Black Hat: How hackers gain root access to SAP enterprise servers through SolMan

Researchers demonstrated how the SAP Solution Manager could provide a bridge to full server access.
Written by Charlie Osborne, Contributing Writer

Researchers have demonstrated how a set of vulnerabilities in SAP Solution Manager could be exploited to obtain root access to enterprise servers. 

Speaking at Black Hat USA on Wednesday, Onapsis cybersecurity researchers Pablo Artuso and Yvan Genuer explained how the bugs were found in SAP Solution Manager (SolMan), a system the researchers compared to Windows Active Directory because of its central role in the landscape. 

SolMan is a centralized application designed to manage IT solutions on-premises, in the cloud, or in hybrid environments. The integrated solution acts as a management tool for business-critical applications, including both SAP and non-SAP software.

An estimated 87% of the Global 2000 uses SAP in some way, and so vulnerabilities left unpatched could have severe consequences. With this in mind, Onapsis Research Labs conducted a security assessment of SolMan in 2019.

According to the cybersecurity firm, the vulnerabilities found in SolMan -- called the "technical heart of the SAP landscape" by Onapsis -- could allow unauthenticated attackers to compromise "every system" connected to the platform, including SAP ERP, CRM, HR, and more. 

SolMan manages SAP servers through software agents installed on them: the SAP Solution Manager Diagnostics Agent (SMDAgent). SMDAgent handles communication with SolMan and instance monitoring, and is generally installed on every server running SAP applications. 

SolMan itself is reached either through its own web server or via SAP GUI. The team inventoried a SolMan installation and the applications related to SMDAgent: roughly 60 applications in total, more than 20 of which were reachable over HTTP GET, POST, or SOAP requests. 

One application, SolMan's End User Experience Monitoring (EEM), stood out as a potentially vulnerable endpoint because it required no authentication at all. EEM lets SAP administrators write scripts that emulate user actions and deploy them to EEM robots running on other systems.

Combined with the lack of sanitization in the JavaScript expressions those scripts may contain, this meant an unauthenticated attacker could deploy a malicious script through EEM and have it executed on the robots, compromising every SMDAgent connected to SolMan. 

This remote code execution (RCE) vulnerability has been assigned CVE-2020-6207 and a CVSS score of 10.0. 
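The inventory step above (which of a SolMan host's web applications answer an anonymous caller) is the check a SolMan administrator would want to repeat on their own landscape, both before and after applying the fix. The script below is an added example and is not code from the talk, from Onapsis, or from SAP: the endpoint paths are hypothetical placeholders (the real list of applications is not reproduced here), the base URL is made up, and the logon-page heuristics (a 302 to a path containing "logon", "login" or "saml"; a 200 page carrying a `j_username`/`j_password` form) are assumptions about typical NetWeaver behaviour rather than documented interfaces. It sends each request without credentials, refuses to follow redirects so that a bounce to a logon flow is visible, and flags only endpoints that served content to nobody in particular.

```python
# Added example, not from the original article or the Onapsis talk.
# All paths and the default base URL below are placeholders (assumptions).
import sys
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Sequence, Tuple

# Placeholder inventory (hypothetical): (path, request kind the app expects).
DEFAULT_PATHS: Sequence[Tuple[str, str]] = (
    ("/monitoring/app-a", "GET"),
    ("/monitoring/app-b", "POST"),
    ("/monitoring/app-c/ServiceEndpoint", "SOAP"),
)

# Empty SOAP 1.1 envelope: not a valid call for any operation, but enough to
# learn whether a service engages with an unauthenticated caller at all.
SOAP_ENVELOPE = (
    b'<?xml version="1.0" encoding="UTF-8"?>'
    b'<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
    b"<soapenv:Body/></soapenv:Envelope>"
)

# Markers that a 200 response is really a logon form (assumed, not exhaustive).
LOGON_MARKERS = (b"j_username", b"j_password", b"logon")

Response = Tuple[Optional[int], Dict[str, str], bytes]  # status, headers, body
Fetch = Callable[[str, str, Optional[bytes], Dict[str, str]], Response]


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx responses as HTTPError instead of silently following them."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


_OPENER = urllib.request.build_opener(_NoRedirect)


def default_fetch(url: str, method: str, body: Optional[bytes],
                  headers: Dict[str, str]) -> Response:
    """Send one request with no credentials; return (status, headers, body[:4k])."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    try:
        with _OPENER.open(req, timeout=10) as resp:
            return resp.status, {k.lower(): v for k, v in resp.headers.items()}, resp.read(4096)
    except urllib.error.HTTPError as err:  # 3xx/4xx/5xx arrive here
        return err.code, {k.lower(): v for k, v in err.headers.items()}, err.read(4096)
    except (urllib.error.URLError, OSError):
        return None, {}, b""


def classify(status: Optional[int], headers: Dict[str, str], body: bytes) -> str:
    """Map one response to a verdict; only UNAUTHENTICATED needs follow-up."""
    if status is None:
        return "unreachable"
    if status in (401, 407):
        return "auth-required"
    if status == 403:
        return "forbidden"
    if status in (301, 302, 303, 307, 308):
        target = headers.get("location", "").lower()
        if any(m in target for m in ("logon", "login", "saml")):
            return "auth-required"  # bounced to a logon flow
        return "redirect"
    if status == 404:
        return "absent"
    if 200 <= status < 300:
        if any(m in body[:4096].lower() for m in LOGON_MARKERS):
            return "auth-required"  # 200 OK, but the content is a logon form
        return "UNAUTHENTICATED"  # real content (or a SOAP fault) for an anonymous caller
    return "review"


@dataclass
class ProbeResult:
    path: str
    kind: str
    status: Optional[int]
    verdict: str


def probe(base_url: str, paths: Sequence[Tuple[str, str]] = DEFAULT_PATHS,
          fetch: Fetch = default_fetch) -> List[ProbeResult]:
    """Probe every path once, in the request style it is meant to be used with."""
    results: List[ProbeResult] = []
    for path, kind in paths:
        if kind == "SOAP":
            method, body = "POST", SOAP_ENVELOPE
            headers = {"Content-Type": "text/xml; charset=utf-8", "SOAPAction": '""'}
        elif kind == "POST":
            method, body = "POST", b""
            headers = {"Content-Type": "application/x-www-form-urlencoded"}
        else:
            method, body, headers = "GET", None, {}
        status, resp_headers, resp_body = fetch(base_url.rstrip("/") + path, method, body, headers)
        results.append(ProbeResult(path, kind, status, classify(status, resp_headers, resp_body)))
    return results


def exposed(results: List[ProbeResult]) -> List[str]:
    """Paths that handed content to an anonymous caller."""
    return [r.path for r in results if r.verdict == "UNAUTHENTICATED"]


if __name__ == "__main__":
    base = sys.argv[1] if len(sys.argv) > 1 else "https://solman.example.internal:50001"  # placeholder
    found = probe(base)
    for r in found:
        print(f"{r.kind:4} {str(r.status):4} {r.verdict:16} {r.path}")
    print("needs follow-up:", exposed(found) or "none")
```

Two design points matter for SOAP services: a 200 carrying a SOAP fault still counts as exposed, because the service parsed and answered an anonymous request (a fault is not an authentication failure), and the `fetch` function is injectable so the classification can be exercised against recorded responses without touching a live system.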

Onapsis also uncovered two further vulnerabilities in the SolMan landscape, both in the SAP Host Agent. The first, tracked as CVE-2020-6234 (CVSS: 7.2), let attackers who had already obtained administrator privileges abuse the Host Agent's operation framework to gain root privileges on the underlying operating system.

The other vulnerability of note is CVE-2020-6236 (CVSS: 7.2), also in the SAP Host Agent. This bug was specific to the SAP Landscape Management and SAP Adaptive Extensions components and likewise permitted privilege escalation, provided the attacker already held admin_group privileges.

Chaining the unauthenticated RCE with either privilege-escalation bug would let remote attackers execute files, including malicious payloads, as root, giving them full control of the SMDAgents connected to SolMan and of the servers they run on. 

Speaking to ZDNet, Onapsis said that while SolMan does not generally hold business data itself, it is always connected to the production satellite systems it manages, so a successful compromise of this component could have severe consequences for the enterprise at large. 

After hijacking SolMan, unauthenticated attackers could read and modify financial records or bank details, access user data, shut down business-critical systems at will, and potentially "expand attacks beyond SAP scope as root/system access is achieved," according to the team. 

CVE-2020-6207 was reported to SAP on February 2 and by February 12, the bug was confirmed and an internal tracking number was issued. Onapsis then worked with the tech giant to provide additional technical details, leading to a fix on March 10. 

CVE-2020-6234 and CVE-2020-6236 were disclosed privately to SAP on December 9, 2019. These issues took longer to resolve and it was not until April 4 that a CVSS severity score was agreed. A patch was provided on April 13. 

"SAP systems are complex and in most cases highly customized making the patch process much more difficult," Onapsis researchers told ZDNet. "SAP SolMan, in particular, is usually overlooked when it comes to security, due to its lack of business data. We hope [...] that people will understand why securing SAP SolMan should not be overlooked and be a priority to keeping the entire SAP landscape and the organization's most critical applications protected."

In July, SAP released a fix for RECON (CVE-2020-6287), a CVSS 10.0 critical vulnerability also found by Onapsis. If exploited, the vulnerability -- found within the SAP NetWeaver Java technology stack -- allows attackers to create SAP user accounts with full privileges for SAP applications exposed to the Internet. 
