If you haven't yet patched this critical hole in SAP NetWeaver Application Server, today is not your day
We hope you've patched CVE-2020-6262, aka note 2835979, that affects SAP NetWeaver Application Server ABAP, because the folks who found and reported the vulnerability are going public with the details.
The infosec biz's Alexander Meier and Fabian Hagg found the security hole and reported it to SAP in April.
It was patched in May. This critical-severity bug - scoring 9.9 out of 10 on the CVSS v3 meter - can be exploited by a rogue authenticated user, or someone whose access has been hijacked, to inject arbitrary code into an application server.
It appears exploitation relies on the presence of the remote function module /SDF/GEN_FUNCS_FUNC_CALL in a NetWeaver installation; this module is used by SAP's Solution Manager admin tool to send ABAP commands to the application server.
The advisory includes proof-of-concept exploits to extract hashed passwords from an SAP system, delete essential system tables, and gain unlimited control over an installation.
News URL
https://go.theregister.com/feed/www.theregister.com/2020/08/12/sap_netweaver_abap_bug/
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2020-05-12 | CVE-2020-6262 | Code Injection vulnerability in SAP Application Server Service Data Download in SAP Application Server ABAP (ST-PI, before versions 2008_1_46C, 2008_1_620, 2008_1_640, 2008_1_700, 2008_1_710, 740) allows an attacker to inject code that can be executed by the application. | 8.8 |