SAP Patches Critical Flaw Across Product Line

SAP has released fixes for a critical, remotely exploitable vulnerability affecting many of its enterprise products; successful exploitation can give an unauthenticated attacker complete access to an affected system.

The vulnerability (CVE-2020-6287) is in the NetWeaver Application Server Java LM Wizard Configuration component, which is present in a long list of the company’s popular enterprise applications, including ERP, CRM, Product Lifecycle Management, Business Warehouse, and many others. Because of the ease of exploitation and the broad deployment of the affected products, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) said in an advisory that enterprises running affected products should patch as quickly as possible.

“This vulnerability can lead to compromise of vulnerable SAP installations, including the modification or extraction of highly sensitive information, as well as the disruption of critical business processes. A remote, unauthenticated attacker can exploit this vulnerability through an HTTP interface, which is typically exposed to end users and, in many cases, exposed to the internet,” the CISA advisory says.

“The vulnerability is introduced due to the lack of authentication in a web component of the SAP NetWeaver AS for Java allowing for several high-privileged activities on the SAP system.”

The consequences of an attacker exploiting the vulnerability can vary depending on the product that’s targeted, but the worst case would grant the attacker full privileges on the system.

“If successfully exploited, a remote, unauthenticated attacker can obtain unrestricted access to SAP systems through the creation of high-privileged users and the execution of arbitrary operating system commands with the privileges of the SAP service user account (<sid>adm), which has unrestricted access to the SAP database and is able to perform application maintenance activities, such as shutting down federated SAP applications. The confidentiality, integrity, and availability of the data and processes hosted by the SAP application are at risk by this vulnerability,” the CISA advisory says.

SAP released patches for the vulnerability on Monday, and both the company and CISA are urging security teams to update their systems immediately, prioritizing externally facing systems.

“SAP customers should pay close attention to their access logs and monitor for unauthorized user account creation—namely, SAP customers should be on the lookout for unusual processes spawned under the context of users that match the <sid>adm naming convention. File metadata may also be a good way to identify when SAP NetWeaver software spawns non-SAP binaries. Rapid7 also recommends ensuring that any web service does not run using a privileged account,” an analysis by Rapid7 says.
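The two hunting checks described above (non-SAP binaries spawned under a `<sid>adm` account by a NetWeaver process, and account-management tools run in that context) as an added example, not code from Rapid7 or SAP. The process-start log format, the `np1adm` user, and the event lines are all constructed for this example; a real deployment would feed it from auditd, EDR or similar telemetry.

```python
import re
from dataclasses import dataclass

# Constructed sample of process-start events. The layout
# "timestamp user parent_exe child_exe" is hypothetical and exists only for
# this example; map your own telemetry into these four fields.
SAMPLE_EVENTS = """\
2020-07-14T10:01:02Z np1adm /usr/sap/NP1/J00/exe/jstart /usr/sap/NP1/J00/exe/icman
2020-07-14T10:01:05Z np1adm /usr/sap/NP1/J00/exe/jstart /bin/sh
2020-07-14T10:01:06Z np1adm /bin/sh /usr/sbin/useradd
2020-07-14T10:02:00Z root /usr/sbin/cron /usr/bin/find
2020-07-14T10:02:30Z np1adm /usr/sap/NP1/J00/exe/jstart /usr/sap/NP1/J00/exe/sapcpe
"""

# SAP service accounts follow the <sid>adm convention: three-character SID + "adm".
SAP_ADM_USER = re.compile(r"^[a-z0-9]{3}adm$")
# Binaries shipped with the SAP kernel live under the instance directory (assumed path).
SAP_BINARY_PREFIX = "/usr/sap/"
# Local account-management tools that a NetWeaver instance has no reason to run.
ACCOUNT_MGMT_TOOLS = {"/usr/sbin/useradd", "/usr/sbin/usermod", "/usr/sbin/adduser"}


@dataclass
class Finding:
    timestamp: str
    user: str
    exe: str
    reason: str


def parse_event(line):
    """Split one constructed event line into (timestamp, user, parent_exe, child_exe)."""
    timestamp, user, parent, exe = line.split()
    return timestamp, user, parent, exe


def find_suspicious(log_text):
    """Return findings for events that match the hunting guidance in the article."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        timestamp, user, parent, exe = parse_event(line)
        if not SAP_ADM_USER.match(user):
            continue  # only the SAP service-account context is of interest here
        if exe in ACCOUNT_MGMT_TOOLS:
            findings.append(Finding(timestamp, user, exe, "account-management tool run as <sid>adm"))
        elif parent.startswith(SAP_BINARY_PREFIX) and not exe.startswith(SAP_BINARY_PREFIX):
            findings.append(Finding(timestamp, user, exe, "non-SAP binary spawned by SAP process"))
    return findings
```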