“An unauthenticated attacker (no username or password required) can create a new SAP user with maximum privileges”
SAP has urged users to immediately patch a critical vulnerability, CVE-2020-6287, that gives a remote, unauthenticated attacker (no email, no password needed) unrestricted access to SAP systems with the ability to steal data, change financial details or simply bring systems to a juddering halt. Yes, it’s that bad.
The CVSS 10.0-rated SAP bug is present by default in SAP applications running on top of SAP NetWeaver AS Java 7.3 and up to SAP NetWeaver 7.5. Some 40,000 customers are understood to be affected, with over 2,500 running systems directly exposed to the internet. These SAP applications are vulnerable:
- SAP Enterprise Resource Planning,
- SAP Product Lifecycle Management,
- SAP Customer Relationship Management,
- SAP Supply Chain Management,
- SAP Supplier Relationship Management,
- SAP NetWeaver Business Warehouse,
- SAP Business Intelligence,
- SAP NetWeaver Mobile Infrastructure,
- SAP Enterprise Portal,
- SAP Process Orchestration/Process Integration,
- SAP Solution Manager,
- SAP NetWeaver Development Infrastructure,
- SAP Central Process Scheduling,
- SAP NetWeaver Composition Environment, and
- SAP Landscape Manager.
The SAP bug was identified by application security firm Onapsis, which has dubbed it RECON. A remote, unauthenticated attacker can exploit this vulnerability through an HTTP interface, which is typically exposed to end users and, in many cases, exposed to the internet, the US’s CISA agency warned today.
SAP Bug: CISA “Strongly Recommends” Immediate Patching
“Due to the criticality of this vulnerability, the attack surface this vulnerability represents, and the importance of SAP’s business applications, CISA strongly recommends organizations immediately apply patches. CISA recommends organizations prioritize patching internet-facing systems, and then internal systems.”
While no exploitation has been reported in the wild yet, it typically does not take long for security researchers to reverse engineer a patch in order to create exploits targeting the systems of those who do not patch promptly, as the recent F5 Networks BIG-IP bug’s fallout reflects. Detailed information for SAP customers is in security note 2934135.
Onapsis said: “The Onapsis Research Labs identified a serious zero-day vulnerability affecting a default component present in every SAP application running the SAP NetWeaver Java technology stack. This technical component is used in many SAP business solutions, such as SAP SCM, SAP CRM, SAP Enterprise Portal, SAP Process Integration, SAP Solution Manager (SolMan) and many others.
“If exploited, an unauthenticated attacker (no username or password required) can create a new SAP user with maximum privileges, bypassing all access and authorization controls (such as segregation of duties, identity management and GRC solutions) and gaining full control of SAP systems. The RECON vulnerability is particularly dangerous because many of the affected solutions are often exposed to the internet to connect companies with business partners, employees and customers.”
An attacker could:
- Change banking details (account number, IBAN number, etc.)
- Administer purchasing processes
- Corrupt data or shut a system down completely
- Perform unrestricted actions through OS command execution
- Delete or modify traces, logs and other files
Onapsis has published a threat report on the vulnerability. This bug was first reported by Catalin Cimpanu for ZDNet. Oracle has also patched a series of CVSS 10.0 bugs today, as part of a mammoth 433-patch drop to fix bugs across a range of products.