As part of its August 2020 Security Patch Day, SAP this week announced the release of 15 new Security Notes, including several that address significant vulnerabilities in NetWeaver.
The most important of these is a cross-site scripting (XSS) flaw in NetWeaver's Knowledge Management feature. Tracked as CVE-2020-6284 and rated Hot News, the issue has a CVSS score of 9.
Knowledge Management, a default feature of all SAP Enterprise Portal installations, allows users to manage multiform data sources, create and change content and directories, and upload files.
Successful exploitation of the vulnerability requires a user with administrative privileges to access the malicious file, which reduces the CVSS score to 9; otherwise it would have been 9.9.
Another Hot News Security Note published on this Security Patch Day is an update to a July 2020 Security Note addressing a critical bug (CVSS score 10) in NetWeaver AS JAVA (LM Configuration Wizard) that is tracked as CVE-2020-6287 and also called RECON (Remotely Exploitable Code On NetWeaver).
SAP also published three High Priority Security Notes on the August 2020 Security Patch Day addressing vulnerabilities in NetWeaver: CVE-2020-6296 (CVSS score 8.3) – code injection in NetWeaver (ABAP) and ABAP Platform; CVE-2020-6309 (CVSS score 7.5) – missing authentication in NetWeaver AS JAVA; and CVE-2020-6293 (CVSS score 7.3) – uncontrolled upload of files to NetWeaver (Knowledge Management).
According to Onapsis, if the fix for the Knowledge Management Hot News bug is not applied, then CVE-2020-6293, which enables an intruder to create, change or remove files in the Knowledge Management component, may be exploited without authentication. That significantly increases its CVSS score to 9.6, making it a critical bug.
SAP also published two High Priority Security Notes patching incomplete authentication checks, one in the Business Objects Business Intelligence System – CVE-2020-6294 (CVSS score 8.5) – and one in Banking Services (Generic Market Data) – CVE-2020-6298 (CVSS score 8.3) – and another note for Adaptive Server Enterprise (CVSS score 7).
Exploitation of any of these bugs may lead to denial of service, leakage of mouse and keyboard activity and the ability to record screenshots, reading of Secure Business Partner Generic Market Data (GMD), or reading of information in the installation log files.
All remaining Security Notes issued on the August 2020 Security Patch Day fix medium priority bugs, including XSS vulnerabilities in SAP Commerce, updated jQuery bundled with SAPUI5, and Business Objects Business Intelligence Platform (Central Management Console); information disclosure in Data Intelligence and in NetWeaver (ABAP Server) and ABAP Platform; and incomplete authorization checks in ERP (HCM Travel Management) and S/4 HANA (Fiori UI for General Ledger Accounting).