The National Cyber Security Centre SK-CERT warns of critical vulnerabilities in SAP products

Today, the National Cyber Security Centre SK-CERT (hereinafter referred to as “SK-CERT”) issued a security warning addressing the vulnerability of SAP products, tracked as CVE-2020-6287[1].

SAP is one of the largest software manufacturers in the world. Its products focus mainly on customer relationship management, supply chain management, human resources, expenditure management and other areas. Software solutions from SAP are used worldwide, not only in the private sector but also in the public sphere.

On 14 July 2020, the company released a patch for a critical vulnerability that impacts the vast majority of its customers. The bug, named RECON, can be exploited by a remote attacker over the HTTP protocol to take control of trusted SAP applications.

The bug was discovered by the company Onapsis[2], which warns that RECON allows attackers to create an SAP user account with maximum privileges on SAP applications, granting them full control over the system.

This vulnerability is very easy to exploit and resides in every SAP application running SAP NetWeaver Java from version 7.3 onwards, namely in the LM Configuration Wizard of the SAP NetWeaver Application Server (AS).

The SAP NetWeaver AS for Java technology underpins the SAP Portal component, which can therefore be affected by this bug and is usually exposed to the Internet.

The component is used in some of the most popular SAP products, including SAP S/4HANA, SAP SCM, SAP CRM, SAP Enterprise Portal and SAP Solution Manager (SolMan).

Other SAP applications running the SAP NetWeaver Java technology stack are also affected. Onapsis said that a scan it carried out found around 2,500 SAP systems exposed to the Internet that were vulnerable to the RECON bug.

The RECON bug is one of the rare vulnerabilities to receive the highest possible CVSS score. In this case, that means the bug is very easy to exploit and can be attacked remotely.

Due to the severity of the vulnerability, SK-CERT recommends that organizations immediately:

  • update all SAP products with the latest update packages,
  • disable the LM Configuration Wizard (a recommended step),
  • review the security settings of SAP products,
  • monitor systems, especially SAP applications, for non-standard behaviour,
  • check logs and systems for illegitimately created users,
  • change passwords on affected systems as well as on any systems that used the same passwords,
  • contact SK-CERT immediately if a cybersecurity incident is detected.
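One way to carry out the "check logs and systems for illegitimately created users" step, as an added example that is not part of the SK-CERT advisory: the script compares a constructed SAP user export against a known-good account inventory and flags accounts that are absent from the inventory, or that were created after an assumed audit cutoff (the patch date above) while holding an administrator group or lacking a recorded creator. The CSV columns, group names, user ids and cutoff are all assumptions for illustration, not a real SAP UME export format.

```python
"""Audit a user export for accounts that may have been created via RECON.
Added example; the export layout below is constructed, not SAP's own."""
import csv
import io
from datetime import datetime

# Constructed sample export: one row per user (id, creation time, groups, creator).
# "sapsupport" is the planted suspicious account.
SAMPLE_EXPORT = """\
user_id,created,groups,created_by
j.smith,2020-03-02T09:14:00,Everyone;Portal_Users,Administrator
svc_backup,2020-05-20T22:01:11,Everyone,Administrator
sapsupport,2020-07-15T03:41:52,Administrators;Everyone,
a.novak,2020-07-16T08:02:10,Everyone;Portal_Users,Administrator
"""

# Assumed known-good inventory taken before the audit window.
BASELINE_USERS = {"j.smith", "svc_backup", "a.novak"}
# Assumed name of the group that carries full administrative privileges.
ADMIN_GROUPS = {"Administrators"}
# Assumed audit cutoff: the day the patch was released (14 July 2020).
CUTOFF = datetime(2020, 7, 14)


def parse_export(text):
    """Parse the CSV export into dicts with typed 'created' and 'groups' fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["created"] = datetime.fromisoformat(row["created"])
        row["groups"] = set(filter(None, row["groups"].split(";")))
        rows.append(row)
    return rows


def suspicious_accounts(rows, baseline=BASELINE_USERS, since=CUTOFF):
    """Return (user_id, reasons) for every account that fails at least one check."""
    findings = []
    for r in rows:
        reasons = []
        if r["user_id"] not in baseline:
            reasons.append("not in baseline inventory")
        if r["created"] >= since and r["groups"] & ADMIN_GROUPS:
            reasons.append("admin group granted after cutoff")
        if r["created"] >= since and not r["created_by"]:
            reasons.append("no recorded creator")
        if reasons:
            findings.append((r["user_id"], reasons))
    return findings


if __name__ == "__main__":
    for user, why in suspicious_accounts(parse_export(SAMPLE_EXPORT)):
        print(f"REVIEW {user}: {'; '.join(why)}")
```

Any account flagged here should be cross-checked against change tickets and the application server's HTTP access logs for the same time window before it is disabled.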

Sources

[1] https://www.sk-cert.sk/threat/sk-cert-bezpecnostne-varovanie-v20200714-01/

[2] https://www.zdnet.com/article/recon-bug-lets-hackers-create-admin-accounts-on-sap-servers/


« Späť na zoznam