SAP has patched a critical vulnerability affecting the LM Configuration Wizard component of the NetWeaver Application Server (AS) Java platform, which allows an unauthenticated attacker to take control of SAP applications.
The bug, dubbed RECON and tracked as CVE-2020-6287, is rated with a maximum CVSS score of 10 out of 10 and potentially affects more than 40,000 SAP customers, according to cybersecurity firm Onapsis, which discovered the flaw.
“If successfully exploited, a remote, unauthenticated attacker can obtain unrestricted access to SAP systems through the creation of high-privileged users and the execution of arbitrary operating system commands with the privileges of the SAP service user account, which has unrestricted access to the SAP database and is able to perform application maintenance activities, such as shutting down federated SAP applications,” the US Cybersecurity and Infrastructure Security Agency (CISA) said in an advisory.
“The confidentiality, integrity, and availability of the data and processes hosted by the SAP application are at risk by this vulnerability,” it added.
The vulnerability is present by default in SAP applications running on top of SAP NetWeaver AS Java 7.3 and newer (up to SAP NetWeaver 7.5), putting several SAP business solutions at risk, including but not limited to SAP Enterprise Resource Planning, SAP Product Lifecycle Management, SAP Customer Relationship Management, SAP Supply Chain Management, SAP Business Intelligence, and SAP Enterprise Portal.
According to Onapsis, RECON is caused by a lack of authentication in the web component of SAP NetWeaver AS for Java, which allows an attacker to perform high-privileged activities on the vulnerable SAP system.
“A remote, unauthenticated attacker can exploit this vulnerability through an HTTP interface, which is typically exposed to end users and, in many cases, exposed to the internet,” CISA noted.
By exploiting the flaw to create a new SAP user with maximum privileges, the intruder can compromise SAP installations to execute arbitrary commands, such as modifying or extracting highly sensitive information as well as disrupting critical business processes.
Although there is no evidence of active exploitation of the vulnerability, CISA cautioned that the availability of the patches could make it easier for adversaries to reverse-engineer the flaw, build exploits, and target unpatched systems.
Given the severity of RECON, organizations are advised to apply the critical patches as soon as possible, scan SAP systems for all known vulnerabilities, and assess systems for malicious or excessive user authorizations.