Missing Authentication Check in SAP Solution Manager
Description
SAP Solution Manager version 7.2 contains a critical authentication bypass vulnerability in its User Experience Monitoring component. A service endpoint fails to perform an authentication check before processing requests, so a remote attacker can invoke it without valid credentials. This vulnerability affects all SAP Diagnostics (SMDAgent) instances that are connected to the vulnerable Solution Manager deployment.
Remediation
Apply the security patches released by SAP in the March 2020 Security Patch Day immediately. Follow these steps to remediate the vulnerability:
1. Review SAP Security Note 2890213 (associated with CVE-2020-6207) in the SAP Support Portal
2. Download and apply the appropriate support package or patch for SAP Solution Manager 7.2
3. Verify that authentication is properly enforced on the User Experience Monitoring service endpoints after patching
4. Review system logs for any suspicious activity or unauthorized access attempts prior to patching
5. If immediate patching is not possible, implement network-level access controls to restrict access to the Solution Manager service endpoints to trusted IP addresses only as a temporary mitigation
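A post-patch check for step 3, which also recognises the network restriction from step 5, added here as an example rather than SAP's or the advisory's own code: it sends one credential-less request to the monitoring endpoint and classifies the response. The host name and the endpoint path are placeholders, since the advisory does not give the service path; substitute your own.

```python
"""Verify that the User Experience Monitoring endpoint rejects unauthenticated
requests after applying SAP Note 2890213 (CVE-2020-6207). Added example."""
import socket
import urllib.error
import urllib.request

# Placeholders: the advisory does not give the service path; set these for your system.
SOLMAN_BASE_URL = "https://solman.example.internal:50001"
UXMON_ENDPOINT = "/PLACEHOLDER_UXMON_SERVICE_PATH"


def classify(status, headers):
    """Interpret the outcome of a request sent without credentials.

    'enforced'  - server demanded credentials (401/403, or a redirect to a login page)
    'exposed'   - request was processed anonymously (the pre-patch behaviour)
    'blocked'   - no HTTP answer at all, consistent with network-level access controls
    'unclear'   - anything else; inspect manually
    """
    if status is None:
        return "blocked"
    hdrs = {k.lower(): v for k, v in headers.items()}
    if status in (401, 403):
        return "enforced"
    if status in (301, 302, 303, 307) and "login" in hdrs.get("location", "").lower():
        return "enforced"
    if 200 <= status < 300:
        return "exposed"
    return "unclear"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Do not follow redirects: a 3xx to a login page is itself the evidence we want.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(url, timeout=5.0):
    """Send one GET with no credentials; return (status, headers), status None if unreachable."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(urllib.request.Request(url), timeout=timeout) as resp:
            return resp.status, dict(resp.headers)
    except urllib.error.HTTPError as e:  # 3xx/4xx/5xx arrive here with headers intact
        return e.code, dict(e.headers)
    except (urllib.error.URLError, socket.timeout, ConnectionError):
        return None, {}


if __name__ == "__main__":
    status, headers = probe(SOLMAN_BASE_URL + UXMON_ENDPOINT)
    print(UXMON_ENDPOINT, status, classify(status, headers))
```

Run it before and after patching: a system that still answers 'exposed' has not had the fix applied, while 'blocked' only confirms the interim network restriction, not the patch itself.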
Consult the official SAP Security Patch Day documentation (March 2020) for detailed installation instructions and any additional configuration requirements.