Critical SAP RECON vulnerability exposes thousands of systems to full takeover

Pierluigi Paganini July 14, 2020

IT giant SAP addressed a critical flaw, tracked as CVE-2020-6287 and dubbed RECON, that could allow attackers to take over corporate servers.

SAP has released security patches to address a critical vulnerability, tracked as CVE-2020-6287 and dubbed RECON (Remotely Exploitable Code On NetWeaver), that could be exploited by attackers to take over corporate servers.

The vulnerability was discovered by security firm Onapsis. According to its experts, the RECON flaw allows an attacker to create an SAP user account with maximum privileges on SAP applications exposed online, which gives the attacker full control over the compromised SAP systems.

The RECON issue resides in the SAP NetWeaver AS JAVA (LM Configuration Wizard) versions 7.30 to 7.50, which is a core component in most SAP environments.

The component is used in several popular SAP products, including SAP S/4HANA, SAP SCM, SAP CRM, SAP Enterprise Portal, and SAP Solution Manager (SolMan).

RECON is caused by the lack of authentication in an SAP NetWeaver AS for Java web component.

“If exploited, an unauthenticated attacker (no username or password required) can create a new SAP user with maximum privileges, bypassing all access and authorization controls (such as segregation of duties, identity management, and GRC solutions) and gaining full control of SAP systems,” reads the analysis published by Onapsis.
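The quoted Onapsis analysis describes the outcome a defender should be able to spot: a new user with maximum privileges appearing without passing through the usual identity-management path. The following script is an added example, not code from the article or from Onapsis or SAP; it runs a small detection over constructed audit records (the JSON layout, group names such as "Administrators" and "SAP_J2EE_ADMIN", the provisioning allowlist "IDM_SVC" and the internal address range are all assumptions for illustration, not real SAP log formats). It flags privileged user-creation or role-assignment events whose actor is not a known provisioning identity or whose source address is outside the internal network.

```python
import ipaddress
import json

# Constructed sample audit records (not real SAP output). Each line describes a
# user-management event on a NetWeaver AS Java host. The second and third
# records model what a RECON-style takeover would leave behind: an admin user
# created by an unknown actor from an external address.
SAMPLE_EVENTS = """
{"ts": "2020-07-14T08:02:11Z", "host": "sapnw-prod-01", "event": "USER_CREATE", "actor": "IDM_SVC", "user": "jdoe", "groups": ["Everyone", "Authenticated Users"], "src_ip": "10.0.5.20"}
{"ts": "2020-07-14T08:05:43Z", "host": "sapnw-prod-01", "event": "USER_CREATE", "actor": "UNKNOWN", "user": "sapsupport", "groups": ["Administrators"], "src_ip": "198.51.100.77"}
{"ts": "2020-07-14T08:06:02Z", "host": "sapnw-prod-01", "event": "ROLE_ASSIGN", "actor": "UNKNOWN", "user": "sapsupport", "groups": ["SAP_J2EE_ADMIN"], "src_ip": "198.51.100.77"}
{"ts": "2020-07-14T09:15:30Z", "host": "sapnw-dev-02", "event": "USER_CREATE", "actor": "IDM_SVC", "user": "svc_batch", "groups": ["Administrators"], "src_ip": "10.0.5.20"}
"""

# Assumed names: groups that grant full administrative control on the Java AS,
# the service identities allowed to provision users, and the internal ranges.
PRIVILEGED_GROUPS = {"Administrators", "SAP_J2EE_ADMIN"}
PROVISIONING_ACTORS = {"IDM_SVC"}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
WATCHED_EVENTS = {"USER_CREATE", "ROLE_ASSIGN"}


def parse_events(text):
    """Yield one dict per non-empty line, skipping lines that are not valid JSON."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            # A malformed line should not abort the whole run.
            continue


def is_internal(ip_text):
    """True if the address parses and falls inside an internal range."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except (ValueError, TypeError):
        return False
    return any(addr in net for net in INTERNAL_NETS)


def find_suspicious(text):
    """Return privileged user-management events that bypassed the expected path."""
    findings = []
    for ev in parse_events(text):
        if ev.get("event") not in WATCHED_EVENTS:
            continue
        granted = PRIVILEGED_GROUPS & set(ev.get("groups", []))
        if not granted:
            continue  # ordinary user, not the outcome we are hunting for
        reasons = []
        if ev.get("actor") not in PROVISIONING_ACTORS:
            reasons.append("actor outside provisioning allowlist")
        if not is_internal(ev.get("src_ip")):
            reasons.append("source address outside internal networks")
        if reasons:
            findings.append({
                "ts": ev.get("ts"),
                "host": ev.get("host"),
                "user": ev.get("user"),
                "event": ev.get("event"),
                "groups": sorted(granted),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_EVENTS):
        print(f"{f['ts']} {f['host']} {f['event']} user={f['user']} "
              f"groups={f['groups']} :: {'; '.join(f['reasons'])}")
```

On the sample data the fourth record (an admin account created by the provisioning identity from an internal address) is deliberately not flagged, so the rule reports the two records tied to the unknown actor rather than every privileged account. In practice the group names, allowlist and ranges would be taken from the organisation's own user store and network inventory.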

Onapsis experts scanned the Internet for SAP systems and found 2,500 installs exposed online that are affected by the RECON vulnerability. Most of them are in North America (33%), followed by Europe (29%) and Asia-Pacific (27%).

The RECON flaw is easy to exploit; for this reason it has received a score of 10 on the CVSSv3 vulnerability severity scale.

SAP admins are urged to apply SAP’s patches as soon as possible, to prevent hackers from taking full control of their SAP applications and then stealing sensitive data.

The DHS CISA also published a security alert urging organizations using SAP solutions to apply the security patches as soon as possible. Organizations that are unable to immediately deploy the patch should mitigate the issue by disabling the LM Configuration Wizard service.

“On July 13, 2020 EST, SAP released a security update to address a critical vulnerability, CVE-2020-6287, affecting the SAP NetWeaver Application Server (AS) Java component LM Configuration Wizard. An unauthenticated attacker can exploit this vulnerability through the Hypertext Transfer Protocol (HTTP) to take control of trusted SAP applications,” states CISA’s alert.

“Due to the criticality of this vulnerability, the attack surface this vulnerability represents, and the importance of SAP’s business applications, the Cybersecurity and Infrastructure Security Agency (CISA) strongly recommends organizations immediately apply patches. CISA recommends organizations prioritize patching internet-facing systems, and then internal systems.”

CISA confirmed that it was not aware of any active exploitation of the RECON issue at the time of the report. However, because the patches have been publicly released, experts believe that threat actors could reverse-engineer them to create exploits targeting unpatched systems.
