CVE-2019-0304

9.8 CRITICAL

📋 TL;DR

CVE-2019-0304 is a critical command injection vulnerability (CWE-74) in the FTP function of the SAP NetWeaver AS ABAP kernel: an attacker who can reach the function can inject commands that the kernel then executes on the application server. It affects multiple kernel releases across 32-bit and 64-bit, Unicode and non-Unicode builds. Organizations running an affected, unpatched kernel risk complete compromise of the SAP system and of the host it runs on.

💻 Affected Systems

Products:
  • SAP NetWeaver AS ABAP Platform
Versions:
  • KRNL32NUC 7.21, 7.21EXT, 7.22, 7.22EXT
  • KRNL32UC 7.21, 7.21EXT, 7.22, 7.22EXT
  • KRNL64NUC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49
  • KRNL64UC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49, 7.73
  • KERNEL 7.21, 7.45, 7.49, 7.53, 7.73
Operating Systems: All operating systems for which the listed kernels are shipped (the defect is in kernel code and is not OS-specific)
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerable code is the FTP client built into the ABAP kernel (the sapftp program, normally reached from ABAP through function modules such as FTP_CONNECT and FTP_COMMAND via the RFC destinations SAPFTP and SAPFTPA). Not using FTP transfers does not remove that code from the kernel; only the kernel update does.

📦 What is this software?

SAP NetWeaver Application Server ABAP is the runtime that executes SAP's ABAP-based business applications (ERP/ECC, S/4HANA, BW and others). The kernel is its native executable layer (disp+work and companion programs such as sapftp); it is shipped per release and patched independently of the ABAP support packages, which is why this fix is a kernel patch rather than an ABAP correction.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system takeover with administrative privileges, data exfiltration, lateral movement within the network, and persistent backdoor installation.

🟠

Likely Case

Remote code execution leading to application compromise, data theft, and potential ransomware deployment.

🟢

If Mitigated

Limited impact if proper network segmentation, least privilege, and monitoring are in place, though exploitation could still occur.

🌐 Internet-Facing: HIGH - the FTP function is an outbound client inside the kernel, not a listening FTP service, so the exposure is that of the SAP instance itself: if its RFC, gateway or HTTP ports are reachable from the Internet, the 9.8 score (network vector, no privileges required) applies in full.
🏢 Internal Only: HIGH - any host with network access to the instance can reach the flaw; internal placement limits who can try, not what a successful attempt yields.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

CWE-74 (improper neutralization of special elements in output used by a downstream component, i.e. injection) describes the root cause: attacker-influenced text reaches the FTP function without being neutralized and is interpreted as a command by the component downstream of it. Injection flaws of this kind need no memory corruption or race to exploit, which is why the complexity is rated low.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Kernel patch level named in SAP Security Note 2719530 for your kernel release

Vendor Advisory: https://launchpad.support.sap.com/#/notes/2719530

Restart Required: Yes

Instructions:

1. Read SAP Security Note 2719530 and identify the fixed kernel patch level for each affected release in your landscape.
2. Download the patched kernel from the SAP Support Portal and apply it to every application server of the system (the correction is in the kernel; it cannot be implemented with SNOTE).
3. Restart the affected SAP instances so the new kernel is loaded.
4. Confirm the new release and patch level on every server via transaction SM51 (Release Notes) or disp+work -v on the host.

🔧 Temporary Workarounds

Restrict the FTP Function

Platform: all

There is no profile parameter that switches the kernel's FTP function off. If FTP transfers from ABAP are not required, reduce who can reach the function instead:

Remove or deactivate the RFC destinations SAPFTP and SAPFTPA (transaction SM59, TCP/IP connections), which are what start the sapftp program
Restrict S_RFC authorization for the FTP function modules (FTP_CONNECT, FTP_COMMAND and related) to the technical users that need them

This narrows exposure but does not remove the vulnerable code; the kernel update is still required.

Network Access Control

Platform: all

The FTP function does not open a listening port; the SAP instance's own ports are the exposure. Restrict the dispatcher (sapdp<NN>, 32NN/tcp) and gateway (sapgw<NN>, 33NN/tcp) ports to trusted hosts. The rules below assume instance number 00 and a trusted network of 10.10.0.0/16; adjust both.

iptables -A INPUT -p tcp -m multiport --dports 3200,3300 -s 10.10.0.0/16 -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dports 3200,3300 -j DROP
netsh advfirewall firewall add rule name="SAP RFC from trusted net" dir=in action=allow protocol=TCP localport=3200,3300 remoteip=10.10.0.0/16

On Windows the allow rule is sufficient only while the profile's default inbound action is Block; block rules take precedence over allow rules, so do not add a broader block rule for the same ports.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate SAP systems from untrusted networks
  • Place SAProuter (for RFC/DIAG) and SAP Web Dispatcher (for HTTP) in front of the instance with explicit route and access tables; a generic WAF sees only HTTP and does not inspect RFC traffic, so do not rely on WAF command-injection signatures for this flaw
  • Enable detailed logging and monitoring for FTP-related activities
  • Apply principle of least privilege to SAP service accounts

🔍 How to Verify

Check if Vulnerable:

Check the kernel release and patch level via transaction SM51 (Release Notes) or disp+work -v on the application server host (SM50 shows work processes, not the kernel version), and compare against the affected list above. Every application server of a system runs its own kernel; check each one.

Check Version:

In SAP GUI: System → Status → Other Kernel Information

Verify Fix Applied:

The correction is in the kernel, so SNOTE does not implement Note 2719530; verify instead that every application server reports a kernel release and patch level at or above the level the note names (SM51 > Release Notes, or System > Status > Other Kernel Information).
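
The kernel check above, worked through as a script. This is an added example and not the page's or SAP's own tooling: it parses the text that disp+work -v prints (the two samples in the block are constructed to resemble that output, not real captures), maps release, EXT build, bitness and Unicode mode onto the component names in the affected list, and, when given the fixed patch level from Note 2719530 (which this page does not state, so it is a parameter you supply), reports patched or vulnerable.

```python
"""Classify an SAP kernel against the CVE-2019-0304 affected-release list.

Input is the text printed by `disp+work -v` (also shown in SM51 > Release Notes).
The samples below are constructed to resemble that output, not real captures.
The fixed patch level is not on this page: take it from SAP Security Note
2719530 for your kernel release and pass it as `fixed_patch` (assumption).
"""
import re

# Affected releases per kernel component, copied from the advisory's list.
AFFECTED = {
    "KRNL32NUC": {"7.21", "7.21EXT", "7.22", "7.22EXT"},
    "KRNL32UC": {"7.21", "7.21EXT", "7.22", "7.22EXT"},
    "KRNL64NUC": {"7.21", "7.21EXT", "7.22", "7.22EXT", "7.49"},
    "KRNL64UC": {"7.21", "7.21EXT", "7.22", "7.22EXT", "7.49", "7.73"},
    "KERNEL": {"7.21", "7.45", "7.49", "7.53", "7.73"},
}

# Constructed sample: a 7.53 64-bit Unicode kernel at patch 401.
SAMPLE_753 = """\
--------------------
disp+work information
--------------------

kernel release                753

kernel make variant           753_REL

compiled on                   Linux GNU SLES-12 x86_64 cc6.2.1 for linux x86_64

compiled for                  64 BIT

compilation mode              UNICODE

update level                  0

patch number                  401
"""

# Constructed sample: a 7.21 EXT 32-bit non-Unicode kernel.
SAMPLE_721EXT = """\
kernel release                721
kernel make variant           721_EXT_REL
compiled for                  32 BIT
compilation mode              Non-Unicode
patch number                  1200
"""

_FIELDS = ("kernel release", "kernel make variant", "compiled for",
           "compilation mode", "patch number")
_LINE = re.compile(r"^(%s)\s+(\S.*)$" % "|".join(re.escape(f) for f in _FIELDS))


def parse_dispwork(text):
    """Pull release, EXT flag, bitness, Unicode flag and patch number out of disp+work -v text."""
    found = {}
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            found[m.group(1)] = m.group(2).strip()
    missing = set(_FIELDS) - set(found)
    if missing:
        raise ValueError(f"disp+work output lacks: {sorted(missing)}")
    return {
        "release": found["kernel release"],                    # e.g. "753"
        "ext": "EXT" in found["kernel make variant"].upper(),   # 721_EXT_REL -> True
        "bits": 64 if "64" in found["compiled for"] else 32,
        "unicode": found["compilation mode"].upper().startswith("UNICODE"),
        "patch": int(found["patch number"]),
    }


def advisory_release(info):
    """'753' -> '7.53'; '721' with an EXT make variant -> '7.21EXT' (advisory naming)."""
    r = info["release"]
    return f"{r[0]}.{r[1:]}{'EXT' if info['ext'] else ''}"


def matching_components(info):
    """Advisory components whose affected list contains this kernel's release and build flavour."""
    rel = advisory_release(info)
    matches = []
    for comp, releases in AFFECTED.items():
        if rel not in releases:
            continue
        if comp.startswith("KRNL"):  # KRNLnnUC / KRNLnnNUC encode bitness and Unicode mode
            want_bits = 32 if "32" in comp else 64
            want_unicode = comp.endswith("UC") and not comp.endswith("NUC")
            if want_bits != info["bits"] or want_unicode != info["unicode"]:
                continue
        matches.append(comp)
    return matches


def assess(text, fixed_patch=None):
    """Return (status, detail); fixed_patch is the level named in Note 2719530 for this release."""
    info = parse_dispwork(text)
    rel = advisory_release(info)
    comps = matching_components(info)
    if not comps:
        return "not_listed", f"release {rel} is not in the advisory list"
    if fixed_patch is None:
        return "affected_release", (f"release {rel} ({', '.join(comps)}) is listed; "
                                    f"compare patch {info['patch']} with Note 2719530")
    if info["patch"] >= fixed_patch:
        return "patched", f"release {rel} patch {info['patch']} >= {fixed_patch}"
    return "vulnerable", f"release {rel} patch {info['patch']} < {fixed_patch}"


if __name__ == "__main__":
    print(assess(SAMPLE_753))
    print(assess(SAMPLE_753, fixed_patch=500))
    print(assess(SAMPLE_721EXT))
```

Run it against the saved output of disp+work -v from each application server (on Windows, disp+work.exe -v); a kernel whose release is not in the list is reported as not_listed rather than as safe, since that only means the advisory does not name it.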

📡 Detection & Monitoring

Log Indicators:

  • RFC calls to the FTP function modules (FTP_CONNECT, FTP_COMMAND, FTP_R3_TO_SERVER, FTP_SERVER_TO_R3) by users, terminals or programs that do not normally perform FTP transfers (Security Audit Log with RFC call logging enabled; STAD for RFC statistics)
  • OS processes on the application server whose parent is sapftp or a work process and that are shells or interpreters, or sapftp started with unexpected arguments
  • Gateway log (dev_rd) entries for program starts from unexpected hosts, where gateway logging is enabled

Network Indicators:

  • Outbound FTP control connections (21/tcp) from the application server to hosts that are not approved transfer endpoints
  • Inbound RFC/gateway connections (32NN, 33NN/tcp) to the instance from hosts outside the approved networks

SIEM Query:

Splunk-style search over Security Audit Log events; the index, sourcetype, the user field and the BATCH_FTP allowlist are placeholders for your own ingestion:

index=sap sourcetype="sap:security_audit" ("FTP_CONNECT" OR "FTP_COMMAND" OR "FTP_R3_TO_SERVER" OR "FTP_SERVER_TO_R3") NOT user IN ("BATCH_FTP")
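
The same detection as code that can be run over exported logs, added here as an example and not taken from the page, SAP or any SIEM vendor. Both inputs are constructed samples with an assumed layout: a pipe-delimited Security Audit Log export (date|time|client|user|terminal|msgid|text, where the message IDs and the "RFC call <module>" text are assumptions) and ps -eo pid,ppid,comm,args output from the application server. The FTP function-module set and the BATCH_FTP allowlist are assumptions as well.

```python
"""Triage for the log and process indicators above (added example, not from the page or SAP).

Both inputs are constructed samples with an assumed layout:
  * AUDIT_SAMPLE: pipe-delimited Security Audit Log export
    (date|time|client|user|terminal|msgid|text). Message IDs and the
    'RFC call <module> (function group = ...)' text are assumptions.
  * PS_SAMPLE: `ps -eo pid,ppid,comm,args` output from the application server.
"""
import re
from collections import namedtuple

# Entry points of the ABAP FTP function (assumed set; extend for your system).
FTP_FUNCTION_MODULES = {"FTP_CONNECT", "FTP_COMMAND", "FTP_DISCONNECT",
                        "FTP_R3_TO_SERVER", "FTP_SERVER_TO_R3"}
# Technical users that legitimately drive FTP transfers (assumed allowlist).
ALLOWED_FTP_USERS = {"BATCH_FTP"}
# Interpreters that sapftp should not normally hand control to.
SHELLS = {"sh", "bash", "ksh", "dash", "csh", "perl", "python", "cmd.exe", "powershell.exe"}

AUDIT_SAMPLE = """\
20190412|101502|100|BATCH_FTP|appsrv01|AUK|Successful RFC call FTP_CONNECT (function group = SFTP)
20190412|101503|100|BATCH_FTP|appsrv01|AUK|Successful RFC call FTP_COMMAND (function group = SFTP)
20190412|231711|100|JDOE|10.9.8.7|AUK|Successful RFC call FTP_CONNECT (function group = SFTP)
20190412|231712|100|JDOE|10.9.8.7|AUK|Successful RFC call FTP_COMMAND (function group = SFTP)
20190412|231900|100|JDOE|10.9.8.7|AU3|RFC/CPIC logon successful (type=R)
"""

PS_SAMPLE = """\
  PID  PPID COMMAND         COMMAND
 3980  3975 dw.sapPRD_D00   dw.sapPRD_D00 pf=/usr/sap/PRD/SYS/profile/PRD_D00_appsrv01
 4120  3980 sapftp          sapftp
 4188  4120 sh              sh -c /bin/id
 4201  3980 sapftp          sapftp
"""

Finding = namedtuple("Finding", "when user terminal function_module")
_RFC_CALL = re.compile(r"RFC call (\w+)")


def ftp_calls_outside_allowlist(audit_text, allowed=ALLOWED_FTP_USERS):
    """FTP_* RFC calls made by any user not on the allowlist, in log order."""
    findings = []
    for line in audit_text.splitlines():
        parts = line.split("|")
        if len(parts) != 7:
            continue  # not an entry in the assumed layout
        date, time, _client, user, terminal, _msgid, text = parts
        m = _RFC_CALL.search(text)
        if not m or m.group(1) not in FTP_FUNCTION_MODULES or user in allowed:
            continue
        findings.append(Finding(f"{date} {time}", user, terminal, m.group(1)))
    return findings


def shells_spawned_by_sapftp(ps_text):
    """(pid, args) of shell/interpreter processes whose parent is a sapftp process."""
    rows = []
    for line in ps_text.splitlines()[1:]:  # skip the header row
        parts = line.split(None, 3)
        if len(parts) < 3:
            continue
        pid, ppid, comm = int(parts[0]), int(parts[1]), parts[2]
        rows.append((pid, ppid, comm, parts[3] if len(parts) == 4 else ""))
    comm_by_pid = {pid: comm for pid, _, comm, _ in rows}
    return [(pid, args) for pid, ppid, comm, args in rows
            if comm_by_pid.get(ppid) == "sapftp" and comm in SHELLS]


if __name__ == "__main__":
    for f in ftp_calls_outside_allowlist(AUDIT_SAMPLE):
        print("FTP call outside allowlist:", f)
    for pid, args in shells_spawned_by_sapftp(PS_SAMPLE):
        print(f"shell under sapftp: pid {pid} args {args!r}")
```

The process check is the stronger signal for this CVE class: an audit entry only tells you that the FTP function was called, while a shell whose parent is sapftp is what a successful injection looks like on the host.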
