AA20-195A: Critical Vulnerability in SAP NetWeaver AS Java

Original release date: July 13, 2020SummaryOn July 13, 2020 EST, SAP released a security update to address a critical vulnerability, CVE-2020-6287, affecting the SAP NetWeaver Application Server (AS) Java component LM Configuration Wizard. An unauthenticated attacker can exploit this vulnerability through the Hypertext Transfer Protocol (HTTP) to take control of trusted SAP applications. Due to the criticality of this vulnerability, the attack surface this vulnerability represents, and the importance of SAP’s business applications, the Cybersecurity and Infrastructure Security Agency (CISA) strongly recommends organizations immediately apply patches. CISA recommends organizations prioritize patching internet-facing systems, and then internal systems. Organizations that are unable to immediately patch should mitigate the vulnerability by disabling the LM Configuration Wizard service (see SAP Security Note #2939665). Should these options be unavailable or if the actions will take more than 24 hours to complete, CISA strongly recommends closely monitoring your SAP NetWeaver AS for anomalous activity. CISA is unaware of any active exploitation of these vulnerabilities at the time of this report. However, because patches have been publicly released, the underlying vulnerabilities could be reverse-engineered to create exploits that target unpatched systems.   Technical DetailsAffected Systems This vulnerability is present by default in SAP applications running on top of SAP NetWeaver AS Java 7.3 and any newer versions (up to SAP NetWeaver 7.5). Potentially vulnerable SAP business solutions include any SAP Java-based solutions such as (but not limited to): SAP Enterprise Resource Planning, SAP Product Lifecycle Management, SAP Customer Relationship Management, SAP Supply Chain Management, SAP Supplier Relationship Management, SAP NetWeaver Business Warehouse, SAP Business Intelligence, SAP NetWeaver Mobile Infrastructure, SAP Enterprise Portal, SAP Process Orchestration/Process Integration), SAP Solution Manager, SAP NetWeaver Development Infrastructure, SAP Central Process Scheduling, SAP NetWeaver Composition Environment, and SAP Landscape Manager. Attack Surface The vulnerability was identified in a component that is part of the SAP NetWeaver AS Java. This technology stack is part of the SAP Solution Manager, which is a support and system management suite. The SAP NetWeaver AS for Java technology supports the SAP Portal component, which may therefore be affected by this vulnerability and is typically exposed to the internet. Passive analysis of internet-facing applications indicates that a number of such applications are connected to the internet and could be affected by this vulnerability. Description On July 13, 2020 EST, SAP released the patch for a critical vulnerability, CVE-2020-6287, affecting its NetWeaver AS for Java component. This vulnerability can lead to compromise of vulnerable SAP installations, including the modification or extraction of highly sensitive information, as well as the disruption of critical business processes. A remote, unauthenticated attacker can exploit this vulnerability through an HTTP interface, which is typically exposed to end users and, in many cases, exposed to the internet. The vulnerability is introduced due to the lack of authentication in a web component of the SAP NetWeaver AS for Java allowing for several high-privileged activities on the SAP system. Impact If successfully exploited, a remote, unauthenticated attacker can obtain unrestricted access to SAP systems through the…

Continue Reading — AA20-195A: Critical Vulnerability in SAP NetWeaver AS Java

What is in your mind, about this post ? Leave a Reply

Close
  Our next learning article is ready, subscribe it in your email

What is your Learning Goal for Next Six Months ? Talk to us