ID CVE-2020-6207 Type cve Reporter cve@mitre.org Modified 2020-03-12T13:48:00
Description
SAP Solution Manager (User Experience Monitoring), version 7.2, does not perform any authentication for a service because of a missing authentication check, resulting in complete compromise of all SMDAgents connected to the Solution Manager.
{"id": "CVE-2020-6207", "bulletinFamily": "NVD", "title": "CVE-2020-6207", "description": "SAP Solution Manager (User Experience Monitoring), version- 7.2, due to Missing Authentication Check does not perform any authentication for a service resulting in complete compromise of all SMDAgents connected to the Solution Manager.", "published": "2020-03-10T21:15:00", "modified": "2020-03-12T13:48:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-6207", "reporter": "cve@mitre.org", "references": ["https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=540935305", "https://launchpad.support.sap.com/#/notes/2890213"], "cvelist": ["CVE-2020-6207"], "type": "cve", "lastseen": "2021-02-02T07:37:11", "edition": 6, "viewCount": 46, "enchantments": {"dependencies": {"references": [{"type": "thn", "idList": ["THN:A7AA3AE7A696436A10F01A7B17DFFA4E"]}, {"type": "nessus", "idList": ["SAP_SOLUTION_MANAGER_2890213.NASL"]}], "modified": "2021-02-02T07:37:11", "rev": 2}, "score": {"value": 3.3, "vector": "NONE", "modified": "2021-02-02T07:37:11", "rev": 2}, "twitter": {"counter": 58, "tweets": [{"link": "https://twitter.com/securitytrails/status/1353356935328788481", "text": "A fully functional exploit made by researcher /_chipik was published on GitHub that takes advantage of a SAP bug, noted as CVE-2020-6207\n\n/hashtag/SAP?src=hashtag_click /hashtag/bug?src=hashtag_click /hashtag/exploit?src=hashtag_click"}, {"link": "https://twitter.com/Sjgowing1/status/1354422914276151301", "text": "CVE-2020-6207: Proof of Concept Available for Missing Authentication Vulnerability in SAP Solution Manager"}, {"link": "https://twitter.com/trip_elix/status/1353422359739428865", "text": "\"Here's a PoC to exploit missing authentication checks (CVE-2020-6207) in SAP EEM servlet, leading to RCE on SAP SMDAgents connected to SAP Solution Manager.\n\nhttps://t.co/KSfTHFwMMG?amp=1\n\nvia /_chipik \""}, {"link": 
"https://twitter.com/pythontrending/status/1354440670765850632", "text": "SAP_EEM_CVE-2020-6207 - PoC for CVE-2020-6207 (Missing Authentication Check in SAP Solution Manager)"}, {"link": "https://twitter.com/Art_Capella/status/1353317893220438016", "text": "CVE-2020-6207: Proof of Concept Available for Missing Authentication Vulnerability in SAP Solution Manager"}, {"link": "https://twitter.com/AusRealNews/status/1353423161673453568", "text": "RT TheHackersNews \"Here's a PoC to exploit missing authentication checks (CVE-2020-6207) in SAP EEM servlet, leading to RCE on SAP SMDAgents connected to SAP Solution Manager.\n\nhttps://t.co/KmO1qWbmoT?amp=1\n\nvia /_chipik \" Stay up-to-date: https://t.co/m6tBp3CEQb?amp=1"}, {"link": "https://twitter.com/campuscodi/status/1353253705399767040", "text": "Onapsis says it has detected active probes for CVE-2020-6207 after an exploit was published online earlier this month\n\nhttps://t.co/1mMwac5KmV?amp=1\n\nPoC was here: https://t.co/j8yy8rgo69?amp=1"}, {"link": "https://twitter.com/motakasoft/status/1354995201308168201", "text": "GitHub Trending Archive, 27 Jan 2021, Python. 
chipik/SAP_EEM_CVE-2020-6207, darrenmartyn/VisualDoor, ahmedkhlief/APT-Hunter, MTK-bypass/bypass_utility, Chia-Network/chia-blockchain, nicksawhney/bernie-sits, AdamGold/Dryvo, demisto/content https://t.co/APG71IhNaV?amp=1"}, {"link": "https://twitter.com/kyrilka/status/1356861785748475904", "text": "Need protection for SAP Solution Manager Remote Code Execution Vulnerability (CVE-2020-6207)?\n\n /hashtag/trendmicro?src=hashtag_click /hashtag/virtualpatching?src=hashtag_click /hashtag/cybersecurity?src=hashtag_click"}, {"link": "https://twitter.com/SniffOutStocks/status/1362265981066776581", "text": "CVE-2020-6207: Proof of Concept Available for Missing Authentication Vulnerability in SAP Solution Manager https://t.co/IfHEBDBwig?amp=1"}], "modified": "2021-02-02T07:37:11"}, "vulnersScore": 3.3}, "cpe": ["cpe:/a:sap:solution_manager:7.20"], "affectedSoftware": [{"cpeName": "sap:solution_manager", "name": "sap solution manager", "operator": "eq", "version": "7.20"}], "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "cpe23": ["cpe:2.3:a:sap:solution_manager:7.20:*:*:*:*:*:*:*"], "cwe": ["CWE-306"], "scheme": 
null, "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"cpe_match": [{"cpe23Uri": "cpe:2.3:a:sap:solution_manager:7.20:*:*:*:*:*:*:*", "vulnerable": true}], "operator": "OR"}]}, "extraReferences": [{"name": "https://launchpad.support.sap.com/#/notes/2890213", "refsource": "MISC", "tags": ["Permissions Required"], "url": "https://launchpad.support.sap.com/#/notes/2890213"}, {"name": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=540935305", "refsource": "MISC", "tags": ["Vendor Advisory"], "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=540935305"}]}
{"thn": [{"lastseen": "2021-01-24T04:27:01", "bulletinFamily": "info", "cvelist": ["CVE-2020-6207"], "description": "[](<https://thehackernews.com/images/-TP5Z2UvGZxw/YAvgBnM6X4I/AAAAAAAADsw/Z2AvMeqPHSowGI_r4G-7wJCVq0RpRaj1QCLcBGAsYHQ/s0/sap.jpg>)\n\nCybersecurity researchers have warned of a publicly available fully-functional exploit that could be used to target SAP enterprise software.\n\nThe exploit leverages a vulnerability, tracked as [CVE-2020-6207](<https://nvd.nist.gov/vuln/detail/CVE-2020-6207>), that stems from a missing authentication check in SAP Solution Manager (SolMan) version 7.2\n\nSAP [SolMan](<https://support.sap.com/en/alm/solution-manager.html>) is an application management and administration solution that offers end-to-end application lifecycle management in distributed environments, acting as a centralized hub for implementing and maintaining SAP systems such as ERP, CRM, HCM, SCM, BI, and others.\n\n[](<https://go.thn.li/password-auditor> \"password auditor\" )\n\n\"A successful exploitation could allow a remote unauthenticated attacker to execute highly privileged administrative tasks in the connected [SAP SMD Agents](<https://wiki.scn.sap.com/wiki/display/SM/Solution+Manager+Diagnostics>),\" researchers from Onapsis [said](<https://onapsis.com/blog/new-sap-exploit-published-online-how-stay-secure>), referring to the Solution Manager Diagnostics toolset used to analyze and monitor SAP systems.\n\nThe vulnerability, which has the highest possible CVSS base score of 10.0, was addressed by SAP as part of its [March 2020](<https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=540935305>) updates.\n\n[](<https://thehackernews.com/images/-wZmwY_o-L-s/YAvfPXDl9iI/AAAAAAAADso/kDzPp0nPzMslP37Pivnpf5oO7ZlkncWjwCLcBGAsYHQ/s0/sap-software.jpg>)\n\nExploitation methods leveraging the flaw were later demonstrated at the [Black Hat 
conference](<https://www.blackhat.com/us-20/briefings/schedule/index.html#an-unauthenticated-journey-to-root-pwning-your-companys-enterprise-software-servers-19964>) last August by Onapsis researchers Pablo Artuso and Yvan Genuer to highlight possible attack techniques that could be devised by rogue parties to strike SAP servers and obtain root access.\n\nThe critical flaw resided in SolMan's [User Experience Monitoring](<https://support.sap.com/en/alm/solution-manager/expert-portal/user-experience-monitoring.html>) (formerly End-user Experience Monitoring or EEM) component, thus putting every business system connected to the Solution Manager at risk of a potential compromise.\n\nThe public availability of a Proof-of-Concept (PoC) exploit code, therefore, leaves unpatched servers exposed to a number of potential malicious attacks, including:\n\n * Shutting down any SAP system in the landscape\n * Causing IT control deficiencies impacting financial integrity and privacy, leading to regulatory compliance violations\n * Deleting any data in the SAP systems, causing business disruptions\n * Assigning superuser privileges to any existing or new user, allowing those users to run critical operations, and\n * Reading sensitive data from the database\n\n\"While exploits are released regularly online, this hasn't been the case for SAP vulnerabilities, for which publicly available exploits have been limited,\" Onapsis researchers said.\n\n\"The release of a public exploit significantly increases the chance of an attack attempt since it also expands potential attackers not only to SAP-experts or professionals, but also to script-kiddies or less-experienced attackers that can now leverage public tools instead of creating their own.\"\n\n \n\n\nFound this article interesting? 
Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "modified": "2021-01-24T03:35:45", "published": "2021-01-23T08:43:00", "id": "THN:A7AA3AE7A696436A10F01A7B17DFFA4E", "href": "https://thehackernews.com/2021/01/beware-fully-functional-released-online.html", "type": "thn", "title": "Beware! Fully-Functional Exploit Released Online for SAP Solution Manager Flaw", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2021-01-30T13:26:41", "description": "The version of SAP Solution Manager SAP on the remote host may be affected by a missing authentication vulnerability \nin the End user Experience Monitoring (EEM) function due to a lack of authentication checks for a service. An\nunauthenticated, remote attacker can exploit this issue to compromise all SMDAgents connected to the Solution Manager.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version \nnumber.", "edition": 2, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-01-28T00:00:00", "title": "SAP Solution Manager Missing Authentication (2890213)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-6207"], "modified": "2021-01-28T00:00:00", "cpe": ["cpe:/a:sap:netweaver_solution_manager"], "id": "SAP_SOLUTION_MANAGER_2890213.NASL", "href": "https://www.tenable.com/plugins/nessus/145532", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(145532);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/29\");\n\n script_cve_id(\"CVE-2020-6207\");\n\n script_name(english:\"SAP Solution Manager Missing Authentication (2890213)\");\n\n 
script_set_attribute(attribute:\"synopsis\", value:\n\"The remote SAP Solution Manager may be affected by a missing authentication vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of SAP Solution Manager SAP on the remote host may be affected by a missing authentication vulnerability \nin the End user Experience Monitoring (EEM) function due to a lack of authentication checks for a service. An\nunauthenticated, remote attacker can exploit this issue to compromise all SMDAgents connected to the Solution Manager.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version \nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://launchpad.support.sap.com/#/notes/2890213\");\n script_set_attribute(attribute:\"see_also\", value:\"https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=540935305\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the appropriate patch according to the vendor advisory.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-6207\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/03/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/03/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/01/28\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", 
value:\"cpe:/a:sap:netweaver_solution_manager\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"sap_solution_manager_web_detect.nbin\");\n script_require_keys(\"Settings/ParanoidReport\", \"installed_sw/SAP Solution Manager\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\napp_name = 'SAP Solution Manager';\napp_info = vcf::get_app_info(app:app_name);\n\n# paranoid since we can't see the patch level\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\nvcf::check_granularity(app_info:app_info, sig_segments:2);\n\nif (app_info['version'] =~ \"^7.2\") {\n sps = app_info['SPS'];\n sps_fix = '12';\n if(!empty_or_null(sps) && ver_compare(ver:sps, fix:sps_fix) >= 0)\n audit(AUDIT_INST_VER_NOT_VULN, app_name, app_info['version'] + ' SP' + sps);\n}\n\nconstraints = [{ 'min_version' : '7.2', 'fixed_version' : '7.3', 'fixed_display' : 'Refer to vendor advisory'}];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}