# Onapsis Security Advisory 2021-0001: [CVE-2020-6207] - Unauthenticated
RCE in SAP all SMD Agents connected to SAP SolMan

## Impact on Business

A malicious unauthenticated user could abuse the lack of authentication
check on SAP Solution Manager User-Experience Monitoring web service,
allowing them to remotely execute commands in all hosts connected to the
targeted SolMan through these SMD Agents.

## Advisory Information

- Security Advisory ID: ONAPSIS-2021-0001
- Vulnerability Submission ID: 819
- Researcher(s): Pablo Artuso, Yvan Genuer

## Vulnerability Information

- Vendor: SAP
- Affected Components:

  - SAP Solution Manager SP004 Patch 0011 and lower
  - SAP Solution Manager SP005 Patch 0012 and lower
  - SAP Solution Manager SP006 Patch 0013 and lower
  - SAP Solution Manager SP007 Patch 0019 and lower
  - SAP Solution Manager SP008 Patch 0015 and lower
  - SAP Solution Manager SP009 Patch 0007 and lower
  - SAP Solution Manager SP010 Patch 0001 and lower
  - SAP Solution Manager SP011 Patch 0003 and lower

  (Check SAP Note 2890213 for detailed information on affected releases)

- Vulnerability Class: [CWE-306] Missing Authentication for Critical
Function
- CVSS v3 score: 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
- Severity: Critical
- Assigned CVE: CVE-2020-6207
- Vendor patch Information: SAP Security NOTE 2890213

## Affected Components Description

SAP SolMan 7.2 introduces a bunch of web services which run on top of the
SAP
Java NetWeaver stack. The affected versions have a vulnerable web service
exposed without authentication.

## Vulnerability Details

The EemAdminService/EemAdmin web service endpoint, which is exposed by
default
in SolMan 7.2, does not require user authentication when someone tries to
use it.
As a SOAP endpoint, any unauthenticated attacker just with HTTP(s) access
to the
system will be able to send particular crafted SOAP messages in order to
make use
of the different actions that this endpoint provides.

This web service, present only in the Solution Manager, allows users to
upload scripts
that will be afterwards executed in the SMD agents connected to the
targeted SolMan.
Because of a lack of sanitization, it is possible to craft particular
scripts that
could end up executing OS commands with SMD Agent user privileges.

## Solution

SAP has released SAP Note 2890213 which provide patched versions of the
affected components.

The patches can be downloaded from
https://service.sap.com/sap/support/notes/2890213.

Onapsis strongly recommends SAP customers to download the related
security fixes and apply them to the affected components in order to
reduce business risks.

## Report Timeline

- 02/05/2020 - Onapsis provides vulnerability details to SAP
- 02/07/2020 - SAP provides internal tracking number
- 02/12/2020 - SAP provides update: Vulnerability confirmed – fix in
progress
- 03/10/2020 - SAP releases SAP Note fixing the issue. Vulnerability is now
closed

## References

- Onapsis blogpost: https://onapsis.com/blog/sap-security-notes-mar-2020
- Black Hat 2020 presentation (white paper, slides and video):
-
https://www.blackhat.com/us-20/briefings/schedule/#an-unauthenticated-journey-to-root-pwning-your-companys-enterprise-software-servers-19964
- CVE Mitre: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6207
- Vendor Patch: https://launchpad.support.sap.com/#/notes/2890213

## About Onapsis Research Labs

Onapsis Research Labs provides the industry analysis of key security
issues that impact business-critical systems and applications.
Delivering frequent and timely security and compliance advisories with
associated risk levels, Onapsis Research Labs combine in-depth knowledge
and experience to deliver technical and business-context with sound
security judgment to the broader information security community.

Find all reported vulnerabilities at
https://github.com/Onapsis/vulnerability_advisories

## About Onapsis, Inc.

Onapsis protects the mission-critical applications that run the
global economy, from the core to the cloud. The Onapsis Platform
uniquely delivers actionable insight, secure change, automated
governance and continuous monitoring for critical systems—ERP,
CRM, PLM, HCM, SCM and BI applications—from leading vendors
such as SAP, Oracle, Salesforce and others.

Onapsis is headquartered in Boston, MA, with offices in Heidelberg,
Germany and Buenos Aires, Argentina. We proudly serve more than 300
of the world’s leading brands, including 20% of the Fortune 100, 6
of the top 10 automotive companies, 5 of the top 10 chemical companies,
4 of the top 10 technology companies and 3 of the top 10 oil and gas
companies.

The Onapsis Platform is powered by the Onapsis Research Labs,
the team responsible for the discovery and mitigation of more than
800 zero-day vulnerabilities in mission-critical applications.
The reach of our threat research and platform is broadened through
leading consulting and audit firms such as Accenture, Deloitte, IBM,
PwC and Verizon—making Onapsis solutions the standard in helping
organizations protect their cloud, hybrid and on-premises mission-critical
information and processes.

For more information, connect with us on Twitter or LinkedIn, or visit us
at https://www.onapsis.com.

-- 
This email and any files transmitted with it are confidential and intended 
solely for the use of the individual or entity to whom they are addressed. 
If you have received this email in error please notify the system manager. 
This message contains confidential information and is intended only for the 
individual named. If you are not the named addressee you should not 
disseminate, distribute or copy this e-mail.
Please notify the sender 
immediately by e-mail if you have received this e-mail by mistake and 
delete this e-mail from your system. If you are not the intended recipient 
you are notified that disclosing, copying, distributing or taking any 
action in reliance on the contents of this information is strictly 
prohibited.