07.14.20

Vulnerability SPOT Report

SAP RECON Vulnerability

By Britton Grim

In May, security researchers at Onapsis discovered a vulnerability referred to as RECON (Remotely Exploitable Code On NetWeaver). CVE-2020-6287 has a critical CVSS score of 10 and is centered around SAP NetWeaver AS JAVA (LM Configuration Wizard) which could affect every SAP application that utilizes the NetWeaver AS Java technology stack. This could allow a remote, unauthenticated attacker to create a new SAP administrative user and gain full control of the system.

Potential Impact

The successful exploitation of CVE-2020-6287 could result in the full administrative takeover of a device without the need for authentication. This would allow a remote attacker to both perform any operations against the system (viewing, modifying, or deleting records or files within the database) as well as the ability to cover their tracks by further deleting or modifying logs to obscure or hide their activity.

The NetWeaver AS Java technology stack is present in many SAP applications; however, only versions 7.30 to 7.50 are vulnerable. Affected applications include Enterprise Resource Planning (ERP), Supply Chain Management (SCM), Enterprise Portal, HR Portal, Supplier Relationship Management (SRM), S/4HANA, Customer Relationship Management (CRM), Process Integration (PI), Process Orchestration (PO), Composition Environment (CE), NetWeaver Mobile Infrastructure (MI), Development Infrastructure (NWDI) and Solution Manager (SolMan).

Given the breadth of the attack surface for SAP products incorporating this technology stack, and the potential for business critical data (not to mention PII) to be exposed, modified, or deleted, this is a vulnerability organizations will not want to sleep on.

Mitigation

SAP released patches yesterday, July 13th, to address the RECON vulnerability and recommends that organizations review SAP Security Note #2934135 (linked below) and apply the critical patches as soon as possible via the SAP One Support Launchpad. If you are a deepwatch VM customer, deepwatch can locate devices that may contain this vulnerability. deepwatch recommends, as always, testing patches thoroughly prior to deployment into production environments. However, given the business criticality of the SAP applications enumerated as affected, we fully recommend assessing your environment as soon as possible to manage your risk effectively.

Affected versions of SAP are as follows:

SAP applications running on top of SAP NetWeaver AS Java 7.3 up to SAP NetWeaver 7.5 are affected by default. SAP business solutions that include an SAP Java-based component include the following:

  • SAP Enterprise Resource Planning
  • SAP Product Lifecycle Management
  • SAP Customer Relationship Management
  • SAP Supply Chain Management
  • SAP Supplier Relationship Management
  • SAP NetWeaver Business Warehouse
  • SAP Business Intelligence
  • SAP NetWeaver Mobile Infrastructure
  • SAP Enterprise Portal
  • SAP Process Orchestration/Process Integration
  • SAP Solution Manager
  • SAP NetWeaver Development Infrastructure
  • SAP Central Process Scheduling
  • SAP NetWeaver Composition Environment
  • SAP Landscape Manager

Detection

Vulnerability Management

  • For Qualys, QID 13849 will detect CVE-2020-6287
  • At the time of writing, Tenable has not yet released a Plugin ID for this vulnerability
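An added triage helper, not deepwatch's or SAP's code, that ties together the two defender-facing signals given above: the affected NetWeaver AS Java release range (7.30 through 7.50) from the version list, and Qualys QID 13849 from the detection list. The hostnames, versions and CSV column names are constructed for illustration.

```python
"""Flag hosts for CVE-2020-6287 (RECON) from an inventory/scan export.

Added example, not vendor code. Two signals from the report are used:
  1. SAP NetWeaver AS Java release 7.30 through 7.50 (inclusive) is affected.
  2. Qualys reports the issue as QID 13849.
"""
import csv
import io
import re

AFFECTED_MIN = (7, 30)          # inclusive lower bound stated in the report
AFFECTED_MAX = (7, 50)          # inclusive upper bound stated in the report
QUALYS_RECON_QID = "13849"

_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)")


def parse_release(version: str):
    """Return (major, minor) from strings such as '7.50 SP14' or '7.5'; None if unparsable.
    A bare '7.5' is normalised to (7, 50) so it compares correctly with '7.50'."""
    m = _VERSION_RE.match(version or "")
    if not m:
        return None
    minor = int(m.group(2).ljust(2, "0")[:2])   # '5' -> 50, '31' -> 31, '50' -> 50
    return (int(m.group(1)), minor)


def release_affected(version: str) -> bool:
    """True when the release falls inside the 7.30..7.50 range."""
    rel = parse_release(version)
    return rel is not None and AFFECTED_MIN <= rel <= AFFECTED_MAX


def triage(scan_csv: str) -> dict:
    """Map each flagged host to the reasons it was flagged. The CSV is assumed to
    carry host, product, netweaver_java_version and qid columns (constructed schema)."""
    flagged = {}
    for row in csv.DictReader(io.StringIO(scan_csv)):
        reasons = []
        if row.get("qid", "").strip() == QUALYS_RECON_QID:
            reasons.append("Qualys QID 13849")
        ver = row.get("netweaver_java_version", "").strip()
        if release_affected(ver):
            reasons.append(f"AS Java {ver} in 7.30-7.50")
        if reasons:
            flagged.setdefault(row["host"].strip(), []).extend(reasons)
    return flagged


# Constructed sample export; hostnames and versions are made up for illustration.
SAMPLE_EXPORT = """host,product,netweaver_java_version,qid
sap-portal-01,SAP Enterprise Portal,7.50 SP14,13849
sap-pi-02,SAP Process Integration,7.31,
sap-solman-03,SAP Solution Manager,7.20,
sap-erp-04,SAP ERP,7.5,
"""

if __name__ == "__main__":
    for host, why in sorted(triage(SAMPLE_EXPORT).items()):
        print(host, "->", "; ".join(why))
```

A host flagged only by release is still worth patching even when the scanner has no finding, because a scan may not have reached the system.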

deepwatch will continue to monitor the SAP vulnerability and integrate detections into its respective customer offerings as further detection capabilities become available. Please contact your squad leads if you have further questions.

Managing Risk

At the time of writing, the only way to manage the risk is to implement the patch for SAP software that has been provided by the vendor.

Supporting Information

  • https://www.onapsis.com/recon-sap-cyber-security-vulnerability
  • https://us-cert.cisa.gov/ncas/alerts/aa20-195a
  • https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=552599675

Britton Grim

Britton Grim is a VM Engineer for deepwatch’s Vulnerability Management services. He has held roles such as Program Manager of vulnerability management services, lead digital forensics investigator, and senior incident response analyst in the past and uses this experience to better assist customers in securing their environments. He is a Tenable Certified MSSP Engineer and Qualys Certified Specialist.

