Critical flaw gives attackers control of vulnerable SAP business applications

SAP has issued patches to fix a critical vulnerability (CVE-2020-6287) that can lead to total compromise of vulnerable SAP installations by a remote, unauthenticated attacker.


The flaw affects a variety of SAP business solutions, including SAP Enterprise Resource Planning (ERP), SAP Supply Chain Management (SCM), SAP HR Portal, and others.

About the vulnerability (CVE-2020-6287)

Discovered and reported by Onapsis researchers and dubbed RECON (which stands for Remotely Exploitable Code On NetWeaver), CVE-2020-6287 is due to the lack of authentication in a web component (LM Configuration Wizard) of the SAP NetWeaver AS for Java versions 7.30 to 7.50. The vulnerability can be exploited through an HTTP interface – typically exposed to end users and often to the internet.

“If successfully exploited, a remote, unauthenticated attacker can obtain unrestricted access to SAP systems through the creation of high-privileged users and the execution of arbitrary operating system commands with the privileges of the SAP service user account (<sid>adm), which has unrestricted access to the SAP database and is able to perform application maintenance activities, such as shutting down federated SAP applications. The confidentiality, integrity, and availability of the data and processes hosted by the SAP application are at risk by this vulnerability,” the US Cybersecurity and Infrastructure Security Agency (CISA) explained.

Onapsis is set to release a report with more information about the flaw, but its CVSS base score of 10.0 (the maximum) already reflects that it can be exploited remotely, with low attack complexity, without prior authentication and without user interaction.

Patch quickly

The vulnerable component is used in many of SAP’s solutions: SAP S/4HANA, SAP Enterprise Resource Planning (ERP), SAP Product Lifecycle Management (PLM), SAP Customer Relationship Management (CRM), SAP Supply Chain Management (SCM), SAP Enterprise Portal, SAP Solution Manager, and many others.

“Due to the criticality of this vulnerability, the attack surface this vulnerability represents, and the importance of SAP’s business applications, the Cybersecurity and Infrastructure Security Agency (CISA) strongly recommends organizations immediately apply patches. CISA recommends organizations prioritize patching internet-facing systems, and then internal systems,” the agency noted.

“Organizations that are unable to immediately patch should mitigate the vulnerability by disabling the LM Configuration Wizard service (see SAP Security Note #2939665). Should these options be unavailable or if the actions will take more than 24 hours to complete, CISA strongly recommends closely monitoring your SAP NetWeaver AS for anomalous activity.”
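CISA's fallback advice, monitoring the NetWeaver AS for anomalous activity, can be turned into a concrete check. What follows is an added example and not code from the article, from CISA or from Onapsis: it parses a few constructed HTTP access-log lines and flags requests that reached the LM Configuration Wizard's web-service endpoint without an authenticated user and were served successfully, then lists the external addresses behind those hits. The path prefix /CTCWebService/, the simplified log layout and the list of internal address ranges are assumptions to adapt to your own instance and log source.

```python
import re
from ipaddress import ip_address, ip_network

# Assumption: the LM Configuration Wizard is reached through the CTC web service
# under this prefix. The article does not state the path; confirm it against
# your own NetWeaver AS Java instance before relying on it.
LM_WIZARD_PATH_PREFIX = "/CTCWebService/"

# Assumption: address ranges considered internal. Anything else is "external".
INTERNAL_NETS = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]

# Constructed sample lines in a simplified access-log layout:
# client_ip user(or "-" when unauthenticated) method path status
SAMPLE_LOG = """\
10.0.5.12 jdoe GET /irj/portal 200
203.0.113.45 - POST /CTCWebService/CTCWebServiceBean 200
203.0.113.45 - POST /CTCWebService/CTCWebServiceBean 200
10.0.5.77 admin GET /useradmin/index.jsp 200
198.51.100.9 - GET /CTCWebService/CTCWebServiceBean 401
"""

LOG_RE = re.compile(
    r"^(?P<ip>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not fit."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_internal(ip_text):
    """True if the client address falls inside one of the assumed internal ranges."""
    addr = ip_address(ip_text)
    return any(addr in net for net in INTERNAL_NETS)


def is_suspicious(rec):
    """Flag a request that hit the wizard endpoint with no authenticated user
    and was actually served (2xx). A 401/403 on the same path means the
    component was not reachable anonymously, so it is not flagged."""
    if not rec["path"].startswith(LM_WIZARD_PATH_PREFIX):
        return False
    unauthenticated = rec["user"] == "-"
    served = 200 <= rec["status"] < 300
    return unauthenticated and served


def find_suspicious(log_text):
    """Return every parsed record in log_text that is_suspicious() accepts."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_suspicious(rec):
            hits.append(rec)
    return hits


def external_sources(hits):
    """Distinct client addresses among the hits that are not internal."""
    return sorted({h["ip"] for h in hits if not is_internal(h["ip"])})


if __name__ == "__main__":
    found = find_suspicious(SAMPLE_LOG)
    for rec in found:
        print(f"anonymous {rec['method']} to {rec['path']} from {rec['ip']}")
    print("external sources:", external_sources(found))
```

A hit on this check is only the first signal; the next step is to correlate the timestamps with the user-management audit trail for newly created administrators and with OS-level process activity under the SAP service account, since those are the two outcomes the vulnerability enables.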

Onapsis researchers say that a scan they performed showed 2,500 vulnerable SAP systems exposed to the internet.
