The US Department of Homeland Security has issued an alert regarding a security flaw in SAP Java-based services. CISA has urged enterprises to patch their systems for a critical SAP vulnerability that may have devastating consequences upon exploitation.
Critical SAP Vulnerability Discovered
In a recent advisory, the US DHS Cybersecurity and Infrastructure Security Agency (CISA) has warned of a critical SAP vulnerability potentially threatening enterprises.
As elaborated, the vulnerability, CVE-2020-6287, affects SAP NetWeaver AS Java (LM Configuration Wizard). It exists due to a missing authentication check that allows an unauthenticated attacker to execute arbitrary commands on the target system.
Describing the impact of the exploit, the advisory reads,
If successfully exploited, a remote, unauthenticated attacker can obtain unrestricted access to SAP systems through the creation of high-privileged users and the execution of arbitrary operating system commands with the privileges of the SAP service user account (<sid>adm), which has unrestricted access to the SAP database and is able to perform application maintenance activities, such as shutting down federated SAP applications.
This vulnerability received a CVSS score of 10. It first caught the attention of researchers at the cybersecurity firm Onapsis, who have shared a detailed analysis of this RECON (Remotely Exploitable Code On NetWeaver) vulnerability in a threat report.
Patch Released – Update ASAP!
Upon discovering the flaw, the researchers and the vendor collaborated to develop a patch. According to the researchers, the vulnerability potentially puts around 40,000 SAP systems at risk.
It affects the following SAP solutions, among others:
- SAP Enterprise Resource Planning (ERP)
- SAP Supply Chain Management (SCM)
- SAP CRM (Java Stack)
- SAP Enterprise Portal
- SAP HR Portal
- SAP Solution Manager (SolMan) 7.2
- SAP Landscape Management (SAP LaMa)
- SAP Process Integration/Orchestration (SAP PI/PO)
- SAP Supplier Relationship Management (SRM)
- SAP NetWeaver Mobile Infrastructure (MI)
- SAP NetWeaver Development Infrastructure (NWDI)
- SAP NetWeaver Composition Environment (CE)
Thankfully, the vendor has developed and released fixes for the vulnerability. Hence, CISA has urged users to review the SAP security update and apply the patches.