CVE-2021-27628
📋 TL;DR
CVE-2021-27628 is a denial-of-service vulnerability in SAP NetWeaver ABAP Server and ABAP Platform that allows unauthenticated attackers to crash the system by sending specially crafted network packets. The vulnerability exists in the Dispatcher component's DpRTmPrepareReq() method due to improper input validation. Affected organizations are those running vulnerable SAP NetWeaver versions with exposed network interfaces.
💻 Affected Systems
- SAP NetWeaver ABAP Server
- SAP NetWeaver ABAP Platform
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete system unavailability causing business disruption, requiring system restart and potential data loss from interrupted transactions.
Likely Case
Service disruption affecting SAP-dependent business processes until system restart.
If Mitigated
No impact if system is patched or network access is properly restricted.
🎯 Exploit Status
No authentication required; exploitation is straightforward once packet format is understood.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Apply SAP Security Note 3021197 patches
Vendor Advisory: https://launchpad.support.sap.com/#/notes/3021197
Restart Required: Yes
Instructions:
1. Download and apply SAP Security Note 3021197 patches from SAP Support Portal.
2. Apply kernel updates to affected systems.
3. Restart SAP systems to activate patches.
4. Verify patch application using transaction SM51.
🔧 Temporary Workarounds
Network Segmentation
Restrict network access to SAP Dispatcher service ports (typically 3200-3299, 3300-3399 for ABAP)
Use firewall rules to limit access to trusted IPs only
SAP Router Protection
Ensure SAP Router is properly configured and updated to filter malicious traffic
Maintain saprouttab file with authorized connections only
🧯 If You Can't Patch
- Implement strict network access controls to limit who can reach SAP Dispatcher ports
- Monitor system logs for crash events and implement rapid response procedures
🔍 How to Verify
Check if Vulnerable:
Check kernel version using transaction SM51 or command 'disp+work -version'. Compare against affected versions list.
Check Version:
disp+work -version (on SAP application server)
Verify Fix Applied:
Verify SAP Security Note 3021197 is applied using transaction SNOTE or check kernel patch level.
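The version check above is usually repeated across many application servers, so it pays to script it. The following is an added example (not SAP's tooling and not from the original advisory) that parses `disp+work -version` output and compares the kernel patch level against a minimum. The field labels `kernel release` and `patch number` are an assumption about the output format; the minimum patch level per kernel release is a placeholder that must be filled in from SAP Security Note 3021197, because the page does not list the fixed patch levels.

```python
import re
import subprocess

# Constructed sample in the shape of `disp+work -version` output.
# The "kernel release" / "patch number" labels are ASSUMED; compare with
# the real output on your host and adjust the regexes if they differ.
SAMPLE_VERSION_OUTPUT = """\
--------------------
disp+work information
--------------------

kernel release                753

kernel make variant           753_REL

patch number                  500
"""

# PLACEHOLDER: minimum patched kernel patch level per release.
# Take the real values from SAP Security Note 3021197; 9999 here only
# guarantees that an unedited copy of this table reports "not patched".
MIN_PATCHED_PLACEHOLDER = {"753": 9999}

KERNEL_RELEASE_RE = re.compile(r"^kernel release\s+(\d+)\s*$", re.MULTILINE)
PATCH_NUMBER_RE = re.compile(r"^patch number\s+(\d+)\s*$", re.MULTILINE)


def parse_kernel_version(output):
    """Return (release, patch_number) parsed from disp+work -version text."""
    rel = KERNEL_RELEASE_RE.search(output)
    patch = PATCH_NUMBER_RE.search(output)
    if rel is None or patch is None:
        raise ValueError("could not locate kernel release / patch number")
    return rel.group(1), int(patch.group(1))


def is_patched(output, min_patched=MIN_PATCHED_PLACEHOLDER):
    """True if the kernel patch level meets the minimum for its release,
    False if it is below it, None if the release is not in the table
    (unknown: investigate manually rather than assume safe)."""
    release, patch = parse_kernel_version(output)
    required = min_patched.get(release)
    if required is None:
        return None
    return patch >= required


def check_local_host(disp_work_path="disp+work", min_patched=MIN_PATCHED_PLACEHOLDER):
    """Run disp+work -version on this application server and evaluate it."""
    proc = subprocess.run([disp_work_path, "-version"],
                          capture_output=True, text=True, check=True)
    return is_patched(proc.stdout, min_patched)


if __name__ == "__main__":
    release, patch = parse_kernel_version(SAMPLE_VERSION_OUTPUT)
    print(f"kernel release {release}, patch {patch}, "
          f"patched={is_patched(SAMPLE_VERSION_OUTPUT)}")
```

Run `check_local_host()` on each application server (or feed it saved `disp+work -version` output) once the placeholder table holds the patch levels from the SAP note; a `None` result means the release was not in the table and needs a manual look rather than being treated as safe.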
📡 Detection & Monitoring
Log Indicators:
- Dispatcher crash logs in dev_disp
- System termination events in system logs
- ABAP dumps indicating memory corruption
Network Indicators:
- Unusual traffic patterns to SAP Dispatcher ports
- Multiple connection attempts from single sources
SIEM Query:
source="sap_logs" AND ("dispatcher crash" OR "system terminated" OR "DpRTmPrepareReq")
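As an added example (not part of the original advisory), the following script applies the same indicators as the SIEM query above to exported log lines offline: it flags lines containing the crash terms and counts connection attempts per source against the SAP Dispatcher port ranges named in the workaround section, so a single source hammering those ports stands out. The log lines and their field layout (`conn: src=<ip> dport=<port>` for connection records) are constructed for the example; real dev_disp and firewall formats differ, so the regex is the part to adapt.

```python
import re
from collections import Counter

# Indicator terms from the page's SIEM query; matched case-insensitively.
CRASH_TERMS = ("dispatcher crash", "system terminated", "DpRTmPrepareReq")

# SAP Dispatcher port ranges named in the workaround section.
DISPATCHER_PORTS = ((3200, 3299), (3300, 3399))

# ASSUMED (constructed) layout for connection records in the export:
#   "<timestamp> <host> conn: src=<ip> dport=<port>"
CONN_RE = re.compile(
    r"conn: src=(?P<src>\d{1,3}(?:\.\d{1,3}){3}) dport=(?P<port>\d+)")

# Constructed sample export: six dispatcher-port attempts from one source,
# one from another, one non-dispatcher port, then three crash indicators.
SAMPLE_LINES = """\
2021-03-09T10:14:50Z sap01 conn: src=198.51.100.7 dport=3200
2021-03-09T10:14:50Z sap01 conn: src=198.51.100.7 dport=3200
2021-03-09T10:14:51Z sap01 conn: src=198.51.100.7 dport=3201
2021-03-09T10:14:51Z sap01 conn: src=198.51.100.7 dport=3300
2021-03-09T10:14:52Z sap01 conn: src=10.0.0.5 dport=3300
2021-03-09T10:14:52Z sap01 conn: src=198.51.100.7 dport=8000
2021-03-09T10:14:53Z sap01 conn: src=198.51.100.7 dport=3299
2021-03-09T10:14:53Z sap01 conn: src=198.51.100.7 dport=3399
2021-03-09T10:15:01Z sap01 dev_disp: DpRTmPrepareReq: rejected malformed request
2021-03-09T10:15:02Z sap01 dev_disp: dispatcher crash detected
2021-03-09T10:15:02Z sap01 syslog: system terminated, restart required
""".splitlines()


def is_dispatcher_port(port):
    return any(lo <= port <= hi for lo, hi in DISPATCHER_PORTS)


def scan_logs(lines, attempt_threshold=5):
    """Return crash-indicator hits and per-source dispatcher-port attempt
    counts; sources at or above attempt_threshold are listed as noisy."""
    crash_hits = []          # (line number, first matching term)
    attempts = Counter()     # source IP -> attempts on dispatcher ports
    for lineno, line in enumerate(lines, start=1):
        lowered = line.lower()
        matched = [t for t in CRASH_TERMS if t.lower() in lowered]
        if matched:
            crash_hits.append((lineno, matched[0]))
        m = CONN_RE.search(line)
        if m and is_dispatcher_port(int(m.group("port"))):
            attempts[m.group("src")] += 1
    noisy = {ip: n for ip, n in attempts.items() if n >= attempt_threshold}
    return {
        "crash_hits": crash_hits,
        "dispatcher_attempts": dict(attempts),
        "noisy_sources": noisy,
    }


if __name__ == "__main__":
    result = scan_logs(SAMPLE_LINES)
    for lineno, term in result["crash_hits"]:
        print(f"line {lineno}: crash indicator '{term}'")
    for ip, n in result["noisy_sources"].items():
        print(f"{ip}: {n} dispatcher-port connection attempts")
```

Crash hits are the high-confidence signal and should page someone regardless of volume; the noisy-source count is a weaker, tunable signal, so set `attempt_threshold` from a baseline of normal SAP GUI and RFC client behaviour in your environment rather than from the constant used here.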