Recon vulnerability puts thousands of SAP customers at risk

SAP has released a critical security update to address a serious vulnerability in the SAP NetWeaver Application Server (AS) Java component LM Configuration Wizard, which is thought to affect at least 40,000 customers worldwide, with at least 2,500 vulnerable SAP systems currently exposed to the internet.

The Recon (Remotely Exploitable Code on NetWeaver) bug, which has been assigned CVE-2020-6287 and carries a CVSS score of 10, the highest possible, resides in a default core application and can be exploited by a remote, unathenticated attacker through the hypertext transfer protocol (HTTP) to take control of SAP applications that face the public internet.

According to the team that discovered it at Onapsis Research Labs, SAP Enterprise Portal stands out as an example of a critical at-risk system, but other SAP solutions including SAP PI/XI, SAP CRM, SAP SCM, and SAP S/4HANA are also known to be affected. This is because SAP NetWeaver Java forms a fundamental ‘base layer’ for other interconnected SAP products.

A successful exploitation would allow an attacker to create a new user in the compromised system with the highest level of admin privileges, bypassing access and authorisation controls, and take full control of the system, from where they could read, modify or delete database records or files, steal data, change banking details, administer purchasing processes, disrupt system operation by corrupting data or shutting it down, perform unrestricted actions through OS command execution, and delete or modify traces, logs and more.

Onapsis warned that the access levels made possible by the vulnerability may constitute a regulatory violation, putting compromised organisations at risk of breaching the General Data Protection Regulation (GDPR) or the US Sarbanes-Oxley regulations.

“Vulnerabilities such as Recon are not often seen, but these types of security issues compensate for their rareness with business and compliance impact,” wrote Onapsis’ team in its disclosure.

“Based on how widespread this vulnerability is across SAP products, most SAP customers will likely be impacted. Onapsis has been working closely with the SAP Security Response Team to report and fix this vulnerability with the patch being released in the July 2020 SAP Security Notes.

“It is fundamental for SAP customers to apply the patch and follow the provided recommendations to stay protected. Continuous monitoring of SAP systems and the automated assessment of security configurations is imperative to ensure that mission-critical information and processes remain secure.”

In a statement, the US Cybersecurity and Infrastructure Security Agency (CISA) said that due to the severity of the vulnerability, at-risk organisations should apply the patch within 24 hours, prioritising internet-facing systems.

“Organisations that are unable to immediately patch should mitigate the vulnerability by disabling the LM Configuration Wizard service (see SAP Security Note #2939665). Should these options be unavailable or if the actions will take more than 24 hours to complete, CISA strongly recommends closely monitoring your SAP NetWeaver AS for anomalous activity,” said the agency.

CISA said it was unaware of any active exploitation of the vulnerability at the time of writing, however, now that technical details of the vulnerability have been disclosed, there can be no doubt that Recon will be exploited within the next few days.