SAP Solution Manager Missing Authentication Vulnerability (CVE-2020-6207)

Tracked as CVE-2020-6207, an age-old critical vulnerability with a CVSS score of 10 has come into the limelight at the start of 2021. The vulnerability belongs to SAP Solution Manager version 7.2 (March 2020), for which SAP released a patch in March 2020.

SolMan is a centralized application used to manage on-premises, hybrid, and cloud IT systems. Manipulation with an unknown input leads to a privilege escalation vulnerability. CWE has classified the issue as CWE-269. Due to CVE-2020-6207, when default configurations were used, an unauthenticated remote attacker could execute operating system commands as the SMDAgent on each host. The attacker could then exploit other vulnerabilities to potentially gain access to the full SAP landscape.

SAP Solution Manager (User Experience Monitoring), version 7.2, due to Missing Authentication Check, does not perform any authentication for a service, resulting in complete compromise of all SMDAgents connected to the Solution Manager. SolMan’s End User Experience Monitoring (EEM) can be used to deploy scripts in other systems, leading to the hijack of “every system” connected to SolMan via remote code execution (RCE).

A researcher, Dmitry Chasuhin has release a PoC for CVE-2020-6207 that checks for missing authentication checks in SAP EEM servlet (tc~smd~agent~application~eem) and then exploits them. This leads to RCE on SAP SMDAgents connected to SAP Solution Manager.

Affected Products
SAP Solution Manager (SolMan), version 7.2

Solution
SAP Product Security Response Team has shared information and strongly recommends that users apply patches on a priority to protect their SAP landscape.

Detection
Qualys customers can scan their network with QID 87437 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage on latest vulnerabilities.

References and Sources
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=540935305 
https://github.com/chipik/SAP_EEM_CVE-2020-6207 
https://www.zdnet.com/article/automated-exploit-of-critical-sap-solman-vulnerability-detected-in-the-wild/ 
https://twitter.com/_chipik/status/1349713193443209216 

Leave a Reply

Your email address will not be published. Required fields are marked *