree/disagree that a notice should have been sent?) or questions, please comment on the discussion thread linked below. This notice cost the project approximately $150 USD to send. If you would like to support the project, you can learn more here.


Additional vulnerability discussion can be found on GitHub.
Have information to contribute? Make a pull request!