Missing authentication flaw in lynchpin component targeted

Hackers actively scanning for vulnerable SAP systems after exploit gets dropped on GitHub

Threat levels have ratcheted up a notch about miscreants who posted an exploit that targets a security vulnerability in SAP’s enterprise software.

The functional exploit goes after systems still vulnerable to CVE-2020-6207, a missing authentication check in EEM Manager, a component of SAP Solution Manager (SolMan).

SAP patched the critical vulnerability last March, but even so a significant minority of systems might still be susceptible.

Security watchers at Onapsis Research Labs who discovered the flaw last year this week warned that an exploit had been posted on GitHub.

“A successful attack exploiting this vulnerability would put an organization’s mission-critical SAP applications, business process and data at risk – impacting cybersecurity and regulatory compliance,” Onapsis warned in a blog post.

Heart and SolMan

SAP SolMan is an administrative system used in every SAP environment. Its role and functionality is roughly comparable to Active Directory in Windows.

Onapsis adds: “SAP SolMan is often overlooked in terms of security; in some companies, it does not follow the same patching policy as other systems.”

Read more of the latest security vulnerability news

Patching fully defends against the exploit. Onapsis warned that its team has logged active attempts to scan for unpatched systems.

Onapsis is yet to respond to our request to estimate how many systems might still be vulnerable to attack.

SAP responded to The Daily Swig's request for comment with a statement urging its customers to patch vulnerable systems.

SAP Product Security Response Team frequently collaborates with research companies to ensure responsible disclosure of vulnerabilities. The vulnerability in question has been fixed on SAP Security Patch Day – March 2020.

We strongly advise our customers to secure their SAP landscape by applying the security note 2890213 from the SAP Support Portal.

A SAP spokesperson added: “The instructions in the security note in question also include interim measures, but applying the security patch is the recommended approach.”

Network security experts warned that the critical vulnerability is now easy to exploit, adding that the consequences of a successful attack could be severe.

Satnam Narang, staff research engineer at cyber exposure management specialists Tenable, commented: “The recent publication of a proof-of-concept exploit script for a critical vulnerability in the SAP Solution Manager poses significant challenges for cyber defenders.

“The flaw, identified as CVE-2020-6207, is a missing authentication vulnerability, meaning an attacker can authenticate to vulnerable systems by simply trying to connect,” he added.

YOU MIGHT ALSO LIKE VoIP vulnerability: CoTURN patches access control protection bypass