Skip links

CVE-2020-26808 Code Injection in SAP AS ABAP and S/4 HANA (DMIS), SAP security note 2973735

Description

UPDATE 17th November 2020: This note has been re-released with updated ‘Support Packages & Patches’ information. For the release S4CORE 104, we added the support package SP00.

SAP AS ABAP and SAP S/4 HANA allows an authenticated attacker to inject arbitrary code in the application and change the course of execution. Due to lack of input validation, an attacker, who was granted access (S_RFC) to execute the function module can inject malicious ABAP code, which will be saved persistently in a report in the ABAP repository .

This report can then be executed by using the remote function module without additional authorization checks. The successful exploitation of the identified vulnerability can allow the attacker to take complete control of the affected system.

Available fix and Supported packages

  • DMIS | 2011_1_620 | 2011_1_620
  • DMIS | 2011_1_640 | 2011_1_640
  • DMIS | 2011_1_700 | 2011_1_700
  • DMIS | 2011_1_710 | 2011_1_710
  • DMIS | 2011_1_730 | 2011_1_730
  • DMIS | 2011_1_731 | 2011_1_731
  • DMIS | 2018_1_752 | 2018_1_752
  • DMIS | 2020 | 2020
  • S4CORE | 100 | 100
  • S4CORE | 101 | 101
  • S4CORE | 102 | 102
  • S4CORE | 103 | 103
  • S4CORE | 104 | 104
  • S4CORE | 105 | 105
  • DMIS 2018_1_752 | SAPK-20105INDMIS |
  • DMIS 2011_1_620 | SAPK-11120INDMIS |
  • DMIS 2011_1_640 | SAPK-11220INDMIS |
  • DMIS 2011_1_710 | SAPK-11420INDMIS |
  • DMIS 2011_1_730 | SAPK-11520INDMIS |
  • DMIS 2011_1_731 | SAPK-11620INDMIS |
  • DMIS 2011_1_700 | SAPK-11320INDMIS |
  • DMIS 2020 | SAPK-20201INDMIS |
  • | SAPK-123BHINSAPSCORE |
  • S4CORE 105 | SAPK-10501INS4CORE |
  • S4CORE 101 | SAPK-10110INS4CORE |
  • S4CORE 102 | SAPK-10208INS4CORE |
  • S4CORE 103 | SAPK-10306INS4CORE |
  • S4CORE 104 | SAPK-10404INS4CORE |

Affected component

    CA-LT-PCL
    Landscape Transformation – PCL Basis

CVSS

Score: 9.1
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Exploit

Detailed vulnerability information added to RedRays Security Platform. Contact [email protected] for details.

URL

https://launchpad.support.sap.com/#/notes/2973735

TAGS

#Command-Injection
#OS-command-injection
#insert-report
#Information-disclosure
#&160-CVE-2020-26808

How to detect over 4100 vulnerabilities in SAP Systems?

More to explorer

Initiating SAP Penetration Testing

►   Pentest, short for penetration testing, refers to a set of processes that simulate an attacker’s actions to identify security vulnerabilities. Companies