RECON: Critical Vulnerability in SAP NetWeaver AS Java (CVE-2020-6287)

Description

The United States Cybersecurity and Infrastructure Security Agency (CISA) issued an announcement for CVE-2020-6287, a vulnerability in the LM Configuration Wizard of SAP NetWeaver AS Java. An unauthenticated attacker can exploit this vulnerability over the Hypertext Transfer Protocol (HTTP) to take control of trusted SAP applications. SAP NetWeaver AS for Java supports the SAP portal environment, which is likely to be affected because products using the SAP portal are typically Internet-facing. This ease of access further increases the likelihood of exploitation. The vulnerability is also known as RECON.


What are the specifics of the vulnerability?

RECON allows threat actors to create a user account with administrative privileges on affected SAP applications that are directly facing the Internet. This elevation of privilege ultimately grants an attacker full control of an SAP environment. No authentication is required: the attacker reaches the vulnerable component over HTTP from a remote, unauthenticated session. Discovered by researchers at Onapsis, this is one of several vulnerabilities this year to receive the highest possible CVSS score, 10.


Are there active reports of in-the-wild exploitation?

No. US-CISA states on its website that there have been no observations of active in-the-wild exploitation.


What operating systems are affected?

According to the advisory, applications running SAP NetWeaver AS Java 7.3 and later are affected. SAP products that include SAP NetWeaver AS Java and are therefore also affected are:

SAP Enterprise Resource Planning

SAP Product Lifecycle Management

SAP Customer Relationship Management

SAP Supply Chain Management

SAP Supplier Relationship Management

SAP NetWeaver Business Warehouse

SAP Business Intelligence

SAP NetWeaver Mobile Infrastructure

SAP Enterprise Portal

SAP Process Orchestration/Process Integration

SAP Solution Manager

SAP NetWeaver Development Infrastructure

SAP Central Process Scheduling

SAP NetWeaver Composition Environment

SAP Landscape Manager


Is there a patch available at this time?

Yes. Organizations running affected software are advised to apply the provided patch as soon as possible, especially on machines that are Internet-facing. For further information on the CVE and the patch, please visit SAP support bulletin 2934135, linked in the APPENDIX section (registration required).


What is the status of AV and IPS coverage?

IPS coverage is being investigated at this time. This threat signal will be updated once we have any relevant updates to provide.

AV coverage is not feasible for this event.


Any other suggested mitigation?

For organizations where patching is not feasible, US-CISA has recommended performing the following:

Scan SAP systems for all known vulnerabilities, such as missing security patches, dangerous system configurations, and vulnerabilities in SAP custom code.

Apply missing security patches immediately and institutionalize security patching as part of a periodic process.

Ensure secure configuration of your SAP landscape.

Identify and analyze the security settings of SAP interfaces between systems and applications to understand risks posed by these trust relationships.

Analyze systems for malicious or excessive user authorizations.

Monitor systems for indicators of compromise resulting from the exploitation of vulnerabilities.

Monitor systems for suspicious user behavior, including both privileged and non-privileged users.

Apply threat intelligence on new vulnerabilities to improve the security posture against advanced targeted attacks.

Define comprehensive security baselines for systems and continuously monitor for compliance violations and remediate detected deviations.

These recommendations apply to SAP systems in public, private, and hybrid cloud environments.
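The two monitoring recommendations above (indicators of compromise from exploitation, and suspicious privileged-user activity) can be combined into one concrete check for the RECON pattern the advisory describes: an unauthenticated HTTP request to the LM Configuration Wizard service followed shortly by the creation of a new administrator account. The script below is an added illustration, not code from the advisory, CISA or SAP. It assumes a Common Log Format web access log and a simplified user-management event line; the wizard path prefix and the field names are assumptions to be confirmed against SAP note 2934135 and your own log formats, and the sample log lines are constructed.

```python
"""Added example: flag new SAP Java users whose creation matches the RECON
abuse pattern (wizard service hit + admin role + no authenticated creator).
Log formats, field names and the wizard path are assumptions, not SAP's."""
import re
from datetime import datetime, timedelta, timezone

# Assumed URL prefix of the LM Configuration Wizard web service. Confirm the
# exact path for your release against SAP note 2934135 before deploying.
WIZARD_PATHS = ("/CTCWebService/",)
# Assumed names of roles that grant administrative control of the Java stack.
ADMIN_ROLES = {"Administrator", "SAP_J2EE_ADMIN"}
# How far back from a user-creation event to look for a wizard request.
WINDOW = timedelta(minutes=30)

# Constructed sample data (not captured from a real system).
ACCESS_LOG = """\
10.0.0.5 - - [14/Jul/2020:09:01:12 +0000] "POST /CTCWebService/CTCWebServiceBean HTTP/1.1" 200 512
10.0.0.7 - - [14/Jul/2020:09:05:40 +0000] "GET /irj/portal HTTP/1.1" 200 2048
"""
UME_EVENTS = """\
2020-07-14 09:02:30 USER_CREATED user=sapadm2 created_by=ANONYMOUS role=Administrator
2020-07-14 09:10:00 USER_CREATED user=jdoe created_by=ADMIN role=Everyone
"""

# Common Log Format: ip ident user [timestamp] "METHOD path proto" status size
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Simplified user-management event line (assumed format, timestamps in UTC).
UME_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) USER_CREATED '
    r'user=(?P<user>\S+) created_by=(?P<creator>\S+) role=(?P<role>\S+)$'
)


def wizard_hits(access_log):
    """Return (timestamp, source ip, path) for each request to a wizard path."""
    hits = []
    for line in access_log.splitlines():
        m = ACCESS_RE.match(line)
        if m and m["path"].startswith(WIZARD_PATHS):
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            hits.append((ts, m["ip"], m["path"]))
    return hits


def user_creations(events):
    """Parse user-creation events into dicts with timezone-aware timestamps."""
    out = []
    for line in events.splitlines():
        m = UME_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
            out.append({"ts": ts, "user": m["user"], "creator": m["creator"], "role": m["role"]})
    return out


def find_suspicious(access_log, events, window=WINDOW):
    """Return creations that show at least two RECON indicators at once.

    Any single signal is routine on its own (admins do create admins, and the
    wizard service is used legitimately during configuration); the combination
    is what matches the exploitation pattern described in the advisory.
    """
    hits = wizard_hits(access_log)
    findings = []
    for ev in user_creations(events):
        reasons = []
        if ev["role"] in ADMIN_ROLES:
            reasons.append("administrative role granted at creation")
        if ev["creator"] == "ANONYMOUS":
            reasons.append("created without an authenticated actor")
        nearby = [h for h in hits if ev["ts"] - window <= h[0] <= ev["ts"]]
        if nearby:
            reasons.append("wizard service request from %s within %d min"
                           % (nearby[0][1], window.seconds // 60))
        if len(reasons) >= 2:
            findings.append({"user": ev["user"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious(ACCESS_LOG, UME_EVENTS):
        print("SUSPICIOUS user creation: %s" % f["user"])
        for r in f["reasons"]:
            print("  - " + r)
```

Run against real data by feeding the ICM/web dispatcher access log and the exported UME or security audit events in place of the constructed strings; the correlation window and the role list are the two knobs to tune to your landscape. On the sample data only `sapadm2` is flagged, with all three indicators; `jdoe` is created by an authenticated administrator with a non-privileged role and is ignored even though a wizard request fell inside its window.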

Also, if patching is deemed not feasible at this time, it is recommended that a risk assessment be conducted to determine additional mitigation safeguards within the environment. FortiGuard Labs recommends that all AV and IPS definitions be kept up to date on a continual basis, and that organizations maintain a proactive patching routine for when vendor updates become available. For additional guidance, please refer to the APPENDIX section, which contains links to specific vendor suggestions and mitigations.