Automated exploitation of a critical SAP SolMan vulnerability discovered in the wild



A week after a working exploit was published online, automated probes for servers with a serious vulnerability in SAP software have been detected.

The vulnerability, tracked as CVE-2020-6207, is a bug in SAP Solution Manager (SolMan), version 7.2.

The vulnerability was rated with a CVSS base score of 10.0, the highest severity level available, and is caused by a missing authentication check.

SolMan is a centralized application for the management of on-premise, hybrid and cloud IT systems. When describing the bug at Black Hat USA in August, the Onapsis researchers called the application the “technical heart of the SAP landscape”.

SolMan’s End User Experience Monitoring (EEM) function contained the authentication problem. EEM can be used to deploy scripts in other systems, so compromising EEM can lead to the hijacking of “any system” connected to SolMan via Remote Code Execution (RCE), according to Onapsis.

In March 2020, SAP released a patch for CVE-2020-6207 (SAP Security Note #2890213). Servers that remain unpatched, however, now face an increased risk of compromise because working Proof-of-Concept (PoC) exploit code has been released publicly.

Last week, Dmitry Chastuhin published a PoC for CVE-2020-6207 as a project for educational purposes. The security researcher said the script “check[s] and exploit[s] missing authentication checks in the SAP EEM servlet.”

Speaking to ZDNet, Onapsis said that “hundreds of requests” have already been detected in the wild, likely sent by automated tools that are looking for SAP systems still vulnerable to the critical bug. The cybersecurity firm believes the tools were developed quickly after the PoC code was released.

The requests come mainly from Europe and Asia, and a large number of IPs have been documented so far.

If a company’s IT staff have applied the patch, there is nothing to worry about. However, if the security fix still needs to be implemented and SolMan setups are exposed online, the creation of automated exploit tools should encourage administrators to fix the vulnerability as soon as possible.

“While exploits are regularly published online, this was not the case with SAP vulnerabilities, for which publicly available exploits were limited,” says Onapsis. “Publication of a public exploit increases the likelihood of an attempted attack by expanding potential attackers not only to SAP experts or professionals, but also to script kiddies or less experienced attackers who can now use public tools instead of creating their own.”

ZDNet has reached out to SAP and will update when we hear back.
