This Flaw in SAP allows attackers to create Admin accounts on SAP Servers

Recently, SAP patched a critical flaw affecting over 40,000 customers. The flaw is found in SAP NetWeaver AS JAVA (LM Configuration Wizard) versions 7.30 to 7.50, a core component of several products and solutions deployed in most SAP environments.

The RECON (Remotely Exploitable Code On NetWeaver) vulnerability is rated with the maximum CVSS score of 10 out of 10 and can be exploited remotely by unauthenticated attackers to fully compromise unpatched SAP systems, according to Onapsis, the company that found the bug and responsibly disclosed it to the SAP Security Response Team. RECON stems from a lack of authentication in an SAP NetWeaver AS for Java web component, which allows several high-privileged activities to be performed on the affected SAP systems.

Onapsis explained that, on successful exploitation, an unauthenticated attacker with no username or password can create a new SAP user with maximum privileges, bypassing all access and authorization controls (such as segregation of duties, GRC solutions, and identity management) and gaining full control of the SAP system.

This RECON vulnerability is particularly dangerous because many of the affected solutions are often exposed to the internet to connect companies with business partners, employees, and customers, which drastically increases the likelihood of remote attacks. In addition to the Onapsis report, the United States Cybersecurity and Infrastructure Security Agency (CISA) has also issued an advisory today; the vulnerability is tracked as CVE-2020-6287.

Systems affected by this Vulnerability

Onapsis estimates that more than 40,000 SAP customers could potentially be affected by this vulnerability at the moment. The company also found that at least 2,500 vulnerable SAP systems are directly exposed to the internet, with 33% in North America, 29% in Europe and 27% in the Asia-Pacific region.

Examples of widely used SAP applications vulnerable to RECON attacks if left unpatched are SAP Solution Manager (SolMan), an application lifecycle manager deployed in almost all SAP environments, and SAP Enterprise Portal, which is exposed to attacks since it is often deployed on systems connected to the Internet.

Two other SAP tools affected by the RECON bug are the SAP Process Integration module and SAP Landscape Management (LaMa), an orchestration and automation tool; if the latter is successfully exploited, attackers gain full control of an organisation's SAP assets.

SAP business solutions using the latest versions of SAP NetWeaver and affected by the RECON vulnerability include the following (more impacted products are listed in SAP's Security Notes release):

• SAP S/4HANA Java
• SAP Enterprise Resource Planning (ERP)
• SAP Supply Chain Management (SCM)
• SAP CRM (Java Stack)
• SAP Enterprise Portal
• SAP HR Portal
• SAP Solution Manager (SolMan) 7.2
• SAP Landscape Management (SAP LaMa)
• SAP Process Integration/Orchestration (SAP PI/PO)
• SAP Supplier Relationship Management (SRM)
• SAP NetWeaver Mobile Infrastructure (MI)
• SAP NetWeaver Development Infrastructure (NWDI)
• SAP NetWeaver Composition Environment (CE)

Impact of Successful Exploitation

If an attacker successfully exploits a system connected to an untrusted network, they can read, modify, and delete any record, file, or report on the compromised system. This allows them to perform a wide range of malicious tasks, including but not limited to reading, modifying or deleting financial records and deleting or modifying logs, traces, and other files. It also allows them to disrupt the operation of the system by corrupting data or shutting it down completely.

A successful attack would also allow them to change a compromised company's banking details (account number, IBAN, etc.), read personally identifiable information (PII), perform unrestricted actions through OS command execution, and take complete control of purchasing process administration.

SAP and Onapsis urge customers to patch their products as soon as possible to block potential attacks designed to exploit unpatched systems. Onapsis says in its RECON threat report that, based on how widespread this vulnerability is across SAP products, most SAP customers will likely be impacted, and that it is fundamental for SAP customers to apply the patch and follow the provided recommendations to stay protected and safe.
