Preface: In the digital world, it always has unexpected problems.
Background: SAP kernel is the core component of any SAP system. It includes executable files on the SAP server, which are used to connect to the system and execute SAP programs. In the SAP system environment, remote function call (RFC) is one of the main communication protocols used.
Remark: Remote Function Call (RFC) is the standard SAP interface for communication between SAP systems. RFC calls a function to be executed in a remote system.
Vulnerability details (official): CVE-2021-40501 – Missing Authorization check in ABAP Platform Kernel
(Product – SAP ABAP Platform Kernel, Versions – 7.77, 7.81, 7.85, 7.86)
My observation: The server-side implementation of the proprietary RFC protocol. Remote attackers capable of crafting special requests may exploit this vulnerability to claim a given identity that causes an authentication bypass in the SAP kernel. Similar vulnerability not the 1st time discovered.
Reminder: Due to the criticality and the impact on systems beyond the vulnerable system, we strongly recommend applying the corresponding kernel patch.
Official announcement – https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=589496864