Recently, SAP patched a critical vulnerability in the LM Configuration Wizard component of the NetWeaver Application Server (AS) Java platform. The flaw, named RECON and tracked as CVE-2020-6287, lets a remote, unauthenticated attacker take full control of affected SAP applications, a serious exposure for every organization running this technology.
Onapsis, the security firm that discovered the vulnerability, estimates that more than 40,000 SAP customers may be affected. The flaw carries the maximum CVSS score of 10.0. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) noted that exploitation allows an attacker to create high-privileged users and execute arbitrary operating system commands with the privileges of the SAP service user account (<sid>adm), which has unrestricted access to the SAP database and can perform application maintenance tasks, including shutting down SAP applications.
Applications built on SAP NetWeaver AS Java versions 7.30 through 7.50 are affected, which includes products such as SAP Enterprise Resource Planning (ERP), SAP Customer Relationship Management (CRM), SAP Business Intelligence (BI), SAP Enterprise Portal and SAP Solution Manager. The root cause of RECON is a missing authentication check in the LM Configuration Wizard web component of SAP NetWeaver AS for Java: the component exposes high-privileged configuration operations over HTTP without requiring the caller to log in, so anyone who can reach the interface can invoke them.
CISA has noted that a remote, unauthenticated adversary can exploit the flaw through an HTTP interface that is usually exposed to end users and, in many deployments, to the internet. By abusing it, an intruder can create a new SAP user with administrative privileges, then use that access to run commands on the host, extract sensitive business data or disrupt critical business processes.
At the time of disclosure there were no indications of active exploitation, but public availability of the patch makes it likely that attackers will diff the fix, reconstruct the vulnerability and target unpatched systems. Given the severity of RECON, organizations should apply the fix in SAP Security Note 2934135 promptly, and, where patching must wait, apply SAP's workaround of disabling the LM Configuration Wizard service. Because the flaw was exploitable without credentials, patching does not undo anything an attacker may already have done: scan SAP systems for this and other known vulnerabilities, check whether the LM Configuration Wizard endpoint was reachable without authentication, and review user accounts and permissions for unexpected high-privileged users or other excessive access.
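The exposure check and log review recommended above can be partly automated. The following script is an added example written for this article, not code from SAP, Onapsis or CISA. It assumes the vulnerable web service is reachable under the /CTCWebService/CTCWebServiceBean path named in the public advisories for CVE-2020-6287, and it assumes web access logs in a Common Log Format-like layout; the sample log lines embedded in it are constructed for the example, not real SAP logs. It classifies the result of an unauthenticated request to the endpoint (exposed, protected, absent) and flags historical requests to the endpoint in the logs, ranking unauthenticated POSTs that were served with HTTP 200 highest, since those are the calls an attacker would have used.

```python
"""Added example for CVE-2020-6287 (RECON): exposure check and log triage.

Assumptions (not stated in the original article):
- The LM Configuration Wizard web service lives at CTC_PATH below, the
  endpoint path cited in the public advisories for this CVE.
- Access logs use a Common Log Format-like layout. SAMPLE_LOG is constructed
  test data for this example, not output from a real SAP system.
"""
import re
from typing import Dict, Iterable, List
from urllib.error import HTTPError
from urllib.request import Request, urlopen

CTC_PATH = "/CTCWebService/CTCWebServiceBean"
CTC_PATH_RE = re.compile(r"/CTCWebService/", re.IGNORECASE)

# ip ident user [time] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)

# Constructed sample: one external client enumerates the WSDL and then posts
# to the service without credentials; an admin uses it legitimately; a later
# probe is rejected (what a patched or restricted system should return).
SAMPLE_LOG = """\
203.0.113.7 - - [13/Jul/2020:09:14:02 +0000] "GET /irj/portal HTTP/1.1" 200 5120
203.0.113.7 - - [13/Jul/2020:09:14:05 +0000] "GET /CTCWebService/CTCWebServiceBean?wsdl HTTP/1.1" 200 8834
203.0.113.7 - - [13/Jul/2020:09:14:09 +0000] "POST /CTCWebService/CTCWebServiceBean HTTP/1.1" 200 612
10.0.0.5 - j2ee_admin [13/Jul/2020:09:20:41 +0000] "POST /CTCWebService/CTCWebServiceBean HTTP/1.1" 200 612
198.51.100.9 - - [13/Jul/2020:09:25:00 +0000] "GET /CTCWebService/CTCWebServiceBean HTTP/1.1" 401 0
"""


def classify_exposure(status: int) -> str:
    """Interpret the HTTP status of an unauthenticated GET to the CTC endpoint."""
    if status == 200:
        return "EXPOSED: endpoint served content without authentication"
    if status in (401, 403):
        return "PROTECTED: endpoint requires authentication (patched or restricted)"
    if status == 404:
        return "ABSENT: LM Configuration Wizard not deployed or disabled"
    return f"UNKNOWN: HTTP {status}, inspect manually"


def probe_endpoint(base_url: str, timeout: float = 10.0) -> str:
    """Send one unauthenticated GET and classify the answer.

    This performs a network request (only against systems you own or are
    authorised to test), so it is not exercised offline.
    """
    req = Request(base_url.rstrip("/") + CTC_PATH,
                  headers={"User-Agent": "recon-exposure-check"})
    try:
        with urlopen(req, timeout=timeout) as resp:
            return classify_exposure(resp.status)
    except HTTPError as err:
        return classify_exposure(err.code)


def find_ctc_requests(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return every logged request to the CTC endpoint with a severity tag."""
    hits: List[Dict[str, str]] = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or not CTC_PATH_RE.search(m["path"]):
            continue
        ev = m.groupdict()
        anonymous = ev["user"] == "-"
        if anonymous and ev["method"] == "POST" and ev["status"] == "200":
            ev["severity"] = "high"    # unauthenticated SOAP call served: possible RECON use
        elif anonymous and ev["status"] == "200":
            ev["severity"] = "medium"  # unauthenticated recon of the endpoint (e.g. WSDL fetch)
        else:
            ev["severity"] = "low"     # authenticated use, or request rejected
        hits.append(ev)
    return hits


if __name__ == "__main__":
    for ev in find_ctc_requests(SAMPLE_LOG.splitlines()):
        print(f'{ev["severity"]:6} {ev["ip"]:14} {ev["user"]:10} '
              f'{ev["method"]} {ev["path"]} -> {ev["status"]}')
```

Run it with no arguments to triage the embedded sample; in practice feed it the exported ICM/HTTP access log and call probe_endpoint against each Java instance's HTTP port from outside the trusted network. A PROTECTED result confirms the fix or workaround is in place; any "high" event from before the patch date is a reason to audit for newly created administrative users rather than assume the system was untouched.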
Viewed through the MITRE ATT&CK framework, the attack chain is straightforward: initial access through Exploit Public-Facing Application (T1190), persistence through Create Account (T1136) when the attacker adds a high-privileged SAP user, and execution through Command and Scripting Interpreter (T1059) when operating system commands are run as the SAP service user. Since the exploit itself already runs with administrative rights, no separate privilege escalation step is needed, which is what makes the flaw so dangerous. Vulnerabilities of this kind underline the need for proactive measures in SAP environments: timely patching, limiting internet exposure of administrative interfaces, and continuous monitoring of user and permission changes.
Staying informed about and responsive to emerging threats remains essential for protecting business operations. Monitoring advisories from trusted sources such as SAP and CISA, and implementing their recommended measures promptly, significantly improves resilience against attacks of this kind.