SAP Releases August 2020 Security Updates

SAP this week announced the release of 15 new Security Notes as part of the August 2020 SAP Security Patch Day, including some that address serious vulnerabilities in NetWeaver.

The most important of these is a cross-site scripting (XSS) flaw in the Knowledge Management component of NetWeaver. Tracked as CVE-2020-6284 and featuring Hot News priority, the issue has a CVSS score of 9.

A default component of all SAP Enterprise Portal installations, Knowledge Management allows users to manage data sources in multiple formats, to create and modify content and folders, as well as upload files.

The upload function, ERP cyber-security provider Onapsis reveals, could be exploited to upload malicious HTML files containing JavaScript code, to perform a stored XSS attack. The issue was related to an inefficient filtering mechanism meant to prevent the upload of files injected with executable code.

Successful exploitation of the vulnerability requires for a user with administrative privileges to access the malicious file, which lowers the CVSS score to 9 — otherwise it would have been 9.9.

Another Hot News Security Note released on this Security Patch Day is an update for a July 2020 Security Note that addresses a critical bug (CVSS score 10) in NetWeaver AS JAVA (LM Configuration Wizard) that is tracked as CVE-2020-6287 and which is also referred to as RECON (Remotely Exploitable Code On NetWeaver).

On the August 2020 Security Patch Day, SAP also released three High Priority Security Notes addressing vulnerabilities in NetWeaver: CVE-2020-6296 (CVSS score 8.3) – code injection in NetWeaver (ABAP) and ABAP Platform; CVE-2020-6309 (CVSS score 7.5) – missing authentication in NetWeaver AS JAVA; and CVE-2020-6293 (CVSS score 7.3) – unrestricted file upload in NetWeaver (Knowledge Management).

According to Onapsis, if a patch for the Hot News flaw in Knowledge Management is not applied, CVE-2020-6293 – which allows an attacker to create, modify, or delete files in the Knowledge Management component – can be exploited without authentication, which essentially increases its CVSS score to 9.6, making it a critical flaw.

SAP also released two High Priority Security Notes to patch missing authentication checks, one in the BusinessObjects Business Intelligence Platform – CVE-2020-6294 (CVSS score 8.5) – and another in Banking Services (Generic Market Data) – CVE-2020-6298 (CVSS score 8.3) – and another to resolve an information disclosure flaw in Adaptive Server Enterprise – CVE-2020-6295 (CVSS score 7).

Exploitation of some of these bugs could lead to denial of service, the leakage of mouse and keyboard activities and the ability to record screenshots, reading protected Business Partner Generic Market Data (GMD), or reading information in the installation log files.

All of the remaining Security Notes released on the August 2020 Security Patch Day address Medium Priority bugs, including XSS vulnerabilities in SAP Commerce, modified jQuery bundled with SAPUI5, and Business Objects Business Intelligence Platform (Central Management Console); information disclosure in Data Intelligence, and NetWeaver (ABAP Server) and ABAP Platform; and missing authorization checks in ERP (HCM Travel Management) and S/4 HANA (Fiori UI for General Ledger Accounting).

Related: SAP Releases 10 Security Notes on July 2020 Patch Day

Related: Critical Vulnerability Patched in SAP Commerce

Related: Open Source Tool Checks SAP Systems for RECON Attack IOCs