The U.S. Department of Homeland Security’s Cybersecurity & Infrastructure Security Agency has issued an alert about a critical vulnerability in the SAP NetWeaver Application Server (AS) Java component LM Configuration Wizard.
The flaw, tracked as CVE-2020-6287, can be exploited through HTTP and would allow an attacker to take full control of vulnerable SAP applications. The flaw was discovered by researchers at Onapsis who named the vulnerability RECON (Remotely Exploitable Code On NetWeaver). The flaw has been assigned the maximum CVSS v3 severity score of 10 out of 10 and affects more than a dozen SAP Java-based solutions.
SAP released a security update on July 13, 2020 to correct the flaw. Organizations that use SAP have been advised to apply the update as soon as possible to prevent exploitation, prioritizing internet-facing systems and then addressing internal systems.
CISA is unaware of any exploitation of the flaw in the wild. However, since exploitation would give an attacker access to SAP's business applications and a host of sensitive data, it is only a matter of time before an exploit for the flaw is developed and used in real-world attacks.
Exploitation of the vulnerability would allow a remote attacker to obtain or modify financial records, change bank account information, obtain personally identifiable information, take control of purchasing processes, achieve operating system command execution, modify or delete files and logs, and sabotage or disrupt business operations. An attacker could, for instance, create a new user with maximum privileges after bypassing all access and authentication controls. The flaw can be exploited through an HTTP interface, which is usually available to end users, and in many cases is accessible over the internet.
The flaw affects SAP applications running on top of SAP NetWeaver AS Java, versions 7.3 to 7.5 and is due to a lack of authentication in the web component of SAP NetWeaver AS for Java. It has been estimated that around 40,000 users of SAP may be affected, 33% of whom are located in North America, 29% in Europe, and 27% in Asia-Pacific.
According to CISA, the flaw has been confirmed as affecting the following SAP solutions, although others may also be affected:
- SAP Enterprise Resource Planning
- SAP Product Lifecycle Management
- SAP Customer Relationship Management
- SAP Supply Chain Management
- SAP Supplier Relationship Management
- SAP NetWeaver Business Warehouse
- SAP Business Intelligence
- SAP NetWeaver Mobile Infrastructure
- SAP Enterprise Portal
- SAP Process Orchestration/Process Integration
- SAP Solution Manager
- SAP NetWeaver Development Infrastructure
- SAP Central Process Scheduling
- SAP NetWeaver Composition Environment
- SAP Landscape Manager