CVE-2020-26837

9.1 CRITICAL

📋 TL;DR

CVE-2020-26837 is a path traversal vulnerability in SAP Solution Manager 7.2's User Experience Monitoring component that allows authenticated users to upload malicious scripts. This enables file system access, configuration modification, and service disruption. Organizations running SAP Solution Manager 7.2 with User Experience Monitoring enabled are affected.

💻 Affected Systems

Products:
  • SAP Solution Manager
Versions: 7.2
Operating Systems: All platforms running SAP Solution Manager
Default Config Vulnerable: ⚠️ Yes
Notes: Requires User Experience Monitoring component to be enabled and authenticated user access.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise including sensitive data exfiltration, configuration tampering leading to business disruption, and denial of service affecting critical SAP operations.

🟠 Likely Case

Unauthorized file access exposing sensitive configuration files, partial system modification, and intermittent service disruptions affecting monitoring capabilities.

🟢 If Mitigated

Limited impact due to network segmentation, strict authentication controls, and monitoring preventing successful exploitation attempts.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access but is straightforward once access is obtained. Public exploit details available in security advisories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apply SAP Security Note 2983204

Vendor Advisory: https://launchpad.support.sap.com/#/notes/2983204

Restart Required: Yes

Instructions:

1. Download SAP Security Note 2983204 from the SAP Support Portal.
2. Apply the note using SAP Solution Manager's maintenance tools.
3. Restart the affected services.
4. Verify that the note was applied through transaction SNOTE.

🔧 Temporary Workarounds

Disable User Experience Monitoring

Temporarily disable the vulnerable User Experience Monitoring component until patching can be completed.

Transaction SOLMAN_SETUP -> Configuration -> Disable User Experience Monitoring

Restrict User Privileges

Limit authenticated user access to only essential functions and implement least privilege principles.

Transaction PFCG -> Restrict roles for Solution Manager users

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate SAP Solution Manager from critical systems
  • Enhance monitoring for file upload activities and path traversal attempts in application logs

🔍 How to Verify

Check if Vulnerable:

Check whether the SAP Solution Manager version is 7.2 and whether User Experience Monitoring is enabled (transaction SOLMAN_SETUP).

Check Version:

Transaction SM51 -> System -> Status -> Check component versions

Verify Fix Applied:

Verify SAP Security Note 2983204 is applied using transaction SNOTE and check note status.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file upload activities in /usr/sap/trans directory
  • Path traversal patterns in web server logs
  • Unauthorized file access attempts in security audit logs

Network Indicators:

  • HTTP requests with directory traversal sequences to Solution Manager endpoints
  • Unusual file transfer patterns from Solution Manager servers

SIEM Query:

source="sap_logs" AND ("../" OR "..\\" OR "%2e%2e" OR "%2E%2E") AND (dest_port=80 OR dest_port=443)