'Patch critical SAP RECON vulnerability immediately', urges CISA

The bug could enable a remote, unauthenticated attacker to gain control of SAP applications and steal data

The US Cybersecurity and Infrastructure Security Agency (CISA) is urging organisations to patch a critical vulnerability, which could allow attackers to take control of trusted SAP applications.

On Monday, CISA issued an alert advising organisations to immediately patch their internet-facing as well as internal systems.

According to CISA, the vulnerability, indexed as CVE-2020-6287, affects the SAP NetWeaver Application Server (AS) Java component LM Configuration Wizard. It could enable a remote, unauthenticated attacker to gain control of SAP applications and steal or alter data, after exploiting the flaw through the Hypertext Transfer Protocol (HTTP).

After successfully exploiting the bug, the attacker can create high-privileged users and execute arbitrary OS commands with the privileges of the SAP service user account having unrestricted access to the SAP database.

On Monday, SAP released a patch for the vulnerability as part of is July patch update round.

Onapsis Research Labs, which uncovered the flaw, has named it RECON (Remotely Exploitable Code On NetWeaver). The company warned that the bug, which has a CVSS score of 10 out of 10, could affect more than 40,000 SAP customers worldwide.

The flaw exists by default in SAP applications running on top of SAP NetWeaver AS Java 7.3 and any newer versions (up to SAP NetWeaver 7.5).

Potentially vulnerable business solutions include any SAP Java-based solutions, such as:

• SAP Product Lifecycle Management
• SAP Enterprise Resource Planning
• SAP Supplier Relationship Management
• SAP Supply Chain Management
• SAP Customer Relationship Management
• SAP NetWeaver Business Warehouse
• SAP NetWeaver Mobile Infrastructure
• SAP Business Intelligence
• SAP Solution Manager
• SAP Enterprise Portal
• SAP NetWeaver Development Infrastructure
• SAP Process Orchestration/Process Integration
• SAP NetWeaver Composition Environment
• SAP Landscape Manager
• SAP Central Process Scheduling

"The impact of this flaw is what makes it different from other SAP vulnerabilities," said Onapsis' Pablo Artuso, who discovered the bug.

"Because it resides in a common layer, it means that several SAP products are vulnerable — not only internet-facing products, but also ones that are highly connected with other SAP systems such as Solution Manager."

Organisations that are currently unable to patch their systems are advised to mitigate the vulnerability by disabling the LM Configuration Wizard service.

CISA also recommends admins to closely monitor their SAP NetWeaver AS for any anomalous activity.

CISA said that it unaware of any active exploitation of the bug by attackers. But, attackers can reverse-engineer the publicly available patch to create exploits to target unpatched systems in coming days, the agency warned.

Threat intelligence firm Bad Packets also stated that they have detected active reconnaissance scans currently underway to exploit vulnerable systems.