A new highly critical vulnerability was patched by SAP, that affected the LM Configuration Wizard component in NetWeaver Application Server (AS) Java platform, which could permit an unauthenticated attacker to take control of SAP applications.
The bug tracked as CVE-2020-6287 and dubbed RECON is rated with a maximum CVSS score of 10 out of 10. It potentially affects more than 40,000 SAP customers.
The vulnerability was disclosed by the cybersecurity firm Onapsis.
The US Cybersecurity and Infrastructure Security Agency (CISA) stated in an advisory that if successfully exploited, a remote, unauthenticated attacker could easily get unrestricted access to SAP systems through the creation of high-privileged users and the execution of arbitrary operating system commands with the privileges of the SAP service user account, which has unrestricted access to the SAP database and is able to perform application maintenance activities, such as shutting down federated SAP applications. The confidentiality, integrity, and availability of the data and processes hosted by the SAP application are at risk by this vulnerability.
BY default the vulnerability resides in SAP applications running on top of SAP NetWeaver AS Java 7.3 and newer (up to SAP NetWeaver 7.5), putting several SAP business solutions at risk, including but not limited to SAP Enterprise Resource Planning, SAP Product Lifecycle Management, SAP Customer Relationship Management, SAP Supply Chain Management, SAP Business Intelligence, and SAP Enterprise Portal.
Onapsis said that RECON is caused due to a lack of authentication in the web component of the SAP NetWeaver AS for Java, allowing an attacker to perform high-privileged activities on the susceptible SAP system.
It is possible for a remote, unauthenticated attacker to exploit this vulnerability through an HTTP interface, which is usually exposed to end users and in several cases exposed to the internet.
The attacker can exploit the flaw and create new SAP user with maximum privileges and can then compromise SAP installations to execute arbitrary commands, such as modifying or extracting highly sensitive information as well as disrupting critical business processes.
There is no proof of any active exploitation of the vulnerability. Due to the severity of RECON, it is highly recommended that organizations must apply critical patches at the earliest.
The users are also advised to scan SAP systems for vulnerabilities and analyze systems for malicious or excessive user authorizations.
Image Credits : National Cybersecurity News