Cyber security researchers warn of a publicly available, fully functional exploit that could be used against SAP enterprise software.
The exploit takes advantage of a vulnerability tracked as CVE-2020-6207, which can be traced back to a missing authentication check in SAP Solution Manager (SolMan) version 7.2.
SAP SolMan is an application management and administration solution that offers end-to-end application lifecycle management in distributed environments and acts as a central hub for the implementation and maintenance of SAP systems such as ERP, CRM, HCM, SCM, BI and others.
“Successful exploitation could allow an unauthenticated remote attacker to perform highly privileged administrative tasks on the connected network SAP SMD agents,” researchers from Onapsis said, referring to the Solution Manager Diagnostics toolset, which is used to analyze and monitor SAP systems.
The vulnerability, which has the highest possible CVSS base score of 10.0, was identified by SAP as part of its March 2020 update.
Methods for exploiting the bug were later presented at the Black Hat conference last August by Onapsis researchers Pablo Artuso and Yvan Genuer to highlight possible attack techniques that rogue parties could develop to attack SAP servers and gain root access.
The critical flaw was in SolMan's User Experience Monitoring (formerly End-User Experience Monitoring, or EEM) component, which exposes every business system connected to the Solution Manager to potential risk.
The public availability of Proof-of-Concept (PoC) exploit code therefore exposes unpatched servers to a range of potential malicious attacks, including:
- Shutting down any SAP system in the landscape
- Causing IT control deficiencies that affect financial integrity and privacy, leading to regulatory violations
- Deleting data in the SAP systems, which leads to operational disruptions
- Assigning superuser privileges to existing or new users so that those users can perform critical operations, and
- Reading sensitive data from the database
“While exploits are regularly published online, this was not the case with SAP vulnerabilities, for which publicly available exploits were limited,” said Onapsis researchers.
“Publication of a public exploit increases the likelihood of an attempted attack by expanding potential attackers not only to SAP experts or professionals, but also to script kiddies or less experienced attackers who can now use public tools instead of creating their own.”