SAP RECON Vulnerability
By Britton Grim
In May, security researchers at Onapsis discovered a vulnerability referred to as RECON (Remotely Exploitable Code On NetWeaver). CVE-2020-6287 has a critical CVSS score of 10 and resides in the LM Configuration Wizard of SAP NetWeaver AS Java, so it could affect every SAP application that uses the NetWeaver AS Java technology stack. It could allow a remote, unauthenticated attacker to create a new SAP administrative user and gain full control of the system.
The successful exploitation of CVE-2020-6287 could result in the full administrative takeover of a device without the need for authentication. This would allow a remote attacker both to perform any operation against the system (viewing, modifying, or deleting records or files within the database) and to cover their tracks by deleting or modifying logs to obscure or hide their activity.
The vulnerable NetWeaver AS Java technology stack is present in many SAP applications; however, only versions 7.30 to 7.50 are vulnerable. Affected applications include Enterprise Resource Planning (ERP), Supply Chain Management (SCM), Enterprise Portal, HR Portal, Supplier Relationship Management (SRM), S/4HANA, Customer Relationship Management (CRM), Process Integration (PI), Process Orchestration (PO), Composition Environment (CE), NetWeaver Mobile Infrastructure (MI), Development Infrastructure (NWDI) and Solution Manager (SolMan).
Given the breadth of the attack surface for SAP products incorporating this technology stack, and the potential for business-critical data (not to mention PII) to be exposed, modified, or deleted, this is a vulnerability organizations will not want to sleep on.
SAP released patches yesterday, July 13th, to address the RECON vulnerability and recommends organizations review SAP Security Note #2934135 (linked below) to apply critical patches as soon as possible via the SAP One Support Launchpad. If you are a Deepwatch VM customer, Deepwatch can locate devices that may contain this vulnerability. Deepwatch recommends, as always, testing patches thoroughly prior to deployment into production environments. However, with the business criticality of the SAP applications enumerated as affected, we fully recommend assessing your environment as soon as possible to manage your risk effectively.
Affected versions of SAP are as follows:
SAP applications running on top of SAP NetWeaver AS Java 7.3 up to SAP NetWeaver 7.5 are affected by default. Affected SAP business solutions include any SAP Java-based solution, such as:
- SAP Enterprise Resource Planning
- SAP Product Lifecycle Management
- SAP Customer Relationship Management
- SAP Supply Chain Management
- SAP Supplier Relationship Management
- SAP NetWeaver Business Warehouse
- SAP Business Intelligence
- SAP NetWeaver Mobile Infrastructure
- SAP Enterprise Portal
- SAP Process Orchestration/Process Integration
- SAP Solution Manager
- SAP NetWeaver Development Infrastructure
- SAP Central Process Scheduling
- SAP NetWeaver Composition Environment
- SAP Landscape Manager
Vulnerability scanner coverage:
- For Qualys, QID 13849 will detect CVE-2020-6287
- At the time of writing, Tenable has not yet released a Plugin ID for this vulnerability
Deepwatch will continue to monitor the SAP vulnerability and integrate detections into its respective customer offerings as further detection capabilities become available. Please contact your squad leads if you have further questions.
At the time of writing, the only way to manage the risk is to apply the patch for SAP software that the vendor has provided.