Threat Watch

Critical Vulnerability Affects SAP Applications

A new critical vulnerability (CVE-2020-6287) in SAP's Enterprise Resource Planning (ERP) applications has been disclosed, and SAP released a patch on July 13th, 2020. Any organization using SAP should check whether it is running a vulnerable application and install the patch immediately. If an organization cannot patch immediately, it should disable the LM Configuration Wizard service (SAP Security Note #2939665) to mitigate the vulnerability until the system can be patched. In its alert, the US Cybersecurity and Infrastructure Security Agency (CISA) strongly recommends that organizations patch immediately, while noting that it is not aware of any active exploitation of this vulnerability. The vulnerability affects the default configuration of SAP applications running on SAP NetWeaver AS Java 7.3 and any newer version up to 7.5. By exploiting it over Hypertext Transfer Protocol (HTTP), a remote unauthenticated attacker can gain unrestricted access to SAP systems by creating privileged user accounts and executing arbitrary operating system commands with the privileges of the SAP user account <sid>adm. That account has unrestricted access to the SAP database and can shut down federated SAP applications, along with performing other maintenance activities. All of this could give an attacker access to any confidential information an organization holds within SAP.

ANALYST NOTES

Although no active exploitation of this vulnerability has been observed yet, it typically does not take threat actors long to begin carrying out attacks. With the vulnerability disclosed only a day ago, it is probable that threat actors will soon begin using it against companies that have neither installed the patches nor disabled the LM Configuration Wizard service in SAP. Any time a vulnerability receives a rating of 10 out of 10 on the CVSS scale, an organization should handle it immediately, both because of the severity of the issue and because of the low level of technical skill a threat actor needs to exploit it.

More information can be found here: https://us-cert.cisa.gov/ncas/alerts/aa20-195a