- SAP releases a critical patch, plugging a severe remote server takeover hole that requires no authentication.
- The discoverer of the vulnerability is about to share more technical details about the flaw.
- Attackers will start scanning the internet for exposed systems soon, so updating before the flaw is weaponized is critical.
SAP has released its July 2020 patches, fixing 15 vulnerabilities, two of which are rated critical (CVSS 10). The worst of them could lead to a full takeover of the affected server and, from there, of the corporate network. The flaw affects the LM Configuration Wizard of SAP NetWeaver AS JAVA, versions 7.30, 7.31, 7.40 and 7.50; if you run any of these versions, apply the patch immediately.
An estimated 40,000 SAP customers are exposed to this particular flaw, so patching at that scale is not a simple task, and attackers will now be racing the defenders.
The vulnerability, tracked as CVE-2020-6287 and dubbed “RECON”, was discovered by Onapsis, a cyber-security company that reported it to SAP immediately. Now that the patch is out, Onapsis will present its findings in two webinars, today and tomorrow. If you want to learn more about the flaw, you can register on this webpage.
According to a recent advisory from the US Cybersecurity and Infrastructure Security Agency (CISA), an unauthenticated remote attacker could obtain unrestricted access to unpatched SAP systems: create new high-privileged users, execute arbitrary commands with administrator-level privileges, read or modify database contents, shut down federated SAP applications, and more.
Long story short, the confidentiality, integrity, and availability of the data and processes hosted by any unpatched SAP application are at grave risk.
If patching is not immediately possible, SAP admins are advised to take the affected systems offline until it is. CISA's advisory does note one stopgap, disabling the LM Configuration Wizard service, but that only removes the exposed component rather than fixing the bug, so patching should be non-negotiable at this point.
If you choose to stay exposed, bear in mind that any intruder who exploits RECON can do extensive damage very quickly, and you will regret the decision. With Onapsis about to share more technical details of how an exploit works, leaving an SAP system unpatched is hard to justify.
Another serious flaw fixed in the same release is CVE-2020-6285 (CVSS 7.7), an information disclosure bug in the XMLToolkit for Java of SAP NetWeaver. The affected products are SAP NetWeaver ENGINE API versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40 and 7.50.
The remaining fixes address medium-priority flaws of various types, including cross-site scripting, path traversal and server-side request forgery.