Patch Immediately: Critical Vulnerability In SAP® ABAP Systems (CVE-2020-6262)

news vulnerability

SEC Consult Vulnerability Lab discovered a critical code injection vulnerability (CVE-2020-6262) with a CVSSv3 Score of 9.9 in SAP® Service Data Download (a part of the SAP® Solution Manager Plugin ST-PI).

SAP flags banner image - SEC Consult

This vulnerability affects all SAP® ABAP servers that use the below mentioned components. It can be exploited over the network and allows an authenticated attacker to inject code into a standard ABAP application to control the behavior of the vulnerable component and thereby the entire SAP® Application Server ABAP.

The impact is of highest criticality as the vulnerability itself enables e.g.:

  • Unauthorized execution of arbitrary commands 
  • Disclosure of sensitive information
  • Denial of Service (DoS) attacks

Considering the impact, we advice all customers to implement note 2835979 as soon as possible.

As part of the SEC Consult responsible disclosure process this vulnerability was reported to SAP® by SEC Consult’s researchers (Alexander Meier and Fabian Hagg) immediately after discovery on 20th April 2020. Further detailed information will be published three months after patch release in accordance with SAP’s responsible disclosure guidelines.

We want to express our thanks to the folks at SAP®, especially the SAP® Product Security Response Team. They reacted fast for every inquiry and released a timely patch on the 12th May 2020.

Title Code Injection Vulnerability in Service Data Download
Type Code Injection/Remote Code Execution
CVSS v3 Vector AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CVSS v3 Score 9.9
CVE CVE-2020-6262
Affected Component SAP® Solution Tools Plug-In ST-PI
Affected Product SAP® Application Server ABAP, ST-PI versions- 2008_1_46C, 2008_1_620, 2008_1_640, 2008_1_700, 2008_1_710, 740
Available Patches https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=545396222 (Security Note 2835979)
  https://launchpad.support.sap.com/#/notes/2835979
   
Acknowledgement https://wiki.scn.sap.com/wiki/display/PSR/Acknowledgments+to+Security+Researchers
Release date patch 2020-05-12
Planned release date for detailed advisory 2020-08-12