CVE-2021-33695

9.1 CRITICAL

📋 TL;DR

CVE-2021-33695 is a certificate validation vulnerability in SAP Cloud Connector that allows attackers to intercept and potentially manipulate communications between the connector and backend systems. This affects organizations using SAP Cloud Connector version 2.0 to connect on-premise systems to SAP Cloud Platform. Attackers could perform man-in-the-middle attacks or gain unauthorized access to sensitive data.

💻 Affected Systems

Products:
  • SAP Cloud Connector
Versions: Version 2.0
Operating Systems: All supported platforms
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all deployments of SAP Cloud Connector 2.0 that communicate with backend systems without proper certificate validation.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of SAP Cloud Connector communications, allowing attackers to intercept, modify, or inject malicious data into business-critical SAP transactions, potentially leading to data theft, financial fraud, or system compromise.

🟠 Likely Case

Man-in-the-middle attacks enabling eavesdropping on sensitive business data transmitted between on-premise systems and SAP Cloud Platform, potentially exposing credentials, financial information, or proprietary business data.

🟢 If Mitigated

Limited impact with proper network segmentation, certificate pinning, and monitoring, though some risk remains if attackers can position themselves within the network path.

🌐 Internet-Facing: MEDIUM - While the Cloud Connector typically sits behind firewalls, if exposed to the internet, it becomes highly vulnerable to certificate manipulation attacks.
🏢 Internal Only: HIGH - Even internally, attackers with network access could exploit this vulnerability to intercept sensitive SAP communications between on-premise and cloud systems.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires network access to intercept communications between Cloud Connector and backend systems. No authentication bypass needed once network position is achieved.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apply SAP Note 3058553

Vendor Advisory: https://launchpad.support.sap.com/#/notes/3058553

Restart Required: Yes

Instructions:

1. Download SAP Note 3058553 from SAP Support Portal
2. Apply the patch to SAP Cloud Connector 2.0
3. Restart the SAP Cloud Connector service
4. Verify certificate validation is now enforced

🔧 Temporary Workarounds

Network Segmentation

all

Isolate SAP Cloud Connector in a dedicated network segment with strict access controls to prevent unauthorized network access.

Certificate Pinning

all

Implement certificate pinning at the application or network level to ensure only trusted certificates are accepted.

🧯 If You Can't Patch

  • Implement strict network segmentation and firewall rules to limit access to SAP Cloud Connector communications
  • Deploy network monitoring and intrusion detection systems to detect certificate manipulation attempts

🔍 How to Verify

Check if Vulnerable:

Check if SAP Cloud Connector version is 2.0 and verify if SAP Note 3058553 has been applied. Review configuration for certificate validation settings.

Check Version:

Check SAP Cloud Connector administration interface or configuration files for version information

Verify Fix Applied:

Verify SAP Note 3058553 is applied and test certificate validation by attempting to connect with invalid certificates - connections should be rejected.

📡 Detection & Monitoring

Log Indicators:

  • Failed certificate validation attempts
  • Unexpected certificate changes in connections
  • Authentication failures following certificate changes

Network Indicators:

  • Unusual certificate authorities in TLS handshakes
  • Man-in-the-middle attack patterns in network traffic
  • Certificate mismatches in SAP communications

SIEM Query:

Search for events where SAP Cloud Connector accepts connections with invalid or unexpected certificates, or where certificate validation failures occur
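The certificate-pinning workaround and the "unusual certificate authority" indicator above can both be checked from the Cloud Connector host with a small client-side script that opens a fully verified TLS session to a backend and compares what it sees against an expected pin and issuer allow-list. This is an added example, not SAP's code or part of the original page; the host, port, pin values, issuer names and the sample peer-certificate dict are placeholders or constructed data you replace with your own backend's values.

```python
import hashlib
import socket
import ssl


def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint (lowercase hex) of a DER-encoded leaf certificate; used as the pin."""
    return hashlib.sha256(der_cert).hexdigest()


def issuer_common_name(peercert: dict) -> str:
    """Pull the issuer CN out of the dict that SSLSocket.getpeercert() returns."""
    for rdn in peercert.get("issuer", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return ""


def evaluate_certificate(der_cert, peercert, expected_pins, allowed_issuer_cns):
    """Return a list of findings; an empty list means the backend certificate is the one we expect."""
    findings = []
    pin = cert_fingerprint(der_cert)
    if pin not in expected_pins:
        findings.append(f"pin mismatch: {pin}")
    issuer = issuer_common_name(peercert)
    if issuer not in allowed_issuer_cns:
        findings.append(f"unexpected issuer: {issuer!r}")
    return findings


def check_backend(host, port, expected_pins, allowed_issuer_cns, cafile=None):
    """Connect with chain + hostname verification enforced, then apply the pin and issuer checks."""
    ctx = ssl.create_default_context(cafile=cafile)  # cafile: your private CA bundle, if any
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            info = tls.getpeercert()  # populated only because verification succeeded
    return evaluate_certificate(der, info, expected_pins, allowed_issuer_cns)


# Constructed sample peer-certificate dict (shape of getpeercert()), not a real backend certificate.
SAMPLE_PEERCERT = {"issuer": ((("countryName", "DE"),), (("commonName", "Example Backend CA"),))}

if __name__ == "__main__":
    # Offline demonstration on constructed data; replace with check_backend("backend.example", 443, ...)
    sample_der = b"constructed-not-a-real-certificate"
    pins = {cert_fingerprint(sample_der)}
    print(evaluate_certificate(sample_der, SAMPLE_PEERCERT, pins, {"Example Backend CA"}))
    print(evaluate_certificate(sample_der, SAMPLE_PEERCERT, {"0" * 64}, {"Rogue CA"}))
```

Run it on a schedule and alert on any non-empty result: a pin mismatch or an issuer outside the allow-list is exactly the "unexpected certificate change" the log and network indicators above describe.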
