A team of enterprise resource planning security experts in Massachusetts has identified a publicly available functional exploit affecting SAP.
The exploit was discovered by Onapsis research laboratories on the code hosting platform GitHub, where it had been released by Russian researcher Dmitry Chastuhin on January 14th. Researchers said the exploit can be used against SAP SolMan, the management system used in every SAP environment, which is similar to Active Directory in Windows.
The fully functional exploit abuses CVE-2020-6207, listed in the United States’ National Vulnerability Database, a vulnerability in which SAP Solution Manager (User Experience Monitoring), Version 7.2, does not authenticate a service due to a missing authentication check. This vulnerability leads to the complete compromise of all SMDAgents connected to the Solution Manager.
A successful attack exploiting this vulnerability could undermine a company’s cybersecurity and regulatory compliance by compromising its business-critical data, SAP applications, and business processes.
“While exploits are regularly published online, this was not the case with SAP vulnerabilities, for which publicly available exploits were limited,” write Onapsis researchers.
“Publishing a public exploit greatly increases the likelihood of an attempted attack as it extends potential attackers not only to SAP experts or professionals, but also to script kiddies or less experienced attackers who can now use public tools instead of creating their own.”
Because it was designed to centralize the management of all SAP and non-SAP systems, SolMan has trusted connections to multiple systems. An attacker who gains access to SolMan could potentially compromise any business system connected to it.
“Unfortunately, because it does not contain any business information, SAP SolMan is often overlooked when it comes to security; in some companies it doesn’t follow the same patching guidelines as other systems,” the researchers found.
An attacker in control of SAP SolMan could shut down systems, access sensitive data, delete data, cause IT control deficiencies and assign superuser rights to any new or existing user.
“It is not possible to list everything that can potentially be done in the systems if it is exploited, since the privileged control of the administrator in the systems or the execution of operating system commands for an attacker are essentially limitless,” researchers write.
SAP commented, “The SAP Product Security Response Team often works with research companies to ensure responsible vulnerability disclosure. The vulnerability in question was fixed on SAP Security Patch Day – March 2020. We urgently advise our customers to secure their SAP landscape by using the security advice 2890213 from the SAP Support Portal.”