A team of enterprise resource planning security experts in Massachusetts has identified a functional exploit affecting SAP that is publicly available.
The exploit was discovered by Onapsis Research Labs on the code-hosting platform GitHub, where it had been published by Russian researcher Dmitry Chastuhin on January 14. Researchers said the exploit can be used against SAP SolMan, the administrative system used in every SAP environment, which is similar to Active Directory in Windows.
The fully functional exploit abuses CVE-2020-6207, listed in the United States' National Vulnerability Database. In this vulnerability, SAP Solution Manager (User Experience Monitoring), version 7.2, does not perform any authentication for a service because of a missing authentication check. This vulnerability results in the complete compromise of all SMDAgents connected to the Solution Manager.
A successful attack exploiting this vulnerability could impact an organization's cybersecurity and regulatory compliance by placing its mission-critical data, SAP applications, and business processes at risk.
"While exploits are released regularly online, this hasn't been the case for SAP vulnerabilities, for which publicly available exploits have been limited," wrote Onapsis researchers.
"The release of a public exploit significantly increases the chance of an attack attempt since it also expands potential attackers not only to SAP-experts or professionals, but also to script-kiddies or less-experienced attackers that can now leverage public tools instead of creating their own."
Because it was created to centralize the management of all SAP and non-SAP systems, SolMan has trusted connections with multiple systems. An attacker who gains access to SolMan could potentially compromise any business system connected to it.
"Unfortunately, since it doesn't hold any business information, SAP SolMan is often overlooked in terms of security; in some companies, it does not follow the same patching policy as other systems," noted researchers.
An attacker with SAP SolMan control could shut down systems, access sensitive data, delete data, cause IT control deficiencies, and assign superuser privileges to any new or existing user.
"It is not possible to list everything that can potentially be done in the systems if exploited, since having admin privileged control in the systems or running OS commands basically make it limitless for an attacker," wrote researchers.
SAP commented: “SAP Product Security Response Team frequently collaborates with research companies to ensure responsible disclosure of vulnerabilities. The vulnerability in question has been fixed on SAP Security Patch Day – March 2020. We strongly advise our customers to secure their SAP landscape by applying the security note 2890213 from the SAP Support Portal.”