Overview
SAP Solution Manager 7.2 contains a critical remote command execution vulnerability caused by missing authentication checks in the SAP EEM (Enterprise Event Management) servlet. Attackers can execute arbitrary OS commands and perform Server-Side Request Forgery (SSRF) attacks by sending specially crafted SOAP requests without any authentication. The vulnerability was disclosed on March 10, 2020. CISA has identified CVE-2020-6207 as exploited in the wild, but it is not currently known to be used in ransomware campaigns.
Technical details
The SAP EEM servlet in Solution Manager 7.2 fails to properly validate and authenticate incoming SOAP requests. The vulnerable endpoint accepts unauthenticated SOAP messages that can be weaponized to execute arbitrary operating system commands on the underlying server. Additionally, the same authentication bypass can be leveraged to perform SSRF attacks, allowing attackers to make requests to internal systems and services from the perspective of the vulnerable SAP application.
The vulnerability is classified as CWE-306 (Missing Authentication for Critical Function), CWE-78 (Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')) and CWE-918 (Server-Side Request Forgery (SSRF)).
The vulnerability received a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H, reflecting its critical severity.
Impact
An attacker without authentication can gain complete control over the SAP Solution Manager server by executing arbitrary operating system commands with the privileges of the application server process. This allows for data exfiltration, system compromise, lateral movement within the network, and disruption of services. The SSRF capability enables attackers to access and attack internal systems that are only reachable from the compromised server, potentially compromising other SAP systems and critical infrastructure.
Mitigation and workarounds
SAP recommends upgrading to SAP Solution Manager 7.2 SP09 Patch 04 or later. Apply the security patch provided in SAP Security Note 2904267. Ensure all supporting components are updated to compatible versions. The following versions include the necessary fixes: SAP Solution Manager 7.2 SP09 Patch 04, SAP Solution Manager 7.2 SP10 and later.
As temporary workarounds:
- Implement network-level access controls to restrict access to the SAP Solution Manager instance.
- Use a web application firewall (WAF) or reverse proxy to block unauthenticated SOAP requests to the EEM servlet endpoint (typically /service/sap/bc/soap endpoints).
- Disable or restrict the EEM servlet if it is not actively being used in the environment.
- Isolate the SAP Solution Manager instance on a restricted network segment and limit outbound connectivity to prevent SSRF attacks from reaching internal systems.
CISA recommendation: Apply updates per vendor instructions.
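The network-restriction and proxy workarounds above are only as good as the verification behind them. The following is an added example, not code from the advisory, SAP or CISA: it scans web-server access logs for requests to the EEM SOAP path prefix named in the workarounds and reports any that came from outside an allowlist of management networks, distinguishing requests the server actually served from ones a WAF or proxy already rejected. It assumes combined-style access-log lines; the sample log lines, the "/eem" servlet suffix and the allowlisted network are constructed placeholders, not values taken from the advisory.

```python
import ipaddress
import re

# Path prefix the advisory names for the EEM servlet SOAP endpoints.
# The servlet name appended in the sample lines ("/eem") is a constructed
# placeholder, not a path taken from the advisory.
SOAP_PREFIX = "/service/sap/bc/soap"

# Constructed sample access-log lines (combined-log style). Source addresses
# are from documentation ranges, not real hosts; one line is deliberately
# unparsable to show the scanner skips it rather than crashing.
SAMPLE_LOG = """\
10.10.5.21 - - [10/Mar/2020:09:12:01 +0000] "POST /service/sap/bc/soap/eem HTTP/1.1" 200 512 "-" "SAPSolMan/7.2"
203.0.113.7 - - [10/Mar/2020:09:13:44 +0000] "POST /service/sap/bc/soap/eem HTTP/1.1" 200 4096 "-" "python-requests/2.22"
203.0.113.7 - - [10/Mar/2020:09:13:45 +0000] "GET /sap/public/ping HTTP/1.1" 200 12 "-" "curl/7.64"
198.51.100.9 - - [10/Mar/2020:09:15:02 +0000] "POST /Service/SAP/BC/SOAP/eem HTTP/1.1" 403 0 "-" "Mozilla/5.0"
garbage line that does not parse
"""

# client-ip ident user [timestamp] "METHOD path protocol" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Extract the fields we need from one access-log line; None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def is_eem_soap_request(path, prefix=SOAP_PREFIX):
    """Case-insensitive prefix match on the request path, ignoring any query string."""
    bare = path.split("?", 1)[0]
    return bare.lower().startswith(prefix.lower())


def find_external_eem_requests(log_text, allowed_networks, prefix=SOAP_PREFIX):
    """Return EEM SOAP requests whose source address is outside the allowlisted networks.

    Each finding carries a 'served' flag: True when the server answered 2xx
    (the workaround is not holding), False when the request was rejected.
    """
    nets = [ipaddress.ip_network(n, strict=False) for n in allowed_networks]
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_eem_soap_request(rec["path"], prefix):
            continue
        try:
            src = ipaddress.ip_address(rec["ip"])
        except ValueError:
            continue  # malformed address field; nothing to compare against
        if any(src in net for net in nets):
            continue  # expected management traffic
        rec["served"] = 200 <= rec["status"] < 300
        findings.append(rec)
    return findings


if __name__ == "__main__":
    # Constructed allowlist: the management network that may reach the servlet.
    for f in find_external_eem_requests(SAMPLE_LOG, ["10.0.0.0/8"]):
        state = "SERVED" if f["served"] else "rejected"
        print(f'{f["ts"]} {f["ip"]} {f["method"]} {f["path"]} -> {f["status"]} ({state})')
```

Run it against the real access log with the management networks that are supposed to reach Solution Manager; any finding marked SERVED means an unauthenticated request from outside those networks reached the servlet, so the network control or proxy rule is not in effect. The prefix match is case-insensitive and strips the query string so that a rule matching only the exact lowercase path does not leave a gap; the same normalization belongs in the reverse-proxy deny rule.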
Additional resources
Source: This report was generated by AI.

