CISA Urges Organizations To Patch Critical SAP Vulnerability


The US Department of Homeland Security has issued an alert regarding a security flaw in SAP Java-based services. CISA has urged enterprises to patch their systems against a critical SAP vulnerability that may have devastating consequences if exploited.

Critical SAP Vulnerability Discovered

In a recent advisory, the US DHS Cybersecurity and Infrastructure Security Agency (CISA) has warned of a critical SAP vulnerability potentially threatening enterprises.

The vulnerability, CVE-2020-6287, affects SAP NetWeaver AS JAVA (LM Configuration Wizard). It stems from a missing authentication check, which allows an unauthenticated attacker to execute arbitrary commands on the target system.
</gra_replace>
<gr_replace lines="25" cat="clarify" orig="This vulnerability">
This vulnerability received a CVSS score of 10. It first caught the attention of researchers at the cybersecurity firm Onapsis, who have shared a detailed analysis of this RECON (Remotely Exploitable Code On NetWeaver) vulnerability in a threat report.

Describing the impact of the exploit, the advisory reads,

If successfully exploited, a remote, unauthenticated attacker can obtain unrestricted access to SAP systems through the creation of high-privileged users and the execution of arbitrary operating system commands with the privileges of the SAP service user account (<sid>adm), which has unrestricted access to the SAP database and is able to perform application maintenance activities, such as shutting down federated SAP applications.

This vulnerability received a CVSS score of 10. It first caught the attention of researchers at cybersecurity firm Onapsis. They have shared a detailed analysis of this RECON (Remotely Exploitable Code On NetWeaver) vulnerability in a threat report.
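The bug class described above, a configuration endpoint that performs privileged actions without first verifying that the caller is authenticated, is easier to reason about on a small model. The following is an added illustration written for this article, not SAP's code, Onapsis's research code, or the actual LM Configuration Wizard; the request/handler model, the `/config/create-user` path, the role names and the audit format are all assumptions for the demo. It places the vulnerable handler beside a hardened one that enforces an authentication and role check before any privileged action and records denied attempts for monitoring.

```python
# Added illustration of the "missing authentication check" bug class.
# Everything here (paths, roles, handler model) is a constructed assumption,
# not SAP's implementation.

from dataclasses import dataclass, field
from typing import Optional, Dict, List, Tuple


@dataclass
class Request:
    path: str
    # Session identity of the caller; None means the request is unauthenticated.
    user: Optional[str] = None
    roles: frozenset = frozenset()
    params: Dict = field(default_factory=dict)


@dataclass
class System:
    users: Dict[str, set] = field(default_factory=dict)  # user -> set of roles
    audit: List[str] = field(default_factory=list)       # security-relevant events


def create_user(system: System, name: str, roles) -> str:
    """Privileged action: provisions an account with the given roles."""
    system.users[name] = set(roles)
    return f"created {name} with roles {sorted(roles)}"


def vulnerable_handler(system: System, req: Request) -> Tuple[int, str]:
    """Vulnerable pattern: the privileged action is reachable by any caller,
    authenticated or not, because no identity check precedes it."""
    if req.path == "/config/create-user":
        return 200, create_user(system, req.params["name"], req.params["roles"])
    return 404, "not found"


class AuthError(Exception):
    pass


def require_admin(req: Request) -> None:
    """Reject unauthenticated callers and callers lacking the admin role."""
    if req.user is None:
        raise AuthError("authentication required")
    if "administrator" not in req.roles:
        raise AuthError("administrator role required")


def hardened_handler(system: System, req: Request) -> Tuple[int, str]:
    """Hardened pattern: authentication and authorization are checked before
    the handler can reach any privileged action, and denials are audited."""
    try:
        require_admin(req)
    except AuthError as err:
        system.audit.append(f"DENIED path={req.path} user={req.user} reason={err}")
        return (401 if req.user is None else 403), str(err)
    if req.path == "/config/create-user":
        system.audit.append(f"ALLOWED path={req.path} user={req.user}")
        return 200, create_user(system, req.params["name"], req.params["roles"])
    return 404, "not found"


def demo() -> Dict:
    """Send the same unauthenticated request to both handlers and report
    whether a high-privileged account was created."""
    anon = Request("/config/create-user",
                   params={"name": "new_admin", "roles": ["administrator"]})
    vuln, hard = System(), System()
    v_status, _ = vulnerable_handler(vuln, anon)
    h_status, _ = hardened_handler(hard, anon)
    return {
        "vulnerable_status": v_status,
        "vulnerable_created": "new_admin" in vuln.users,
        "hardened_status": h_status,
        "hardened_created": "new_admin" in hard.users,
        "audit": hard.audit,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The hardened version returns 401 for an unauthenticated caller and 403 for an authenticated one without the administrator role, and each denial lands in the audit list; in a real deployment that audit trail is what a SOC would alert on while the patch is being rolled out.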

Patch Released – Update ASAP!

Upon discovering the flaw, the researchers and the vendor collaborated to develop a patch. According to the researchers, the vulnerability puts around 40,000 SAP systems at risk.

It affects the following SAP solutions, among others:

  • SAP Enterprise Resource Planning (ERP)
  • SAP Supply Chain Management (SCM)
  • SAP CRM (Java Stack)
  • SAP Enterprise Portal
  • SAP HR Portal
  • SAP Solution Manager (SolMan) 7.2
  • SAP Landscape Management (SAP LaMa)
  • SAP Process Integration/Orchestration (SAP PI/PO)
  • SAP Supplier Relationship Management (SRM)
  • SAP NetWeaver Mobile Infrastructure (MI)
  • SAP NetWeaver Development Infrastructure (NWDI)
  • SAP NetWeaver Composition Environment (CE)

Thankfully, the vendor has developed and released fixes for the vulnerability. CISA therefore urges users to review the SAP security update and apply the patches.

Let us know your thoughts in the comments.


Abeerah Hashim

Abeerah has been a passionate blogger for several years with a particular interest in science and technology. She is crazy to know everything about the latest tech developments. Knowing and writing about cybersecurity, hacking, and spying has always enchanted her. When she is not writing, what else can be a better pastime than web surfing and staying updated about the tech world! Reach out to me at: [email protected]
