SAP ERP application security solutions provider Onapsis Inc. released a cybersecurity news alert on Tuesday, 19 January detailing a new SAP functional exploit affecting SAP Solution Manager 7.2 (SAP SolMan), publicly released online on GitHub.
According to the Onapsis report, the new exploit abuses an SAP vulnerability—a missing authentication check in the EEM Manager component on SAP SolMan. This vulnerability is rated with the highest possible CVSSv3 score of 10.0 and was reported to SAP by Onapsis Researchers Pablo Artuso and Yvan Genuer.
Sebastian Bortnik, Director of Research at Onapsis, points out why this particular exploit poses a critical risk for SAP customers:
“While exploits are released regularly online, this hasn’t been the case for SAP vulnerabilities, for which publicly available exploits have been limited. The release of a public exploit significantly increases the chance of an attack attempt since it also expands potential attackers not only to SAP-experts or professionals, but also to script-kiddies or less-experienced attackers that can now leverage public tools instead of creating their own.”
Security Repercussions on SAP SolMan
SAP SolMan is an SAP platform that covers the complete application lifecycle management of customers’ IT solutions (both SAP and non-SAP software) running on-premise, hybrid or in the cloud.
The application is used to centralise the management of both SAP and non-SAP IT systems within a customer’s SAP environment. SAP SolMan performs several administrative functions, such as maintenance of all enterprise mission-critical SAP applications (enterprise resource planning, customer relations management, business intelligence, etc.).
A successful attack exploiting the EEM Manager vulnerability can give unauthenticated remote attackers complete administrative privileges on SAP SolMan. According to Onapsis, if this happens, every IT system connected to SolMan could be compromised, allowing remote unauthenticated attackers to perform malicious tasks such as causing IT control deficiencies, assigning a superuser or deleting any data in the SAP systems, with critical business impacts including:
- compromised financial integrity and privacy leading to regulatory compliance violations such as SOX, GDPR, HIPAA etc.
- loss of key data leading to severe business disruptions
- release of sensitive employee and customer data from the database
How to Stay Secure
Bortnik notes that for most companies, the risk of this new SAP exploit should be mostly limited to internal attacks since an attacker would need network visibility to SAP SolMan (which is not frequently exposed to the Internet).
Furthermore, SAP customers who have applied the SAP Security Note #2890213 patch are not vulnerable. According to Onapsis, the best way for users to check whether their IT systems are vulnerable is to first confirm whether the patch was properly applied.
Meanwhile, customers using the Onapsis platform can easily check their SolMan systems by running an assessment on their SolMan assets or by directly checking the output of recent scans.
About Onapsis Inc.
Onapsis is headquartered in Boston, MA, USA with offices in Heidelberg, Germany and Buenos Aires, Argentina. The cybersecurity company serves more than 300 of the world’s leading brands, including 20% of the Fortune 100, 6 of the top 10 automotive companies, 5 of the top 10 chemical companies, 4 of the top 10 technology companies and 3 of the top 10 oil and gas companies.
The Onapsis Platform is powered by the Onapsis Research Labs, the team responsible for the discovery and mitigation of more than 800 zero-day vulnerabilities in business-critical applications.