SAP Host Control Local Privilege Escalation

A malicious authenticated attacker, with privileges of SAP SMD Agent access, can exploit certain SAP Host Control functions due to missing input checking, in order to escalate its privileges and execute commands as root/system user. SAPHOSTAGENT versions 7.21 SP045 and lower are affected.

MD5 | cd82c2decad0c6dcc50f95839bfbec49

# Onapsis Security Advisory 2021-0002: [CVE-2020-6234] - SAP Multiple root
LPE through SAP Host Control

## Impact on Business

A malicious authenticated attacker, with privileges of SAP SMD Agent
access, can exploit
certain SAP Host Control functions due to missing input checking, in order
to escalate its
privileges and execute commands as root/system user.

## Advisory Information

- Security Advisory ID: ONAPSIS-2021-0002
- Vulnerability Submission ID: 802, 803, 804
- Researcher(s): Pablo Artuso, Yvan Genuer

## Vulnerability Information

- Vendor: SAP
- Affected Components:
- SAPHOSTAGENT 7.21 SP045 and lower

(Check SAP Note 2902645 for detailed information on affected releases)
- Vulnerability Class: [CWE-78] Improper Neutralization of Special Elements
in an OS Command
- CVSS v3 score: 7.2 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)
- Risk Level: High
- Assigned CVE: CVE-2020-6234
- Vendor patch Information: SAP Security NOTE 2902645

## Affected Components Description

The SAP Host Agent is an agent which allows controlling and monitoring SAP
and non-SAP instances.

## Vulnerability Details

Some processes part of the SAP Host Agent run as root. This product is
usually installed
automatically when a new SAP system is installed. In order to expose its
the SAP Host Agent provides a SOAP interface, on ports 1128 or 1129 (TLS).
Every function exposed by this service requires high privileges.

If an attacker gets privileges of SAP SMD Agent OS user, it will be able to
interact with
the Host Agents’ exposed SOAP interface, allowing them to execute any
functionality. Because
of a lack of sanitization of certain parameters, several exposed functions
were vulnerable
to OS command injection. As some of these functions are executed with
root/system privileges,
it is possible to perform a local privilege escalation from SAP SMD Agent
user to root/system.

## Solution
SAP has released SAP Note 2902645 which provide patched versions of the
affected components.

The patches can be downloaded from

Onapsis strongly recommends SAP customers to download the related
security fixes and apply them to the affected components in order to
reduce business risks.

## Report Timeline

- 12/09/2019 - Onapsis provides details to SAP
- 01/12/2020 - SAP provides update: "Vulnerability in progress".
- 02/10/2020 - SAP provides update: "Vulnerability in progress".
- 03/09/2020 - SAP Provides update: "Vulnerability In progress".
- 04/13/2020 - SAP releases SAP Security note addressing the issue.

## References

- Onapsis blogpost:
- Black Hat 2020 presentation (white paper, slides and video):
- CVE Mitre:
- Vendor Patch:

## About Onapsis Research Labs

Onapsis Research Labs provides the industry analysis of key security
issues that impact business-critical systems and applications.
Delivering frequent and timely security and compliance advisories with
associated risk levels, Onapsis Research Labs combine in-depth knowledge
and experience to deliver technical and business-context with sound
security judgment to the broader information security community.

Find all reported vulnerabilities at

## About Onapsis, Inc.

Onapsis protects the mission-critical applications that run the
global economy, from the core to the cloud. The Onapsis Platform
uniquely delivers actionable insight, secure change, automated
governance and continuous monitoring for critical systems—ERP,
CRM, PLM, HCM, SCM and BI applications—from leading vendors
such as SAP, Oracle, Salesforce and others.

Onapsis is headquartered in Boston, MA, with offices in Heidelberg,
Germany and Buenos Aires, Argentina. We proudly serve more than 300
of the world’s leading brands, including 20% of the Fortune 100, 6
of the top 10 automotive companies, 5 of the top 10 chemical companies,
4 of the top 10 technology companies and 3 of the top 10 oil and gas

The Onapsis Platform is powered by the Onapsis Research Labs,
the team responsible for the discovery and mitigation of more than
800 zero-day vulnerabilities in mission-critical applications.
The reach of our threat research and platform is broadened through
leading consulting and audit firms such as Accenture, Deloitte, IBM,
PwC and Verizon—making Onapsis solutions the standard in helping
organizations protect their cloud, hybrid and on-premises mission-critical
information and processes.

For more information, connect with us on Twitter or LinkedIn, or visit us

This email and any files transmitted with it are confidential and intended
solely for the use of the individual or entity to whom they are addressed.
If you have received this email in error please notify the system manager.
This message contains confidential information and is intended only for the
individual named. If you are not the named addressee you should not
disseminate, distribute or copy this e-mail.
Please notify the sender
immediately by e-mail if you have received this e-mail by mistake and
delete this e-mail from your system. If you are not the intended recipient
you are notified that disclosing, copying, distributing or taking any
action in reliance on the contents of this information is strictly

Related Posts