CVE-2020-26808

7.2 HIGH

📋 TL;DR

This CVE describes a code injection vulnerability in SAP AS ABAP(DMIS) and SAP S4 HANA(DMIS) that allows authenticated attackers to execute arbitrary code. The vulnerability affects confidentiality, integrity, and availability of the application. Only authenticated users can exploit this vulnerability.

💻 Affected Systems

Products:
  • SAP AS ABAP(DMIS)
  • SAP S4 HANA(DMIS)
Versions: SAP AS ABAP(DMIS): 2011_1_620, 2011_1_640, 2011_1_700, 2011_1_710, 2011_1_730, 2011_1_731, 2011_1_752, 2020; SAP S4 HANA(DMIS): 101, 102, 103, 104, 105
Operating Systems: All supported SAP platforms
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated access to the affected SAP systems. DMIS component must be installed and active.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise allowing attacker to execute arbitrary code, access sensitive data, disrupt operations, and potentially pivot to other systems.

🟠 Likely Case

Data theft, application manipulation, or service disruption by authenticated malicious users or compromised accounts.

🟢 If Mitigated

Limited impact due to proper authentication controls, network segmentation, and monitoring preventing successful exploitation.

🌐 Internet-Facing: MEDIUM - While authentication is required, internet-facing SAP systems with user accounts are vulnerable if patching is delayed.
🏢 Internal Only: HIGH - Internal authenticated users or compromised accounts can exploit this to gain elevated privileges and access sensitive business data.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploit details and proof-of-concept code are publicly available. Requires authenticated access but technical complexity is moderate for attackers with SAP knowledge.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apply SAP Security Note 2973735

Vendor Advisory: https://launchpad.support.sap.com/#/notes/2973735

Restart Required: Yes

Instructions:

1. Download SAP Note 2973735 from SAP Support Portal.
2. Apply the correction instructions provided in the note.
3. Restart the affected SAP systems.
4. Verify the patch is applied correctly.

🔧 Temporary Workarounds

Restrict Function Module Access

all

Apply authorization controls to limit access to vulnerable function modules

Use SAP transaction SU24 to adjust authorization objects for affected function modules

Network Segmentation

all

Isolate SAP systems from untrusted networks and implement strict firewall rules

🧯 If You Can't Patch

  • Implement strict access controls and monitor for suspicious activity by authenticated users
  • Deploy web application firewall (WAF) with SAP-specific rules to detect and block injection attempts

🔍 How to Verify

Check if Vulnerable:

Check SAP system version and verify if Security Note 2973735 is applied using transaction SNOTE

Check Version:

Execute transaction SM51 to check SAP system version and kernel release

Verify Fix Applied:

Verify that Security Note 2973735 is successfully implemented and that transaction SNOTE shows no errors

📡 Detection & Monitoring

Log Indicators:

  • Unusual function module executions
  • Authorization failures for sensitive transactions
  • Multiple failed authentication attempts followed by successful login

Network Indicators:

  • Unusual SAP protocol traffic patterns
  • Requests to vulnerable function modules from unexpected sources

SIEM Query:

source="sap_audit_log" AND (event_type="function_module_execution" AND module_name IN [vulnerable_modules])
