CVE-2020-6364
📋 TL;DR
CVE-2020-6364 is a critical OS command injection vulnerability in SAP Solution Manager and SAP Focused Run that allows attackers to execute arbitrary commands by manipulating cookies. This affects systems running WILY_INTRO_ENTERPRISE versions 9.7, 10.1, 10.5, and 10.7. Successful exploitation gives attackers complete control over the host running CA Introscope Enterprise Manager.
💻 Affected Systems
- SAP Solution Manager
- SAP Focused Run
- CA Introscope Enterprise Manager
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise allowing attackers to read/modify all files, execute arbitrary commands, install malware, pivot to other systems, and cause complete system unavailability.
Likely Case
Unauthenticated remote code execution leading to data theft, system manipulation, and potential ransomware deployment.
If Mitigated
Limited impact with proper network segmentation, but still significant risk if perimeter controls fail.
🎯 Exploit Status
Public exploit code available since June 2021; exploitation requires only cookie manipulation via HTTP requests.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Apply SAP Security Note 2969828
Vendor Advisory: https://launchpad.support.sap.com/#/notes/2969828
Restart Required: Yes
Instructions:
1. Download and apply SAP Security Note 2969828.
2. Restart affected SAP services.
3. Verify patch application via version check.
🔧 Temporary Workarounds
Network Segmentation
Isolate affected systems from untrusted networks and limit access to trusted IPs only. The ACCEPT rule must be evaluated before the DROP rule, so append them in this order (or insert both with -I if the chain already holds a broader ACCEPT that would match first).
iptables -A INPUT -p tcp --dport [SAP_PORT] -s [TRUSTED_IP] -j ACCEPT
iptables -A INPUT -p tcp --dport [SAP_PORT] -j DROP
Web Application Firewall Rules
Block malicious cookie patterns containing OS command injection attempts.
🧯 If You Can't Patch
- Immediately isolate affected systems from all networks except management access
- Implement strict network access controls and monitor all traffic to/from affected systems
🔍 How to Verify
Check if Vulnerable:
Check if running affected WILY_INTRO_ENTERPRISE versions 9.7, 10.1, 10.5, or 10.7 without SAP Note 2969828 applied.
Check Version:
Check SAP system logs or the administration console for WILY_INTRO_ENTERPRISE version information.
Verify Fix Applied:
Verify SAP Note 2969828 is applied and system no longer executes commands via manipulated cookies.
📡 Detection & Monitoring
Log Indicators:
- Unusual OS command execution in SAP logs
- Multiple failed authentication attempts followed by successful access
- Suspicious cookie values in web server logs
Network Indicators:
- HTTP requests with manipulated cookie parameters
- Outbound connections from SAP systems to unexpected destinations
SIEM Query:
source="sap_logs" AND ("os.execute" OR "Runtime.exec" OR suspicious_cookie_pattern)
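The "suspicious cookie values in web server logs" indicator above, and the WAF workaround of blocking cookie values that carry OS command injection attempts, can be checked offline against an access log. The scanner below is an added example written for this page, not code from SAP, CA or the advisory. It assumes a custom access-log format that records the Cookie request header in a cookie="..." field (a server configuration choice, not a default); the log lines, IP addresses, request paths and cookie names are all constructed. Cookie values are URL-decoded before inspection because a raw ";" would otherwise be absorbed by the cookie separator and never reach the check.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (assumption: the web server is configured
# to log the Cookie request header as a trailing cookie="..." field).
SAMPLE_LOG = """\
10.0.0.5 - - [15/Jun/2021:10:01:02 +0000] "GET /example/index.jsp HTTP/1.1" 200 512 cookie="JSESSIONID=A1B2C3; lang=en"
10.0.0.9 - - [15/Jun/2021:10:01:07 +0000] "GET /example/index.jsp HTTP/1.1" 200 512 cookie="JSESSIONID=D4E5F6; theme=dark%3B%20id"
10.0.0.9 - - [15/Jun/2021:10:01:09 +0000] "GET /example/index.jsp HTTP/1.1" 500 0 cookie="JSESSIONID=D4E5F6; theme=%24%28id%29"
10.0.0.7 - - [15/Jun/2021:10:02:00 +0000] "GET /example/index.jsp HTTP/1.1" 200 512 cookie="JSESSIONID=G7H8I9; theme=light"
"""

# Combined-log style prefix followed by the constructed cookie="..." field.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ cookie="(?P<cookie>[^"]*)"'
)

# Shell separators and substitution syntax that have no legitimate place in a cookie value.
META_RE = re.compile(r'[;|&`\r\n]|\$\(|\$\{')


def decode_value(value):
    """URL-decode until the value stops changing (catches double encoding)."""
    previous = None
    for _ in range(3):
        if value == previous:
            break
        previous, value = value, unquote(value)
    return value


def parse_cookies(header):
    """Split a raw Cookie header into {name: raw_value} without decoding."""
    cookies = {}
    for part in header.split(';'):
        if '=' in part:
            name, raw = part.strip().split('=', 1)
            cookies[name.strip()] = raw
    return cookies


def scan_line(line):
    """Return a finding dict for a log line whose decoded cookie values contain
    shell metacharacters, or None if the line is clean or unparseable."""
    match = LINE_RE.match(line)
    if not match:
        return None
    hits = []
    for name, raw in parse_cookies(match['cookie']).items():
        decoded = decode_value(raw)
        if META_RE.search(decoded):
            hits.append((name, decoded))
    if not hits:
        return None
    return {
        'ip': match['ip'],
        'ts': match['ts'],
        'status': int(match['status']),
        'cookies': hits,
    }


def scan_log(text):
    """Scan every non-empty line and return the list of findings in log order."""
    findings = []
    for line in text.splitlines():
        if line.strip():
            result = scan_line(line)
            if result:
                findings.append(result)
    return findings


if __name__ == '__main__':
    for finding in scan_log(SAMPLE_LOG):
        print(f"{finding['ts']} {finding['ip']} status={finding['status']} "
              f"suspicious cookies={finding['cookies']}")
```

Run against a real log, the same source IP producing several hits in a short window, especially paired with 5xx responses, is the pattern worth escalating; a single hit on a benign-looking cookie such as a free-text preference field may be a false positive, so tune META_RE per application rather than blocking on it blindly.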
🔗 References
- http://packetstormsecurity.com/files/163153/SAP-Wily-Introscope-Enterprise-OS-Command-Injection.html
- http://seclists.org/fulldisclosure/2021/Jun/28
- https://launchpad.support.sap.com/#/notes/2969828
- https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=558632196