Governance & Risk Management , IT Risk Management , Patch Management

Users Urged to Patch Critical Flaw in SAP NetWeaver AS

If Exploited, Attackers Could Gain Full Control of Sensitive Operations
Users Urged to Patch Critical Flaw in SAP NetWeaver AS

Cybersecurity experts are pushing organizations to immediately patch a critical zero-day vulnerability in SAP's NetWeaver Application Server because threat actors are likely searching for networks that are susceptible to the flaw, dubbed CVE-2020-6287.

See Also: Finding and Managing the Risk in your IT Estate: A Comprehensive Overview

On Wednesday, security firm Bad Packets spotted a proof-of-concept exploit for this SAP vulnerability, although the researcher who posted it on GitHub stressed it's for education and testing purposes only.

SAP NetWeaver Application Server is widely used - often as the framework to help protect an organization's most important data, according to the Cybersecurity and Infrastructure Security Agency, which issued an alert about the flaw on Monday. The vulnerability, which is also called RECON, is in SAP NetWeaver Application Server Java component LM Configuration Wizard versions 7.30, 7.31, 7.40 and 7.50.

"Due to the criticality of this vulnerability, the attack surface this vulnerability represents and the importance of SAP’s business applications, the Cybersecurity and Infrastructure Security Agency strongly recommends organizations immediately apply patches,” the CISA advisory states. “CISA recommends organizations prioritize patching internet-facing systems, and then internal systems."

This is the second time in less than two months SAP has had to patch critical vulnerabilities. In June, researchers at the security firm Trustwave disclosed six vulnerabilities in SAP Adaptive Server Enterprise 16.0 database software (see: Researchers Disclose 2 Critical Vulnerabilities in SAP ASE).

Potential Exploits

Bob Huber, CSO at security firm Tenable, notes that exploiting this latest vulnerability could give an attacker control over extremely sensitive operations.

"The SAP Netweaver vulnerability could impact over 40,000 enterprises globally and would give adversaries free rein over mission-critical applications, including supply chain management and enterprise resource planning," Huber tells Information Security Media Group.

A full, malicious exploit has not been spotted in the wild, but one could quickly emerge, says Casey Ellis, CTO and founder of bug hunting firm Bugcrowd.

"Even when a patch is issued, successfully ensuring every application is patched becomes a race against malicious actors that know exactly what software they should be targeting," Ellis says.

RECON Details

The CISA alert notes that the vulnerability was identified in a component that is part of the SAP NetWeaver AS Java. This technology stack is part of the SAP Solution Manager, which is a support and system management suite. The vulnerability is viable due to the lack of authentication in a web component of the SAP NetWeaver AS for Java, which allows for several high-privileged activities on the SAP system.

"If successfully exploited, a remote, unauthenticated attacker can obtain unrestricted access to SAP systems through the creation of high-privileged users and the execution of arbitrary operating system commands with the privileges of the SAP service user account (adm), which has unrestricted access to the SAP database and is able to perform application maintenance activities, such as shutting down federated SAP applications," CISA warns.

If an organization cannot immediately patch this vulnerability, CISA recommends mitigating the vulnerability by disabling the LM Configuration Wizard service. If this cannot be done or is expected to take more than 24 hours to complete, CISA strongly recommends closely monitoring SAP NetWeaver AS for anomalous activity.

Compliance Issues

Patching is also a priority because any organization that is compromised could find itself open to regulatory consequences for violating the U.S. Sarbanes-Oxley Act or the European Union's General Data Protection Regulation, Huber says.

"This vulnerability would give cybercriminals access to highly sensitive and private data, with potential economic, physical and social consequences. This includes theft of IP and trade secrets, releasing fraudulent payments and modifying financial records," Huber says.

About the Author

Doug Olenick

Doug Olenick

Former News Editor, ISMG

Olenick has covered the cybersecurity and computer technology sectors for more than 25 years. Prior to his stint as ISMG as news editor, Olenick was online editor for SC Media, where he covered every aspect of the cybersecurity industry and managed the brand's online presence. Earlier, he worked at TWICE - This Week in Consumer Electronics - for 15 years. He also has contributed to, TheStreet and Mainstreet.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.