Security News > 2020 > August > If you haven't yet patched this critical hole in SAP NetWeaver Application Server, today is not your day

If you haven't yet patched this critical hole in SAP NetWeaver Application Server, today is not your day
2020-08-12 09:59

We hope you've patched CVE-2020-6262, aka note 2835979, that affects SAP NetWeaver Application Server ABAP, because the folks who found and reported the vulnerability are going public with the details.

The infosec biz's Alexander Meier and Fabian Hag found the security hole and reported it to SAP in April.

It was patched in May. This critical-severity bug - scoring 9.9 out of 10 on the CVSS v3 meter - can be exploited by a rogue authenticated user, or someone whose access has been hijacked, to inject arbitrary code into an application server.

It appears exploitation relies on the presence of the remote function module /SDF/GEN FUNCS FUNC CALL in a Netweaver installation; this module is used by SAP's Solution Manager admin tool to send ABAP commands to the application server.

The advisory includes proof-of-concept exploits to extract hashed passwords from an SAP system, delete essential system tables, and gain unlimited control over an installation.


News URL

https://go.theregister.com/feed/www.theregister.com/2020/08/12/sap_netweaver_abap_bug/

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2020-05-12 CVE-2020-6262 Code Injection vulnerability in SAP Application Server
Service Data Download in SAP Application Server ABAP (ST-PI, before versions 2008_1_46C, 2008_1_620, 2008_1_640, 2008_1_700, 2008_1_710, 740) allows an attacker to inject code that can be executed by the application.
network
low complexity
sap CWE-94
8.8

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
SAP 329 25 680 386 113 1204