Skip links
Vahagn Vardanian

Vahagn Vardanian

Co-founder and CTO of RedRays

CVE-2020-26808 Code Injection in SAP AS ABAP and S/4 HANA (DMIS), SAP security note 2973735

Description

UPDATE 17th November 2020: This note has been re-released with updated ‘Support Packages & Patches’ information. For the release S4CORE 104, we added the support package SP00.

SAP AS ABAP and SAP S/4 HANA allows an authenticated attacker to inject arbitrary code in the application and change the course of execution. Due to lack of input validation, an attacker, who was granted access (S_RFC) to execute the function module can inject malicious ABAP code, which will be saved persistently in a report in the ABAP repository .

This report can then be executed by using the remote function module without additional authorization checks. The successful exploitation of the identified vulnerability can allow the attacker to take complete control of the affected system.

Available fix and Supported packages

  • DMIS | 2011_1_620 | 2011_1_620
  • DMIS | 2011_1_640 | 2011_1_640
  • DMIS | 2011_1_700 | 2011_1_700
  • DMIS | 2011_1_710 | 2011_1_710
  • DMIS | 2011_1_730 | 2011_1_730
  • DMIS | 2011_1_731 | 2011_1_731
  • DMIS | 2018_1_752 | 2018_1_752
  • DMIS | 2020 | 2020
  • S4CORE | 100 | 100
  • S4CORE | 101 | 101
  • S4CORE | 102 | 102
  • S4CORE | 103 | 103
  • S4CORE | 104 | 104
  • S4CORE | 105 | 105
  • DMIS 2018_1_752 | SAPK-20105INDMIS |
  • DMIS 2011_1_620 | SAPK-11120INDMIS |
  • DMIS 2011_1_640 | SAPK-11220INDMIS |
  • DMIS 2011_1_710 | SAPK-11420INDMIS |
  • DMIS 2011_1_730 | SAPK-11520INDMIS |
  • DMIS 2011_1_731 | SAPK-11620INDMIS |
  • DMIS 2011_1_700 | SAPK-11320INDMIS |
  • DMIS 2020 | SAPK-20201INDMIS |
  • | SAPK-123BHINSAPSCORE |
  • S4CORE 105 | SAPK-10501INS4CORE |
  • S4CORE 101 | SAPK-10110INS4CORE |
  • S4CORE 102 | SAPK-10208INS4CORE |
  • S4CORE 103 | SAPK-10306INS4CORE |
  • S4CORE 104 | SAPK-10404INS4CORE |

Affected component

    CA-LT-PCL
    Landscape Transformation – PCL Basis

CVSS

Score: 9.1
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

PoC

Detailed vulnerability information added to RedRays Security Platform. Contact [email protected] for details.

URL

https://launchpad.support.sap.com/#/notes/2973735

TAGS

#Command-Injection
#OS-command-injection
#insert-report
#Information-disclosure
#&160-CVE-2020-26808

Explore More

Special offer for SAP Security Udemy course!

$ 9.99

Join “SAP Security Core Concepts and Security Administration” which is part of the Blackhat course series.