Researchers Identify SAP Flaw ExploitUnpatched Authentication Vulnerability in SAP Solution Manager Can Make Apps Vulnerable
An exploit that takes advantage of an authentication vulnerability in SAP Solution Manager can lead to a compromise of other connected SAP applications, according to Onapsis Research Labs.
The authentication flaw exploit, now tracked as CVE-2020-6207, was published on GitHub, Onapsis researchers discovered. The fully functional exploit automatically searches for servers that contain the vulnerability in SAP SolMan, a centralized platform for managing SAP and other systems, they say.
SAP patched the flaw in March after being alerted by Onapsis, the researchers report. But threat actors can use the published exploit to compromise unpatched SAP platforms.
Onapsis has detected scanning activities for the exploit originating from Europe and Asia.
"The release of a public exploit significantly increases the chance of an attack attempt since it also expands potential attackers not only to SAP experts or professionals but also to script-kiddies or less-experienced attackers that can now leverage public tools instead of creating their own," says Sebastian Bortnik, Onapsis' director of research.
Compromised SAP applications that are connected to the SolMan platform can place "an organization's business process and data at risk, impacting cybersecurity and regulatory compliance," Onapsis reports.
Because SAP Solution Manager is usually not exposed to the internet, Bortnik says the exploit “is much more useful for internal attackers or as a post-exploitation tool once the attacker has breached the network, and therefore the exploit is run in the internal network, not through the web."
A Critical Vulnerability
The vulnerability - a missing authentication check - can lead to the compromise of all SAP applications connected to SolMan, the report says.
The vulnerability has a CVSSv3 score of 10.0, the highest risk level. The research report says remote actors can exploit this vulnerability to run commands to achieve full privileges. They can also conduct other malicious activities, such as:
- Shutting down any connected SAP systems;
- Deleting any data in the SAP systems, including key data that can cause business disruption;
- Assigning super-user privileges to any user, enabling them to run business operations that would normally require special privileges;
- Reading sensitive data from the database, including employee and customer personal information.
But wide exploitation of the vulnerability is unlikely because of the complex nature of SAP's infrastructure, Bortnik says.
In July 2020, cybersecurity experts identified a zero-day vulnerability, tracked as CVE-2020-6287, in SAP's NetWeaver Application Server, causing SAP to urge prompt patching (see: Users Urged to Patch Critical Flaw in SAP NetWeaver AS).
In June 2020, researchers at the security firm Trustwave disclosed six vulnerabilities in SAP Adaptive Server Enterprise 16.0 database software (see: Researchers Disclose 2 Critical Vulnerabilities in SAP ASE).