Threat Signal Report

RECON: Critical Vulnerability in SAP NetWeaver AS Java (CVE-2020-6287)

Description

The United States Cybersecurity and Infrastructure Security Agency (CISA) issued an announcement for CVE-2020-6287, a vulnerability in SAP NetWeaver AS JAVA (LM Configuration Wizard). An unauthenticated attacker can exploit this vulnerability through the Hypertext Transfer Protocol (HTTP) to take control of trusted SAP applications. SAP NetWeaver AS for Java supports the SAP portal environment, which is likely to be affected by this vulnerability because products using the SAP portal are typically Internet-facing. This ease of access further increases the likelihood of exploitation. This vulnerability is also known as RECON.


What are the specifics of the vulnerability?

RECON allows threat actors to create a user account with administrative privileges on affected SAP applications that are directly facing the Internet. This elevation of privilege ultimately grants an attacker full control of an SAP environment. An unauthenticated attacker can exploit this vulnerability through the Hypertext Transfer Protocol (HTTP), without any prior credentials, to take control of trusted SAP applications. Discovered by researchers at Onapsis, this is one of several vulnerabilities this year to receive the highest possible CVSS score, 10.


Are there active reports of in-the-wild exploitation?

No. US-CISA states on its website that there are no observations of active in-the-wild exploitation.


What operating systems are affected?

According to the advisory, applications running SAP NetWeaver AS JAVA 7.3 and up are affected. The vulnerable SAP products that include the affected SAP JAVA component are:

SAP Enterprise Resource Planning

SAP Product Lifecycle Management

SAP Customer Relationship Management

SAP Supply Chain Management

SAP Supplier Relationship Management

SAP NetWeaver Business Warehouse

SAP Business Intelligence

SAP NetWeaver Mobile Infrastructure

SAP Enterprise Portal

SAP Process Orchestration/Process Integration

SAP Solution Manager

SAP NetWeaver Development Infrastructure

SAP Central Process Scheduling

SAP NetWeaver Composition Environment

SAP Landscape Manager


Is there a patch available at this time?

Yes. It is advised that organizations running affected software apply the provided patch as soon as possible, especially on machines that are Internet-facing. For further information on the CVE and the patch, please visit SAP support bulletin 2934135, linked in the APPENDIX section. (Registration Required)


What is the status of AV and IPS coverage?

IPS coverage is being investigated at this time. This threat signal will be updated once we have any relevant updates to provide.

AV coverage is not feasible for this event.


Any other suggested mitigation?

For organizations where patching is not feasible, US-CISA has recommended performing the following:

Scan SAP systems for all known vulnerabilities, such as missing security patches, dangerous system configurations, and vulnerabilities in SAP custom code.

Apply missing security patches immediately and institutionalize security patching as part of a periodic process.

Ensure secure configuration of your SAP landscape.

Identify and analyze the security settings of SAP interfaces between systems and applications to understand risks posed by these trust relationships.

Analyze systems for malicious or excessive user authorizations.

Monitor systems for indicators of compromise resulting from the exploitation of vulnerabilities.

Monitor systems for suspicious user behavior, including both privileged and non-privileged users.

Apply threat intelligence on new vulnerabilities to improve the security posture against advanced targeted attacks.

Define comprehensive security baselines for systems and continuously monitor for compliance violations and remediate detected deviations.

These recommendations apply to SAP systems in public, private, and hybrid cloud environments.
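The two monitoring recommendations above (indicators of compromise from exploitation, and suspicious privileged-user behaviour) come down to one concrete question for RECON: was an administrative account created or granted without an authenticated, expected actor? The following is an added example, not code from the advisory, CISA or SAP; it runs a simple detection pass over constructed audit events. The JSON event format, the field names, the role name "Administrator", the provisioning identities and the internal network ranges are all assumptions for this example and are not SAP's audit-log format.

```python
"""
Added example (not part of the advisory): flag account creations or role
assignments that grant administrative privilege either from an unauthenticated
session, from an actor outside the expected provisioning identities, or from a
client address outside the management networks.
"""
import ipaddress
import json
from dataclasses import dataclass

# Constructed sample audit events (JSON lines). Assumption: each event carries
# the action, the acting identity (empty when the session was unauthenticated),
# the target account, the roles granted and the client address.
SAMPLE_AUDIT = """\
{"ts": "2020-07-14T10:02:11Z", "action": "USER_CREATE", "actor": "identity-sync", "target": "jdoe", "roles": ["Everyone"], "client_ip": "10.20.1.5"}
{"ts": "2020-07-14T10:05:43Z", "action": "USER_CREATE", "actor": "", "target": "sapsupport2", "roles": ["Administrator"], "client_ip": "203.0.113.77"}
{"ts": "2020-07-14T10:06:02Z", "action": "ROLE_ASSIGN", "actor": "admin.ops", "target": "mbuilder", "roles": ["Administrator"], "client_ip": "10.20.1.9"}
{"ts": "2020-07-14T11:30:00Z", "action": "ROLE_ASSIGN", "actor": "", "target": "svc_backup", "roles": ["Administrator"], "client_ip": "10.20.3.4"}
"""

ADMIN_ROLES = {"Administrator"}                      # assumption: admin role name in this landscape
PROVISIONING_ACTORS = {"identity-sync", "admin.ops"}  # assumption: identities allowed to grant admin
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumption: management networks


@dataclass
class Alert:
    ts: str
    target: str
    reasons: list


def is_internal(ip: str) -> bool:
    """True when the client address falls inside an expected management network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def analyse(audit_text: str) -> list:
    """Return one Alert per event that grants an admin role under suspicious conditions."""
    alerts = []
    for line in audit_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev["action"] not in ("USER_CREATE", "ROLE_ASSIGN"):
            continue
        if not ADMIN_ROLES.intersection(ev["roles"]):
            continue  # no administrative privilege involved
        reasons = []
        if not ev["actor"]:
            reasons.append("admin role granted from an unauthenticated session")
        elif ev["actor"] not in PROVISIONING_ACTORS:
            reasons.append(f"unexpected actor {ev['actor']}")
        if not is_internal(ev["client_ip"]):
            reasons.append(f"client {ev['client_ip']} outside management networks")
        if reasons:
            alerts.append(Alert(ev["ts"], ev["target"], reasons))
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_AUDIT):
        print(alert.ts, alert.target, "; ".join(alert.reasons))
```

On the constructed sample the pass raises two alerts: the creation of sapsupport2 (unauthenticated session and an external client) and the admin grant to svc_backup (unauthenticated session, internal client); the routine grants by identity-sync and admin.ops are ignored. In a real landscape the event source would be the SAP security audit log or the user-management change history, and the allow-lists would come from the baseline the last recommendation asks you to define.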

Also, if it is deemed that patching is not feasible at this time, it is recommended that a risk assessment be conducted to determine additional mitigation safeguards within the environment. FortiGuard Labs recommends that all AV and IPS definitions are kept up to date on a continual basis, and that organizations maintain a proactive patching routine for when vendor updates become available. For additional guidance, please refer to the APPENDIX section, which contains links to specific vendor suggestions and mitigations.


Definitions

Traffic Light Protocol

Color | When should it be used? | How may it be shared?

TLP: RED

Not for disclosure, restricted to participants only.
Sources may use TLP:RED when information cannot be effectively acted upon by additional parties, and could lead to impacts on a party's privacy, reputation, or operations if misused. Recipients may not share TLP:RED information with any parties outside of the specific exchange, meeting, or conversation in which it was originally disclosed. In the context of a meeting, for example, TLP:RED information is limited to those present at the meeting. In most circumstances, TLP:RED should be exchanged verbally or in person.

TLP: AMBER

Limited disclosure, restricted to participants’ organizations.
Sources may use TLP:AMBER when information requires support to be effectively acted upon, yet carries risks to privacy, reputation, or operations if shared outside of the organizations involved. Recipients may only share TLP:AMBER information with members of their own organization, and with clients or customers who need to know the information to protect themselves or prevent further harm. Sources are at liberty to specify additional intended limits of the sharing: these must be adhered to.

TLP: GREEN

Limited disclosure, restricted to the community.
Sources may use TLP:GREEN when information is useful for the awareness of all participating organizations as well as with peers within the broader community or sector. Recipients may share TLP:GREEN information with peers and partner organizations within their sector or community, but not via publicly accessible channels. Information in this category can be circulated widely within a particular community. TLP:GREEN information may not be released outside of the community.

TLP: WHITE

Disclosure is not limited.
Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction.