SAP's "Active Directory-equivalent" has a CVSS 10-rated critical bug

Security experts warn that unpatched vulns remain better than 0days for attackers.

The bad news: a critical security vulnerability in a widely deployed SAP product can be exploited by remote unauthenticated attackers and gives them "basically limitless" privileges -- now a working proof of concept has been posted online, with scans for exposed ports mounting.

The good news: the affected product, SAP Solutions Manager (SolMan), is not typically exposed to the internet, the security researchers at Onapsis who found the bug note, saying "for most companies, [the] risk of this exploit should be mostly limited to internal attacks".

With attackers increasingly lingering on compromised networks for months, however, this gives them another comprehensive and easy-to-exploit new threat vector and opens a route to malicious internal attacks too. Those unpatched should do so urgently.

SAP Solution Manager 7.2 is vulnerable. Older versions are not affected.

The CVSS-10 rated vulnerability, tracked as CVE-2020-6207. "A successful attack exploiting this vulnerability would put an organization’s mission-critical SAP applications, business process and data at risk—impacting cybersecurity and regulatory compliance" Onapsis' researches noted in a January 19 write-up. The impact of compromise could be particularly dmanaging as SAP SolMan is equivalent to Active Directory in Windows; centralising management of systems within an SAP landscape.

As Satnam Narang, a staff research engineer at cyber exposure management specialists Tenable notes: "Publication of a proof-of-concept exploit script poses significant challenges for cyber defenders.

"The flaw, identified as CVE-2020-6207, is a missing authentication vulnerability, meaning an attacker can authenticate to vulnerable systems by simply trying to connect... As we highlight in our 2020 Threat Landscape Retrospective report, unpatched vulnerabilities are much more valuable to cybercriminals than zero-day vulnerabilities."

See also: Pre-auth RCE vulnerabilities in Cisco’s SD-WAN give attackers root privileges.