
AA20-195A: Critical Vulnerability in SAP NetWeaver AS Java
Original release date: July 13, 2020

Summary

On July 13, 2020 EST, SAP released a security update to address a critical vulnerability, CVE-2020-6287, affecting the SAP NetWeaver Application Server (AS) Java component LM Configuration Wizard. An unauthenticated attacker can exploit this vulnerability through the Hypertext Transfer Protocol (HTTP) to take control of trusted SAP applications.

Due to the criticality of this vulnerability, the attack surface this vulnerability represents, and the importance of SAP’s business applications, the Cybersecurity and Infrastructure Security Agency (CISA) strongly recommends organizations immediately apply patches. CISA recommends organizations prioritize patching internet-facing systems, and then internal systems.

Organizations that are unable to patch immediately should mitigate the vulnerability by disabling the LM Configuration Wizard service (see SAP Security Note #2939665). If neither option is available, or if either action will take more than 24 hours to complete, CISA strongly recommends closely monitoring the SAP NetWeaver AS for anomalous activity.

CISA is unaware of any active exploitation of this vulnerability at the time of this report. However, because the patch has been publicly released, the underlying vulnerability could be reverse-engineered to create exploits that target unpatched systems.


Technical Details

Affected Systems

This vulnerability is present by default in SAP applications running on top of SAP NetWeaver AS Java 7.3 and newer, up to and including SAP NetWeaver 7.5. Potentially vulnerable SAP business solutions include any SAP Java-based solutions, such as (but not limited to):

  • SAP Enterprise Resource Planning,
  • SAP Product Lifecycle Management,
  • SAP Customer Relationship Management,
  • SAP Supply Chain Management,
  • SAP Supplier Relationship Management,
  • SAP NetWeaver Business Warehouse,
  • SAP Business Intelligence,
  • SAP NetWeaver Mobile Infrastructure,
  • SAP Enterprise Portal,
  • SAP Process Orchestration/Process Integration,
  • SAP Solution Manager,
  • SAP NetWeaver Development Infrastructure,
  • SAP Central Process Scheduling,
  • SAP NetWeaver Composition Environment, and
  • SAP Landscape Manager.

Attack Surface

The vulnerability was identified in a component that is part of the SAP NetWeaver AS Java. This technology stack is part of the SAP Solution Manager, which is a support and system management suite.

SAP NetWeaver AS for Java also underpins the SAP Portal component, which may therefore be affected by this vulnerability and is typically exposed to the internet. Passive analysis of internet-facing applications indicates that a number of such Portal deployments are reachable from the internet and could be affected by this vulnerability.


Description

On July 13, 2020 EST, SAP released the patch for a critical vulnerability, CVE-2020-6287, affecting its NetWeaver AS for Java component. This vulnerability can lead to compromise of vulnerable SAP installations, including the modification or extraction of highly sensitive information, as well as the disruption of critical business processes. A remote, unauthenticated attacker can exploit this vulnerability through an HTTP interface, which is typically exposed to end users and, in many cases, exposed to the internet.

The vulnerability stems from missing authentication in a web component of SAP NetWeaver AS for Java, which allows a remote caller to perform several high-privileged operations on the SAP system.


Impact

If successfully exploited, a remote, unauthenticated attacker can obtain unrestricted access to SAP systems by creating high-privileged users and executing arbitrary operating system commands with the privileges of the SAP service user account (<sid>adm). That account has unrestricted access to the SAP database and can perform application maintenance activities, such as shutting down federated SAP applications. The confidentiality, integrity, and availability of the data and processes hosted by the SAP application are all put at risk by this vulnerability.


Mitigations

CISA strongly recommends organizations review SAP Security Note #2934135 for more information and apply critical patches as soon as possible. CISA recommends prioritizing patching over application of individual mitigations. When patching, external-facing systems should be addressed urgently, followed by internal systems.

Patched versions of the affected components are available at the SAP One Support Launchpad.
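The following Python script is an added example, not part of CISA's alert or any SAP tool. It encodes the decision rules stated in the Summary and Affected Systems sections (affected releases are SAP NetWeaver AS Java 7.30 through 7.50; patch internet-facing systems first; hosts that cannot be patched within 24 hours should have the LM Configuration Wizard disabled per SAP Note 2939665 or be placed under close monitoring) as a repeatable triage over an inventory. The inventory fields, host names and release strings are constructed assumptions for illustration.

```python
"""Patch-triage helper for CVE-2020-6287 (SAP NetWeaver AS Java, LM Configuration Wizard).

Added example: applies the alert's own prioritisation rules to a constructed
host inventory. Field names and sample hosts are assumptions, not SAP's or CISA's.
"""
from dataclasses import dataclass
from typing import List, Tuple

AFFECTED_MIN = (7, 30)   # SAP NetWeaver AS Java 7.30 ...
AFFECTED_MAX = (7, 50)   # ... up to and including 7.50 (per the alert)


def parse_release(release: str) -> Tuple[int, int]:
    """Turn a release string such as '7.31', '7.5' or '7.50 SP17' into (major, minor).

    SAP writes minor releases with two digits ('7.50'); a single digit ('7.5')
    is normalised so that '7.5' and '7.50' compare equal.
    """
    core = release.strip().split()[0]            # drop any trailing 'SPxx' label
    major_s, _, minor_s = core.partition(".")
    minor_s = (minor_s or "0").ljust(2, "0")[:2]  # '5' -> '50', '02' -> '02'
    return int(major_s), int(minor_s)


def is_affected(release: str) -> bool:
    """True when the AS Java release falls inside the vulnerable range."""
    return AFFECTED_MIN <= parse_release(release) <= AFFECTED_MAX


@dataclass
class Host:
    name: str
    release: str
    internet_facing: bool
    patch_eta_hours: int          # hours until SAP Note 2934135 can be applied
    wizard_disabled: bool = False  # LM Configuration Wizard already disabled (Note 2939665)


def recommend(host: Host) -> str:
    """Map one host to the action the alert asks for."""
    if not is_affected(host.release):
        return "not-affected"
    if host.patch_eta_hours <= 24:
        return "patch"                      # patching is preferred over mitigation
    if host.wizard_disabled:
        return "patch-after-mitigation"     # mitigated; still schedule the patch
    return "disable-wizard-and-monitor"     # >24h exposure without mitigation


def triage(hosts: List[Host]) -> List[Tuple[str, str]]:
    """Return (host, action) pairs for affected hosts, internet-facing first.

    Ties are broken by name so the output is stable across runs.
    """
    affected = [h for h in hosts if is_affected(h.release)]
    ordered = sorted(affected, key=lambda h: (not h.internet_facing, h.name))
    return [(h.name, recommend(h)) for h in ordered]


# Constructed sample inventory (hypothetical hosts, not real systems).
SAMPLE_HOSTS = [
    Host("portal-dmz-01", "7.50 SP17", internet_facing=True,  patch_eta_hours=6),
    Host("solman-int-01", "7.40",      internet_facing=False, patch_eta_hours=72),
    Host("pi-dmz-02",     "7.31",      internet_facing=True,  patch_eta_hours=48,
         wizard_disabled=True),
    Host("bw-int-03",     "7.02",      internet_facing=False, patch_eta_hours=12),
]

if __name__ == "__main__":
    for name, action in triage(SAMPLE_HOSTS):
        print(f"{name:16} {action}")
```

The release parser deliberately treats "7.5" and "7.50" as the same release, since both spellings appear in SAP documentation and in this alert; a naive string or float comparison would misclassify "7.5" against "7.30".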

Additional Recommendations

CISA encourages users and administrators of SAP products to:

  • Scan SAP systems for all known vulnerabilities, such as missing security patches, dangerous system configurations, and vulnerabilities in SAP custom code.
  • Apply missing security patches immediately and institutionalize security patching as part of a periodic process.
  • Ensure secure configuration of the SAP landscape.
  • Identify and analyze the security settings of SAP interfaces between systems and applications to understand the risks posed by these trust relationships.
  • Analyze systems for malicious or excessive user authorizations.
  • Monitor systems for indicators of compromise resulting from the exploitation of vulnerabilities.
  • Monitor systems for suspicious user behavior, including both privileged and non-privileged users.
  • Apply threat intelligence on new vulnerabilities to improve the security posture against advanced targeted attacks.
  • Define comprehensive security baselines for systems, continuously monitor for compliance violations, and remediate detected deviations.

These recommendations apply to SAP systems in public, private, and hybrid cloud environments.

See the Onapsis report on the “RECON” SAP Vulnerability for more information.

ACKNOWLEDGEMENTS

SAP and Onapsis contributed to this Alert.

RESOURCES

[1] Onapsis Threat Report: https://www.onapsis.com/recon-sap-cyber-security-vulnerability
[2] CVE-2020-6287: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6287
[3] SAP Security Note 2934135 (patch for this issue): https://launchpad.support.sap.com/#/notes/2934135
[4] SAP Trust Center: https://www.sap.com/security
[5] SAP Monthly Security Patch Day Blog: https://wiki.scn.sap.com/wiki/display/PSR/The+Official+SAP+Product+Security+Response+Space

Revisions

  • July, 13 2020: Initial Version

Source: https://us-cert.cisa.gov/ncas/alerts/aa20-195a