Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Tenable Blog

Subscribe

CVE-2020-6287: Critical Vulnerability in SAP NetWeaver Application Server JAVA Disclosed (RECON)

Researchers disclosed a critical flaw in SAP NetWeaver Application Server that could allow an attacker to gain access to any SAP application. Organizations are strongly encouraged to apply patches as soon as possible.

Update July 16, 2020: A proof of concept script has become publicly available for CVE-2020-6286. The proof of concept section of our blog has been updated accordingly.

Background

Around 5 p.m. PST on July 13, SAP disclosed two vulnerabilities in SAP NetWeaver Application Server JAVA (AS JAVA), including a critical flaw reported by the security firm Onapsis. SAP NetWeaver is considered the “central foundation for the entire SAP software stack” and allows access to SAP data over Hypertext Transfer Protocol (HTTP). The flaws reside in the LM Configuration Wizard, a component of AS JAVA.

Analysis

CVE-2020-6287 is caused by a complete lack of authentication in the SAP NetWeaver AS Java’s LM Configuration Wizard. Due to the lack of authentication, a remote unauthenticated attacker could execute “critical actions,” including creating an administrator user and providing them with the “keys to the kingdom” over the SAP NetWeaver AS JAVA system. An attacker could gain access to adm, the operating system user that has “unlimited access to all local resources related to SAP systems.” The vendor assigned this vulnerability a CVSSv3 score of 10.0, the highest possible CVSS score. This vulnerability has been dubbed Remotely Exploitable Code On NetWeaver (or “RECON”) by security researchers at Onapsis.

CVE-2020-6286 is a path traversal vulnerability due to the lack of input validation for a path in a “certain parameter” of the web service. An unauthenticated, remote attacker could exploit this vulnerability and “download zip files to a specific directory.” The vendor assigned this vulnerability a CVSSv3 score of 5.3.

Vulnerability potentially affects multiple SAP solutions

According to an alert from the Cybersecurity Infrastructure Security Agency (CISA), CVE-2020-6287 is present by default in SAP applications running on top of SAP NetWeaver AS Java v7.3 and newer, including SAP NetWeaver v7.5. Additionally, this could potentially affect a variety of other SAP Java-based business solutions, including the following:

Publicly accessible NetWeaver AS JAVA systems

According to Onapsis, which identified and reported CVE-2020-6287 to SAP, more than 40,000 SAP customers may be affected. Based on a BinaryEdge search, there are at least 4,000 publicly accessible SAP NetWeaver AS JAVA systems. However, it is very likely that there are additional publicly accessible and vulnerable systems.

Proof of concept

A proof-of-concept (PoC) for CVE-2020-6286 has been published by security researcher Dmitry Chastuhin to his GitHub repository. The script allows the download of any zip file from a vulnerable SAP server.

At the time this blog post was published, there was no PoC code publicly available for CVE-2020-6287. However, considering the simplistic nature of potential exploitation for this vulnerability and publicly available patches that can be reverse engineered, we anticipate that a PoC will be published very quickly.

Solution

To address these CVEs, SAP released security updates in SAP Security Note #2934135 as part of their Security Patch Day for July 2020. According to the SAP Security Note #2934135, if the patch cannot be applied, the proposed workaround is to disable the LM Configuration Service (tc~lm~ctc~cul~startup_app application). While the workaround is defined as “defense in depth,” SAP notes that this is “not a solution.” SAP provides additional information on disabling the LM Configuration Service in SAP Security Note #2939665. Based on the severity of this vulnerability, we strongly recommend applying patches as soon as possible, focusing on internet-facing systems which are more at risk than internal systems.

Identifying affected systems

A list of Tenable plugins to identify these vulnerabilities will appear here as they’re released.

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 30-day trial of Tenable.io Vulnerability Management.

Related Articles

Cybersecurity News You Can Use

Enter your email and never miss timely alerts and security guidance from the experts at Tenable.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Try Tenable Web App Scanning

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable One Exposure Management platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Your Tenable Web App Scanning trial also includes Tenable Vulnerability Management and Tenable Lumin.

Buy Tenable Web App Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

5 FQDNs

$3,578

Buy Now

Try Tenable Lumin

Visualize and explore your exposure management, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Your Tenable Lumin trial also includes Tenable Vulnerability Management and Tenable Web App Scanning.

Buy Tenable Lumin

Contact a Sales Representative to see how Tenable Lumin can help you gain insight across your entire organization and manage cyber risk.

Try Tenable Nessus Professional Free

FREE FOR 7 DAYS

Tenable Nessus is the most comprehensive vulnerability scanner on the market today.

NEW - Tenable Nessus Expert
Now Available

Nessus Expert adds even more features, including external attack surface scanning, and the ability to add domains and scan cloud infrastructure. Click here to Try Nessus Expert.

Fill out the form below to continue with a Nessus Pro Trial.

Buy Tenable Nessus Professional

Tenable Nessus is the most comprehensive vulnerability scanner on the market today. Tenable Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year.

Select Your License

Buy a multi-year license and save.

Add Support and Training

Try Tenable Nessus Expert Free

FREE FOR 7 DAYS

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Already have Tenable Nessus Professional?
Upgrade to Nessus Expert free for 7 days.

Buy Tenable Nessus Expert

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Select Your License

Buy a multi-year license and save more.

Add Support and Training