Technical Articles
SAP Security Bug in SAP Solution Manager (JAVA stack)
Overview
SAP has released security updates to address vulnerabilities affecting multiple products. An attacker could exploit some of these vulnerabilities to take control of an affected system. These include missing authentication check vulnerabilities affecting SAP Solution Manager (JAVA stack).
Automated probes for servers containing a severe vulnerability (CVE-2020-6207) in SAP software have been detected a week after a working exploit was published online.
CVE (CVSS v3)
CVE-2020-6207 (CVSS 10.0)
→Publish of exploit code increases risk of attacks.
Product (Version)
SAP Solution Manager 7.2 or older
URL(s)
- https://us-cert.cisa.gov/ncas/current-activity/2020/11/10/sap-releases-november-2020-security-updates (CISA)
- https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=562725571 (SAP Advisory)
- https://www.zdnet.com/article/automated-exploit-of-critical-sap-solman-vulnerability-detected-in-the-wild/#ftag=RSSbaffb68(News EN)
Responses are required as soon as possible to 1), 2) and B) setting change or C) temporary system stop of 3) which is described below ASAP.
How to check them patch versions
Check the LM-SERVICE version in path below
start Page of Solution Manager Java system
-> System Information
-> Component information
-> find LM-SERVICE and check the version
(For example, 1000.7.20.11.5.XXXX, it means LM-SERVICE 7.20 SP11 Patch05)
If the patch level is lower than this definition, it is necessary to take countermeasures.
LM Service Component for JAVA Stack 7.20 SP10. [1000.7.20.10.0 è LM-SERVICE 7.20 SP10 Patch 0]
Please conduct the following countermeasures
- A) Upgrade Patch Level to the latest version
- B) If you cannot upgrade to the latest version of the patch level immediately, please change the following settings
Logon to SAP Net Weaver Administration on the SAP Solution Manager Java Stack, with SAP J2EE Admin user.
Navigate to Configuration > Infrastructure > Connectivity > Single Service Administration > Service Definitions.
Search for WSDL port Type with name ‘EemAdmin‘ and press ‘Go’.
Select it and display its configuration details in the lower ‘Details’ tab.
Press ‘Edit’ in the ‘Security’ tab of the EemAdminBeanPort and enable the following options in the Http Authentication section:
[x] User ID/Password
[ ] X.509 Client Certificate
[x] Logon Ticket
Then press save settings.
No restart is required.
- C) If you cannot upgrade or change the settings immediately shut down the system temporarily
After that, please update the latest version as soon as possible
Dumb question: Our SolMan instances have no exposure to the internet. Does that lessen the severity of this exploit?
Solution Manager is not frequently exposed to the internet, limiting the overall impact. However, this limitation does not preclude a local attacker from exploiting this flaw.
Good point! Thank you...