Critical Vulnerabilities in SAP Solution Manager Expose Companies to Attacks

SAP on Tuesday released 16 security notes and two updates to previously released patches as part of its March 2020 Security Patch Day, with three of the new notes rated hot news.

The most important of the notes address critical (hot news) missing authorization checks in Solution Manager. The first of them, CVE-2020-6207, features a CVSS score of 10 and impacts User-Experience Monitoring, while the second, CVE-2020-6198, features a CVSS score of 9.8 and impacts Diagnostics Agent.

Providing central management for SAP and non-SAP systems, Solution Manager requires the installation of Solution Manager Diagnostic Agent (SMDAgent) on each host. The agent is in charge of the management of communications, monitoring and diagnostic feedback.

In default configurations, CVE-2020-6207 allows an unauthenticated remote attacker to execute operating system commands as the SMDAgent on each host. The attacker could then exploit other vulnerabilities to potentially gain access to the full SAP landscape.

By exploiting CVE-2020-6198, an attacker could bypass authentication, meaning that anyone with access to the network could mount an attack, even if they are not a valid Solution Manager user. Because exploitation does not require any privileges, the bug is rated critical severity, explains Onapsis, a firm that specializes in securing Oracle and SAP applications.

Additionally, SAP addressed a path manipulation flaw in NetWeaver UDDI Server (Services Registry). Tracked as CVE-2020-6203, it features a CVSS score of 9.1. This is a directory traversal issue caused by the incorrect validation of the path provided by a user when importing UDDI content via the Services Registry.

A fourth hot news security note was included in this month’s Security Patch Day: the recurring update to the Google Chromium browser control delivered with SAP Business Client. The update brings the browser up to version 80, which was released in early February with patches for 56 vulnerabilities.

SAP also released four high-priority security notes, the most important of which patches a remote code execution vulnerability in Business Objects Business Intelligence Platform (Crystal Reports). Tracked as CVE-2020-6208, the security flaw has a CVSS score of 8.2.

“Possible exploits range from unauthorized execution of arbitrary commands to completely crashing the application. Only the fact that the attacker needs to upload a malicious file to the platform before and that he or she must get another user to open the file prevents the issue from being rated with an even higher CVSS score,” Onapsis says.

Moreover, SAP patched a missing authorization check in Disclosure Management (CVE-2020-6209) and a denial of service (DoS) bug in BusinessObjects Mobile (CVE-2020-6196), both of which have a CVSS score of 7.5.

The fourth high-priority note is an update to a patch released in August 2018 that addressed an SQL injection in SAP MaxDB/liveCache.

The remaining ten security notes released on this month’s Security Patch Day are medium priority and include three Cross-Site Scripting (XSS) flaws (in Commerce Cloud, NetWeaver, and Fiori Launchpad), missing XML validation (in NetWeaver), missing authorization checks (in ERP and S/4 HANA, and Treasury and Risk Management), and insufficient session expiration (in Enable Now Manager).

SAP also released four other security notes between the second Tuesday of the last month and the second Tuesday of this month, for a total of 22 security notes. One of these patches addresses a high-severity directory traversal in Environment Health and Safety that an attacker could exploit to read and/or overwrite arbitrary files on the remote server, Onapsis says.
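Two of the notes above (the UDDI Server/Services Registry flaw CVE-2020-6203 and the Environment Health and Safety bug) are directory traversals: a user-supplied path is joined to a server-side directory without checking that the result stays inside it. The following is an added example, not SAP's or Onapsis's code, showing the defensive check that closes this bug class: normalize the candidate path (including `..` segments and symlinks) and only then verify containment. The import root `/srv/uddi_import` and the sample inputs are constructed for illustration.

```python
"""Added example (not SAP code): containment check for a user-supplied path
that is imported into a fixed server-side directory.

The defect behind a directory traversal is that the path is used before it
is normalized, so "reports/../../etc/passwd" is joined to the base directory
and then escapes it.  The fix is to resolve first and compare afterwards.
"""
import os
from pathlib import Path

# Constructed example root; in a real service this would be the import
# directory configured for the application.
IMPORT_ROOT = "/srv/uddi_import"


class PathTraversalError(ValueError):
    """Raised when a supplied path would escape the import directory."""


def resolve_import_path(base_dir: str, user_path: str) -> Path:
    """Return the absolute target path for user_path inside base_dir, or raise.

    Checks performed, in order:
      1. reject empty, padded or NUL-containing input (breaks lower-level APIs);
      2. reject absolute paths, which would ignore base_dir entirely;
      3. resolve '..' segments and symlinks (strict=False: the target may not
         exist yet, because an import creates it);
      4. require the resolved path to lie strictly below the resolved base.
    """
    if not user_path or user_path != user_path.strip() or "\0" in user_path:
        raise PathTraversalError("empty, padded or NUL-containing path")
    if os.path.isabs(user_path):
        raise PathTraversalError("absolute paths are not allowed")

    base = Path(base_dir).resolve()
    candidate = (base / user_path).resolve()

    try:
        candidate.relative_to(base)
    except ValueError as exc:  # candidate is outside base
        raise PathTraversalError(f"path escapes import directory: {user_path!r}") from exc
    if candidate == base:
        raise PathTraversalError("path must name an entry inside the import directory")
    return candidate


def is_safe_import_path(base_dir: str, user_path: str) -> bool:
    """Boolean wrapper around resolve_import_path for filtering or logging."""
    try:
        resolve_import_path(base_dir, user_path)
        return True
    except PathTraversalError:
        return False


def classify_batch(base_dir: str, paths: list[str]) -> dict[str, bool]:
    """Evaluate several candidate paths at once; handy for a unit test or a
    detection rule that flags rejected imports in the server log."""
    return {p: is_safe_import_path(base_dir, p) for p in paths}


if __name__ == "__main__":
    # Constructed sample inputs: two legitimate, three traversal attempts.
    samples = [
        "services/registry.xml",
        "a/../b.xml",
        "../../../etc/passwd",
        "/etc/passwd",
        "sub/..",
    ]
    for path, ok in classify_batch(IMPORT_ROOT, samples).items():
        print(f"{'accept' if ok else 'reject'}: {path}")
```

The check must run on the resolved path, not on the raw string: rejecting the literal `..` is insufficient because `a/../b.xml` is legitimate while a symlink inside the base directory can point outside it without any `..` at all.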

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
