Horror SAP Bug (CVSS: 10) Gives Unauthenticated Attacker Admin Privileges

"An unauthenticated attacker (no username or password required) can create a new SAP user with maximum privileges"

By CBR Staff Writer

SAP has urged users to immediately patch a critical vulnerability, CVE-2020-6287, that gives a remote, unauthenticated attacker (no email, no password needed) unrestricted access to SAP systems with the ability to steal data, change financial details or simply bring systems to a juddering halt. Yes, it’s that bad.

The CVSS 10.0-rated SAP bug is present by default in SAP applications running on top of SAP NetWeaver AS Java 7.3 and up to SAP NetWeaver 7.5. Some 40,000 customers are understood to be affected, with over 2,500 running systems directly exposed to the internet. These SAP applications are vulnerable:

  • SAP Enterprise Resource Planning,
  • SAP Product Lifecycle Management,
  • SAP Customer Relationship Management,
  • SAP Supply Chain Management,
  • SAP Supplier Relationship Management,
  • SAP NetWeaver Business Warehouse,
  • SAP Business Intelligence,
  • SAP NetWeaver Mobile Infrastructure,
  • SAP Enterprise Portal,
  • SAP Process Orchestration/Process Integration,
  • SAP Solution Manager,
  • SAP NetWeaver Development Infrastructure,
  • SAP Central Process Scheduling,
  • SAP NetWeaver Composition Environment, and
  • SAP Landscape Manager.

The SAP bug was identified by application security firm Onapsis, which has dubbed it RECON. A remote, unauthenticated attacker can exploit this vulnerability through an HTTP interface, which is typically exposed to end users and, in many cases, exposed to the internet, the US’s CISA agency warned today.

SAP Bug: CISA “Strongly Recommends” Immediate Patching

“Due to the criticality of this vulnerability, the attack surface this vulnerability represents, and the importance of SAP’s business applications, CISA strongly recommends organizations immediately apply patches. CISA recommends organizations prioritize patching internet-facing systems, and then internal systems.”

While no exploitation has been reported in the wild yet, it typically does not take long for security researchers to reverse engineer a patch in order to create exploits targeting the systems of those who do not patch promptly, as the recent F5 Networks BIG-IP bug’s fallout reflects. Detailed information for SAP customers is in security note 2934135.
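A patch-triage helper, added here as an example and not code from the article, SAP or Onapsis: it applies the affected range the article gives (NetWeaver AS Java 7.3 up to 7.5) and CISA's internet-facing-first ordering to a constructed inventory, so an administrator can see which systems still need note 2934135 and in what order. The `SapSystem` fields and the sample entries are assumptions.

```python
"""Patch-triage helper for CVE-2020-6287 (RECON). Added example, not code from
the article, SAP or Onapsis; field names and the sample inventory are assumptions."""
from dataclasses import dataclass

AFFECTED_MIN = (7, 30)  # article: "SAP NetWeaver AS Java 7.3 ..."
AFFECTED_MAX = (7, 50)  # article: "... up to SAP NetWeaver 7.5"
SAP_NOTE = "2934135"    # SAP security note cited in the article

@dataclass(frozen=True)
class SapSystem:
    sid: str            # three-letter system id (constructed)
    java_release: str   # e.g. "7.40" or "7.50 SP12" (constructed)
    internet_facing: bool
    note_applied: bool  # whether note 2934135 is already installed

def parse_release(release: str) -> tuple[int, int]:
    """Turn '7.4' / '7.40' / '7.50 SP12' into a comparable (major, minor) pair;
    minor is normalised to two digits so 7.4 and 7.40 compare equal."""
    major, minor = release.split()[0].split(".", 1)
    return int(major), int(minor.ljust(2, "0")[:2])

def is_affected(system: SapSystem) -> bool:
    """In the affected release range and not yet patched with the SAP note."""
    rel = parse_release(system.java_release)
    return AFFECTED_MIN <= rel <= AFFECTED_MAX and not system.note_applied

def patch_queue(inventory: list[SapSystem]) -> list[str]:
    """SIDs still needing the note: internet-facing first (CISA ordering), then
    internal; alphabetical within each tier so the output is stable."""
    affected = [s for s in inventory if is_affected(s)]
    affected.sort(key=lambda s: (not s.internet_facing, s.sid))
    return [s.sid for s in affected]

# Constructed inventory for demonstration.
INVENTORY = [
    SapSystem("PRD", "7.50", internet_facing=True, note_applied=False),
    SapSystem("EP1", "7.40 SP20", internet_facing=True, note_applied=False),
    SapSystem("SOL", "7.31", internet_facing=False, note_applied=False),
    SapSystem("DEV", "7.50", internet_facing=False, note_applied=True),
    SapSystem("OLD", "7.20", internet_facing=True, note_applied=False),
]

if __name__ == "__main__":
    for sid in patch_queue(INVENTORY):
        print(f"{sid}: apply SAP note {SAP_NOTE}")
```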

Read this: F5 Mitigation Bypassed; 6,000 Still Vulnerable to Attack

Onapsis said: “The Onapsis Research Labs identified a serious zero-day vulnerability affecting a default component present in every SAP application running the SAP NetWeaver Java technology stack. This technical component is used in many SAP business solutions, such as SAP SCM, SAP CRM, SAP Enterprise Portal, SAP Process Integration, SAP Solution Manager (SolMan) and many others.

“If exploited, an unauthenticated attacker (no username or password required) can create a new SAP user with maximum privileges, bypassing all access and authorization controls (such as segregation of duties, identity management and GRC solutions) and gaining full control of SAP systems. The RECON vulnerability is particularly dangerous because many of the affected solutions are often exposed to the internet to connect companies with business partners, employees and customers.”


An attacker could:

  • Change banking details (account number, IBAN number, etc.)
  • Administer purchasing processes
  • Corrupt data or shut a system down completely
  • Perform unrestricted actions through OS command execution
  • Delete or modify traces, logs and other files

Onapsis has published a threat report on the vulnerability. This bug was first reported by Catalin Cimpanu for ZDNet. Oracle has also patched a series of CVSS 10.0 bugs today, as part of a mammoth 433-patch drop to fix bugs across a range of products.

See also: Businesses Running Oracle: Get Ready for a Massive, Critical Patching Session
