CVE-2020-26823 – This vulnerability allows unauthenticated attac... (How to Fix)

Q: What is the severity of CVE-2020-26823?

CVE-2020-26823 has a CVSS score of 10.0 (CRITICAL). This vulnerability allows unauthenticated attackers to compromise SAP Solution Manager systems due to missing authorization checks in the Upgrade Diagnostics Agent Connection Service. Attackers can impact system integrity and availability, affecting all organizations running the vulnerable version without proper network controls.

📋 TL;DR

This vulnerability allows unauthenticated attackers to compromise SAP Solution Manager systems due to missing authorization checks in the Upgrade Diagnostics Agent Connection Service. Attackers can impact system integrity and availability, affecting all organizations running the vulnerable version without proper network controls.

💻 Affected Systems

Products:

SAP Solution Manager (JAVA stack)

Versions: Version 7.20

Operating Systems: All supported OS for SAP Solution Manager

Default Config Vulnerable: ⚠️ Yes

Notes: Affects default installations; no special configuration required for exploitation.

📦 What is this software?

Solution Manager by Sap

View all CVEs affecting Solution Manager →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise allowing attackers to execute arbitrary code, disrupt operations, and potentially pivot to other systems in the SAP landscape.

🟠

Likely Case

Service disruption and unauthorized access to sensitive diagnostic data, potentially leading to further exploitation of the SAP environment.

🟢

If Mitigated

Limited impact if proper network segmentation and authentication controls prevent unauthenticated access to the vulnerable service.

🌐 Internet-Facing: HIGH - Unauthenticated remote exploitation possible if service is exposed to the internet.

🏢 Internal Only: HIGH - Even internally, unauthenticated attackers on the network can exploit this vulnerability.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Missing authorization checks make exploitation straightforward for attackers who can reach the vulnerable service.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apply SAP Security Note 2985866

Vendor Advisory: https://launchpad.support.sap.com/#/notes/2985866

Restart Required: Yes

Instructions:

1. Download SAP Note 2985866 from SAP Support Portal. 2. Apply the security patch following SAP's standard patching procedures. 3. Restart the affected SAP Solution Manager services.

🔧 Temporary Workarounds

Network Access Control

all

Restrict network access to the Upgrade Diagnostics Agent Connection Service to only trusted hosts.

Use firewall rules to block external access to port 50013 (default Diagnostics Agent port)

Service Disablement

all

Temporarily disable the vulnerable Upgrade Diagnostics Agent Connection Service if not required.

Consult SAP documentation for service disablement procedures specific to your installation

🧯 If You Can't Patch

Implement strict network segmentation to isolate SAP Solution Manager from untrusted networks
Monitor for unusual connections to the Diagnostics Agent service and implement intrusion detection rules

🔍 How to Verify

Check if Vulnerable:

Check if SAP Solution Manager version is 7.20 and SAP Note 2985866 is not applied. Review system logs for unauthorized access attempts to the Diagnostics Agent service.

Check Version:

Use SAP transaction SM51 or check the SAP system information in the SAP GUI

Verify Fix Applied:

Verify SAP Note 2985866 is applied successfully and test that unauthenticated access to the Upgrade Diagnostics Agent Connection Service is no longer possible.

📡 Detection & Monitoring

Log Indicators:

Unauthenticated connection attempts to the Upgrade Diagnostics Agent service
Unusual process execution or service restarts

Network Indicators:

Unexpected traffic to port 50013 from unauthorized sources
Anomalous network patterns to/from SAP Solution Manager

SIEM Query:

source_port:50013 AND (NOT user_authenticated:true) OR event_description:"Upgrade Diagnostics Agent" AND result:"failure"

📊 Metadata

CVE ID: CVE-2020-26823

CVSS v3 Score: 10.0 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H

CWE: CWE-306

Published: November 10, 2020

Last Updated: November 21, 2024

🔗 References

https://launchpad.support.sap.com/#/notes/2985866 Permissions Required,Vendor Advisory
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=562725571 Vendor Advisory
https://launchpad.support.sap.com/#/notes/2985866 Permissions Required,Vendor Advisory
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=562725571 Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2020-26823, you might also want to check these: