3 critical flaws in SAP Solution Manager (SolMan); patch available

A group of specialists has revealed a method for exploiting multiple vulnerabilities in SAP Solution Manager (SolMan), which would allow root access to the affected enterprise servers. The research was revealed by Yvan Genuer and Pablo Artuso, of the firm Onapsis, during the Black Hat event.

SolMan is a centralized application for managing IT solutions on-premises, in the cloud, or in hybrid environments. This solution acts as a management tool for critical applications for multiple businesses, including SAP software and other companies.

Recent figures say that about 87% of the world’s top 2,000 companies use SAP solutions, so unpatched vulnerabilities could have serious consequences. With this in mind, Onapsis conducted a SolMan safety assessment that began a few months ago. According to the researchers, these flaws would allow unauthenticated threat actors to compromise almost any system connected to the platform.

SolMan works by linking software agents on SAP servers through the SMDAgent function, also known as the SAP Solution Manager Diagnostic Agent. SMDAgent facilitates instance communication and monitoring and is generally installed on servers running SAP applications.

SolMan can be accessed through its own server or SAPGui, providing access to at least 20 SMDAgent-related applications through HTTP GET, POST, or SOAP requests. Specialists discovered that End user Experience Monitoring (EEM) is a potentially vulnerable endpoint, as authentication is not required to access; EEM allows the SAP administrator to create scripts to emulate user actions.

Threat actors could exploit this flaw in conjunction with a disinfection error in JavaScript code to implement a malicious script on the affected function, which could compromise all systems connected to SolMan. The remote code execution flaw was tracked as CVE-2020-6207 and received a score of 10/10 on the Common Vulnerability Scoring System (CVSS).

Investigators also reported two other flaws at SolMan. The first, tracked as CVE-2020-6234, resides in SAP Host Agent and its exploitation would allow authenticated hackers to abuse the operations framework and obtain root user privileges. The other flaw, tracked as CVE-2020-6236, also resides in the Host Agent and allows malicious hackers to scale privileges on the affected system. Vulnerabilities could be exploited altogether, although no cases of active exploitation have been reported so far.

Security patches are now available, so SAP recommends upgrading as soon as possible.