Researchers from security provider Onapsis presented a vulnerability in the SAP software Solution Manager (SolMan) at the Black Hat USA virtual conference. It allows attackers to compromise “every system” connected to the platform, including SAP ERP, CRM and HR, without entering login data.
SolMan serves as a centralized application for the administration of IT solutions, regardless of whether they are held in your own data center, in the cloud or in hybrid environments. For this reason, Onapsis decided last year to check the security of SolMan, which they consider to be the “technical heart of the SAP landscape”.
SolMan uses the SAP Solution Manager Diagnostic Agent for the communication and monitoring of instances. SolMan itself is operated via the SAPGui. The researchers examined a setup with the SMDAgent and around 60 applications, 20 of which were accessible via HTTP Get, HTTP Post or SOAP requests.
The vulnerability labeled CVE-2020-6207 can also be exploited remotely. In the Common Vulnerability Scoring System (CVSS) it is rated with ten out of ten possible points.
In addition, the researchers discovered two bugs in the SAP Host Agent with a CVSS score of 7.2. Attackers who already have administrator rights are able to extend these to root rights. If the three security gaps are linked, malicious code can be injected remotely and executed with root rights. This would give attackers complete control over all SMDAgents associated with SolMan.
According to the researchers, this would enable them to access user data, manipulate financial data or even switch off business-critical systems. The Walldorf software house has known the details of the vulnerabilities since December 2019 and February 2020, respectively. Fixes were published in March and April.
“SAP systems are complex and in most cases highly customer-specific, which makes the patch process very difficult,” explained the Onapsis researchers. “The SAP SolMan in particular is usually overlooked in terms of security due to the lack of business data. We hope that people will understand why securing the SAP SolMan should not be overlooked and is a priority to protect the entire SAP landscape and the company’s most important applications. “