what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

SAP SMD Agent Unauthenticated Remote Code Execution

SAP SMD Agent Unauthenticated Remote Code Execution
Posted Apr 6, 2021
Site onapsis.com

A malicious unauthenticated user could abuse the lack of authentication check on SAP Solution Manager User-Experience Monitoring web service, allowing them to remotely execute commands in all hosts connected to the targeted SolMan through these SMD Agents. Affected versions include SAP Solution Manager SP004 Patch 0011 and lower, SP005 Patch 0012 and lower, SP006 Patch 0013 and lower, SP007 Patch 0019 and lower, SP008 Patch 0015 and lower, SP009 Patch 0007 and lower, SP010 Patch 0001 and lower, and SP011 Patch 0003 and lower.

tags | advisory, web
advisories | CVE-2020-6207
SHA-256 | 94be7ba8ead02fd704ccc6de5168f891e45a52684ab49fb4c32ac5a07ed7b27c

SAP SMD Agent Unauthenticated Remote Code Execution

Change Mirror Download
# Onapsis Security Advisory 2021-0001: [CVE-2020-6207] - Unauthenticated
RCE in SAP all SMD Agents connected to SAP SolMan

## Impact on Business

A malicious unauthenticated user could abuse the lack of authentication
check on SAP Solution Manager User-Experience Monitoring web service,
allowing them to remotely execute commands in all hosts connected to the
targeted SolMan through these SMD Agents.

## Advisory Information

- Security Advisory ID: ONAPSIS-2021-0001
- Vulnerability Submission ID: 819
- Researcher(s): Pablo Artuso, Yvan Genuer

## Vulnerability Information

- Vendor: SAP
- Affected Components:

- SAP Solution Manager SP004 Patch 0011 and lower
- SAP Solution Manager SP005 Patch 0012 and lower
- SAP Solution Manager SP006 Patch 0013 and lower
- SAP Solution Manager SP007 Patch 0019 and lower
- SAP Solution Manager SP008 Patch 0015 and lower
- SAP Solution Manager SP009 Patch 0007 and lower
- SAP Solution Manager SP010 Patch 0001 and lower
- SAP Solution Manager SP011 Patch 0003 and lower

(Check SAP Note 2890213 for detailed information on affected releases)

- Vulnerability Class: [CWE-306] Missing Authentication for Critical
Function
- CVSS v3 score: 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
- Severity: Critical
- Assigned CVE: CVE-2020-6207
- Vendor patch Information: SAP Security NOTE 2890213

## Affected Components Description

SAP SolMan 7.2 introduces a bunch of web services which run on top of the
SAP
Java NetWeaver stack. The affected versions have a vulnerable web service
exposed without authentication.

## Vulnerability Details

The EemAdminService/EemAdmin web service endpoint, which is exposed by
default
in SolMan 7.2, does not require user authentication when someone tries to
use it.
As a SOAP endpoint, any unauthenticated attacker just with HTTP(s) access
to the
system will be able to send particular crafted SOAP messages in order to
make use
of the different actions that this endpoint provides.

This web service, present only in the Solution Manager, allows users to
upload scripts
that will be afterwards executed in the SMD agents connected to the
targeted SolMan.
Because of a lack of sanitization, it is possible to craft particular
scripts that
could end up executing OS commands with SMD Agent user privileges.

## Solution

SAP has released SAP Note 2890213 which provide patched versions of the
affected components.

The patches can be downloaded from
https://service.sap.com/sap/support/notes/2890213.

Onapsis strongly recommends SAP customers to download the related
security fixes and apply them to the affected components in order to
reduce business risks.

## Report Timeline

- 02/05/2020 - Onapsis provides vulnerability details to SAP
- 02/07/2020 - SAP provides internal tracking number
- 02/12/2020 - SAP provides update: Vulnerability confirmed – fix in
progress
- 03/10/2020 - SAP releases SAP Note fixing the issue. Vulnerability is now
closed

## References

- Onapsis blogpost: https://onapsis.com/blog/sap-security-notes-mar-2020
- Black Hat 2020 presentation (white paper, slides and video):
-
https://www.blackhat.com/us-20/briefings/schedule/#an-unauthenticated-journey-to-root-pwning-your-companys-enterprise-software-servers-19964
- CVE Mitre: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6207
- Vendor Patch: https://launchpad.support.sap.com/#/notes/2890213

## About Onapsis Research Labs

Onapsis Research Labs provides the industry analysis of key security
issues that impact business-critical systems and applications.
Delivering frequent and timely security and compliance advisories with
associated risk levels, Onapsis Research Labs combine in-depth knowledge
and experience to deliver technical and business-context with sound
security judgment to the broader information security community.

Find all reported vulnerabilities at
https://github.com/Onapsis/vulnerability_advisories

## About Onapsis, Inc.

Onapsis protects the mission-critical applications that run the
global economy, from the core to the cloud. The Onapsis Platform
uniquely delivers actionable insight, secure change, automated
governance and continuous monitoring for critical systems—ERP,
CRM, PLM, HCM, SCM and BI applications—from leading vendors
such as SAP, Oracle, Salesforce and others.

Onapsis is headquartered in Boston, MA, with offices in Heidelberg,
Germany and Buenos Aires, Argentina. We proudly serve more than 300
of the world’s leading brands, including 20% of the Fortune 100, 6
of the top 10 automotive companies, 5 of the top 10 chemical companies,
4 of the top 10 technology companies and 3 of the top 10 oil and gas
companies.

The Onapsis Platform is powered by the Onapsis Research Labs,
the team responsible for the discovery and mitigation of more than
800 zero-day vulnerabilities in mission-critical applications.
The reach of our threat research and platform is broadened through
leading consulting and audit firms such as Accenture, Deloitte, IBM,
PwC and Verizon—making Onapsis solutions the standard in helping
organizations protect their cloud, hybrid and on-premises mission-critical
information and processes.

For more information, connect with us on Twitter or LinkedIn, or visit us
at https://www.onapsis.com.

--
This email and any files transmitted with it are confidential and intended
solely for the use of the individual or entity to whom they are addressed.
If you have received this email in error please notify the system manager.
This message contains confidential information and is intended only for the
individual named. If you are not the named addressee you should not
disseminate, distribute or copy this e-mail.
Please notify the sender
immediately by e-mail if you have received this e-mail by mistake and
delete this e-mail from your system. If you are not the intended recipient
you are notified that disclosing, copying, distributing or taking any
action in reliance on the contents of this information is strictly
prohibited.


Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close