SAP on Tuesday released 16 security notes and two updates to previously released patches as part of its March 2020 Security Patch Day, with three of the new notes rated hot news.
The most important of the notes address critical (hot news) missing authorization checks in Solution Manager. The first of them, CVE-2020-6207, features a CVSS score of 10 and impacts User-Experience Monitoring, while the second, CVE-2020-6198, features a CVSS score of 9.8 and impacts Diagnostics Agent.
Providing central management for SAP and non-SAP systems, Solution Manager requires the installation of Solution Manager Diagnostic Agent (SMDAgent) on each host. The agent is in charge of the management of communications, monitoring and diagnostic feedback.
With default configurations in place, CVE-2020-6207 allows an unauthenticated remote attacker to execute operating system commands with the privileges of the SMDAgent on every host where it is installed. From that foothold, the attacker could exploit other vulnerabilities to potentially gain access to the full SAP landscape.
By exploiting CVE-2020-6198, an attacker could bypass authentication, meaning that anyone with access to the network could mount an attack, even without being a valid Solution Manager user. Because exploitation requires no privileges at all, the bug is rated critical, explains Onapsis, a firm that specializes in securing Oracle and SAP applications.
Additionally, SAP addressed a path manipulation flaw in NetWeaver UDDI Server (Services Registry). Tracked as CVE-2020-6203, it features a CVSS score of 9.1. This is a directory traversal issue caused by the incorrect validation of the path provided by a user when importing UDDI content via the Services Registry.
A fourth hot news security note was included in this month’s Security Patch Day, a recurring update to the browser control Google Chromium delivered with SAP Business Client. The update brings the browser up to version 80, which was released in early February with patches for 56 vulnerabilities.
SAP also released four high-priority security notes, the most important of which patches a remote code execution vulnerability in Business Objects Business Intelligence Platform (Crystal Reports). Tracked as CVE-2020-6208, the security flaw has a CVSS score of 8.2.
“Possible exploits range from unauthorized execution of arbitrary commands to completely crashing the application. Only the fact that the attacker needs to upload a malicious file to the platform before and that he or she must get another user to open the file prevents the issue from being rated with an even higher CVSS score,” Onapsis says.
Moreover, SAP patched a missing authorization check in Disclosure Management (CVE-2020-6209) and a denial of service (DoS) bug in BusinessObjects Mobile (CVE-2020-6196), both of which have a CVSS score of 7.5.
The fourth high-priority note is an update to a patch released in August 2018 that addressed an SQL injection in SAP MaxDB/liveCache.
The remaining ten security notes released on this month’s Security Patch Day are medium priority and include three Cross-Site Scripting (XSS) flaws (in Commerce Cloud, NetWeaver, and Fiori Launchpad), missing XML validation (in NetWeaver), missing authorization checks (in ERP and S/4 HANA, and Treasury and Risk Management), and insufficient session expiration (in Enable Now Manager).
SAP also released four other security notes between last month's and this month's second Tuesday, for a total of 22 security notes. One of these addresses a high-severity directory traversal in Environment Health and Safety that an attacker could exploit to read and/or overwrite arbitrary files on the remote server, Onapsis says.
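The directory traversal class behind both the UDDI Server (Services Registry) import flaw and the Environment Health and Safety bug comes down to one check done badly: a user-supplied path is validated as a string and then handed to the file system, which interprets it differently. The Python below is an added example, not code from SAP, Onapsis, or the article, and it says nothing about how those products actually validate paths. The import root, the two resolver functions and the sample paths are assumptions constructed for illustration; they show a naive string check beside a canonicalizing containment check.

```python
import os

IMPORT_ROOT = "/srv/registry/imports"  # assumed base directory for this demo; not an SAP path


def naive_resolve(user_path: str) -> str:
    """Weak check of the kind that produces traversal bugs: refuse an absolute
    path or a leading '../', then trust the rest of the string.
    Returns the un-normalized target path the application would open."""
    if user_path.startswith("/") or user_path.startswith("../"):
        raise ValueError(f"rejected by naive check: {user_path!r}")
    return IMPORT_ROOT + "/" + user_path


def safe_resolve(user_path: str, root: str = IMPORT_ROOT) -> str:
    """Canonicalize first, then enforce containment on a path-component boundary."""
    root_abs = os.path.normpath(root)
    # Treat backslashes as separators too: "..\\.." traverses on a Windows-hosted stack.
    joined = os.path.join(root_abs, user_path.replace("\\", "/"))
    # os.path.join silently discards root when user_path is absolute, so the
    # containment check must run on the joined, normalized result.
    candidate = os.path.normpath(joined)
    # commonpath compares whole components, so "/srv/registry/imports2/x" is
    # not mistaken for a child of "/srv/registry/imports" (a startswith check would be).
    if os.path.commonpath([root_abs, candidate]) != root_abs:
        raise ValueError(f"path escapes import root: {user_path!r}")
    return candidate


def escapes_root(resolved: str, root: str = IMPORT_ROOT) -> bool:
    """What the OS will actually open: does the normalized path leave root?"""
    root_abs = os.path.normpath(root)
    return os.path.commonpath([root_abs, os.path.normpath(resolved)]) != root_abs


def compare(paths):
    """Run both resolvers over the inputs. Returns {path: (naive, safe)} where each
    outcome is 'accepted', 'rejected', or 'accepted-ESCAPES' (the naive check let a
    traversal through)."""
    results = {}
    for p in paths:
        try:
            naive = "accepted-ESCAPES" if escapes_root(naive_resolve(p)) else "accepted"
        except ValueError:
            naive = "rejected"
        try:
            safe_resolve(p)
            safe = "accepted"
        except ValueError:
            safe = "rejected"
        results[p] = (naive, safe)
    return results


SAMPLES = [  # constructed inputs for the demo, not taken from any real exploit
    "project/wsdl/service.xml",      # legitimate import
    "/etc/passwd",                   # absolute path
    "../../../etc/passwd",           # leading traversal
    "a/../../../../etc/passwd",      # traversal hidden behind a benign first segment
    "..\\..\\..\\..\\etc\\passwd",   # backslash separators (traverses on Windows hosts)
]

if __name__ == "__main__":
    for p, (n, s) in compare(SAMPLES).items():
        print(f"{p!r:32} naive={n:18} safe={s}")
```

The fourth sample is the one that matters: it passes the naive check, yet the operating system resolves it to /etc/passwd. On a Linux host the backslash sample is an odd but harmless filename, which is why the naive outcome there is "accepted" rather than an escape; the canonicalizing check still rejects it, because the same input would traverse on a Windows host and a validator should not depend on where it is deployed.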