Cybersecurity researchers have warned of a fully functional, publicly available exploit that could be used to target SAP enterprise software.
The exploit leverages a vulnerability, tracked as CVE-2020-6207, that stems from a missing authentication check in version 7.2 of SAP Solution Manager (SolMan).
SAP SolMan is an application management and administration solution that offers end-to-end application lifecycle management in distributed environments, acting as a central hub for operating and maintaining SAP systems such as ERP, CRM, HCM, SCM, BI, and others.
“Successful exploitation could allow a remote attacker to perform highly privileged administrative tasks in the connected SAP SMD Agents,” researchers from Onapsis said, referring to the Solution Manager Diagnostics toolkit used to analyze and monitor SAP systems.
SAP addressed the vulnerability, which has the highest possible CVSS base score of 10.0, as part of its March 2020 updates.
Later, exploitation methods that triggered the flaw were demonstrated at a Black Hat conference last August by Onapsis researchers Pablo Artuso and Yvan Genuer to highlight possible attack techniques that rogue parties could devise to hit SAP servers and gain root access.
The critical flaw resided in the SolMan User Experience Monitoring component (formerly End User Experience Monitoring or EEM), putting all business systems associated with the Solution Manager at risk of potential compromise.
Thus, the public availability of proof-of-concept (PoC) exploit code leaves unpatched servers exposed to a number of potential malicious attacks, including:
- Shutting down any SAP system in the landscape
- Causing IT control deficiencies affecting financial integrity and privacy, leading to regulatory compliance breaches
- Deleting any data in the SAP systems, causing business disruption
- Assigning superuser privileges to any existing or new user, allowing those users to run critical operations, and
- Reading sensitive data from the database
“While exploits are regularly released online, this has not been the case with SAP vulnerabilities, for which publicly available exploits have been limited,” Onapsis researchers said.
“Releasing a public exploit significantly increases the chances of an attack attempt as it also expands potential attackers not only to SAP experts or professionals, but also to script-kiddies or less experienced attackers who can now trigger public tools instead of creating their own.”