CVE-2020-6318: SAP Patches Code Injection Flaw in SAP NetWeaver (ABAP Server)
On September 8, SAP published 16 security notes for its September Security Patch Day, also known as SPD, which coincides with Microsoft’s Patch Tuesday release. Of the 16 notes listed in September, 6 were updates to previously released security notes.
One of the more important notes this month is a fix for CVE-2020-6318, a code injection vulnerability in SAP NetWeaver designated as High priority, as it received a CVSSv3 score of 9.1. In its security note, SAP says that an attacker who exploits this vulnerability could “take complete control of products” that includes “viewing, changing, or deleting data” in the application’s “working memory,” which is “subsequently executed by the application.”
SAP specifies that the vulnerability exists in “some function modules” for SAP Business Warehouse, but notes that because the vulnerability is “platform specific,” it only affects its Advanced Business Application Programming (ABAP) servers such as DB4 and Sybase.
As part of the security note, SAP stresses that this vulnerability is “not relevant” for ABAP for Cloud Environment and that its attack vector “cannot be executed in SAP cloud products.”
In July, SAP released a security note for CVE-2020-6287, a critical vulnerability in SAP NetWeaver’s Application Server JAVA (AS JAVA) that was dubbed “RECON” by the researchers who discovered it. Unlike the RECON vulnerability, which was the result of a “complete lack of authentication” in the configuration wizard component of NetWeaver AS JAVA, CVE-2020-6318 requires an attacker to be authenticated, thus limiting its overall impact.
At the time the security note was released, no proof-of-concept code was available for CVE-2020-6318. Tenable’s Security Response Team will continue to monitor for additional information related to this vulnerability.