SAP has released a patch for a critical vulnerability in its SolMan Diagnostic Agent (SMDAgent), which manages the monitoring and diagnostics events communications between every SAP system and Solution Manager.
The SAP vulnerability, which has a CVSS score of 9.1, was disclosed by security research Yvan Genuer, from Boston-based cybersecurity firm Onapsis. He said that an attacker could bypass the system’s whitelisting processes using a custom crafted payload that would offer “full control” over a given SAP system.
Onapsis explained: “Using its basic functionality, a SolMan admin can execute OS commands through a GAP_ADMIN transaction, in order to perform analysis into an SAP system. Once executed, those commands are validated using a whitelist file located in the SMDAgent installation directory.”
“This SAP vulnerability may allow an attacker to bypass this validation by sending a custom-crafted payload.
“Using this technique the attacker could obtain full control over an SAP system compromising the SMDAgent user, allowing access sensitive information (such as credentials and critical business information), changing application configurations or even stopping SAP services. As previously mentioned, the SDMAgent must be installed in every SAP system in order to perform diagnostic tasks, so the scope of an attack is broad, as it could affect the entire landscape.”
It was not immediately clear what privileges were necessary to begin the exploit. Computer Business Review has requested further information.
The vulnerability, CVE-2019-0330, was one of nine patched by SAP this week.
The only other (CVE-2019-0328), high priority patch was for a code injection vulnerability in the Extended Computer Aided Test Tool (eCATT). This is used for automatic testing in SAP business processes. Exploitation of this vulnerability has a critical impact on the system’s integrity and availability since malicious commands that could be executed run with a high privileged user.
SAP has patches available now.