Onapsis Identifies New Bug that Could Compromise SAP's Corporate Servers

According to Onapsis, RECON is caused due to a lack of authentication in the web component of the SAP NetWeaver AS for Java.

FREMONT, CA: SAP has patched a critical vulnerability that impacts the LM Configuration Wizard component in the NetWeaver Application Server (AS) Java platform, allowing an unauthenticated attacker to control SAP applications. According to the cybersecurity firm, the bug dubbed as RECON and tracked as CVE-2020-6287 was rated with a maximum CVSS score, a 10 out of 10, potentially affecting over 40,000 SAP customers Onapsis, which uncovered the flaw.

"If successfully exploited, a remote, unauthenticated attacker can obtain unrestricted access to SAP systems through the creation of high-privileged users and the execution of arbitrary operating system commands with the privileges of the SAP service user account, which has unrestricted access to the SAP database and is able to perform application maintenance activities, such as shutting down federated SAP applications," read a statement by the U.S. Cybersecurity and Infrastructure Security Agency (CISA). "The confidentiality, integrity, and availability of the data and processes hosted by the SAP application are at risk by this vulnerability," the statement added.

For SAP applications running on top of SAP NetWeaver AS Java 7.3 and newer (up to SAP NetWeaver 7.5), the vulnerability is present by default. This puts several SAP business solutions at risk, including but not limited to SAP Enterprise Resource Planning, SAP Product Lifecycle Management, SAP Customer Relationship Management, SAP Supply Chain Management, SAP Business Intelligence, and SAP Enterprise Portal.

According to Onapsis, RECON is caused due to a lack of authentication in the web component of the SAP NetWeaver AS for Java. This allows an attacker to perform high-privileged activities on the susceptible SAP system. "A remote, unauthenticated attacker can exploit this vulnerability through an HTTP interface, which is typically exposed to end users and, in many cases, exposed to the internet," CISA stated.

By exploiting the flaw to create a new SAP user with the highest privileges, the intruder will be able to compromise SAP installations to execute arbitrary commands, such as modifying or extracting highly sensitive information and disrupting critical business processes. While there is no evidence of active exploitation of the vulnerability, CISA has cautioned that the patches' availability could make it easier for adversaries to reverse-engineer the flaw to create exploits and target unpatched systems.