CVE-2020-6287: Critical Vulnerability in SAP NetWeaver Application Server (AS) Java
Description
SAP NetWeaver AS JAVA (LM Configuration Wizard), versions – 7.30, 7.31, 7.40, 7.50, does not perform an authentication check which allows an attacker without prior authentication to execute configuration tasks to perform critical actions against the SAP Java system, including the ability to create an administrative user, and therefore compromising Confidentiality, Integrity and Availability of the system, leading to Missing Authentication Check.
Ratings
- Attacker Value: Very High
- Exploitability: Very High
Technical Analysis
This is an incredibly attractive and simple attack target: It’s an easily exploitable vulnerability in a highly-exposed HTTP interface (frequently user- and internet-facing) where successful exploitation allows remote, unauthenticated attackers to create user accounts with the highest possible privileges and generally declare themselves the feudal lords of critical SAP estates.
It’s difficult to imagine that widespread exploitation would take much time at all. SAP included a mitigation in the patch release details, but with so many mitigation bypasses coming out for other recent critical vulns, it’s definitely advisable to take CISA’s guidance to heart—i.e., patch over mitigation wherever possible and as quickly as possible.
Technical Analysis
Description:
SAP NetWeaver AS JAVA (LM Configuration Wizard), versions – 7.30, 7.31, 7.40, 7.50, does not perform an authentication check which allows an attacker without prior authentication to execute configuration tasks to perform critical actions against the SAP Java system, including the ability to create an administrative user, and therefore compromising Confidentiality, Integrity and Availability of the system, leading to Missing Authentication Check.
POC
https://github.com/chipik/SAP_RECON/blob/master/RECON.py
General Information
Vendors
- SAP SE
Products
- SAP NetWeaver AS JAVA (LM Configuration Wizard)
Additional Info
Technical Analysis
Overview
On July 13, 2020, SAP published details on 10 vulnerabilities in their business solutions, the most severe of which is CVE-2020-6287, a critical vulnerability affecting the SAP NetWeaver Application Server (AS) Java component LM Configuration Wizard. Remote, unauthenticated attackers can exploit CVE-2020-6287 through an HTTP interface, which is typically exposed to end users and to the internet. The vulnerability can lead to full compromise of vulnerable SAP installations, including modification or extraction of highly sensitive information and disruption of critical business processes. CVE-2020-6287 carries a CVSSv3 base score of 10.0 and is likely to be present in a large number of SAP environments.
The vulnerability occurs due to the lack of authentication in a web component of the SAP NetWeaver AS for Java, allowing for a number of high-privileged activities on the SAP system. Successful exploitation allows a remote, unauthenticated attacker to obtain unrestricted access to SAP systems, create high-privileged users, and execute arbitrary operating system commands with the privileges of the SAP service user account (`<sid>adm`). Since the SAP service user account (`<sid>adm`) has unrestricted access to the SAP database and is able to perform application maintenance activities such as shutting down federated SAP applications, there is an opportunity to impact the confidentiality, integrity, and availability of the database.
CISA published an in-depth advisory the evening of July 13, 2020. The advisory has detailed information about the criticality of the vulnerability, the breadth of known and suspected attack surface, and the possible impact of exploitation. Put simply, all customers of affected SAP products should patch as quickly as possible. Organizations should assess whether their individual risk models warrant further incident response or other compromise investigation.
Affected Systems
This vulnerability is present by default in SAP applications running on top of SAP NetWeaver AS Java 7.3 and any newer versions (up to SAP NetWeaver 7.5). CISA’s advisory indicates that vulnerable SAP products include any SAP Java-based solutions, such as (but not limited to):
- SAP Enterprise Resource Planning,
- SAP Product Lifecycle Management,
- SAP Customer Relationship Management,
- SAP Supply Chain Management,
- SAP Supplier Relationship Management,
- SAP NetWeaver Business Warehouse,
- SAP Business Intelligence,
- SAP NetWeaver Mobile Infrastructure,
- SAP Enterprise Portal,
- SAP Process Orchestration/Process Integration,
- SAP Solution Manager,
- SAP NetWeaver Development Infrastructure,
- SAP Central Process Scheduling,
- SAP NetWeaver Composition Environment, and
- SAP Landscape Manager.
Rapid7 Analysis
Update July 16, 2020: Proof-of-concept exploit code has surfaced on GitHub, and there have been community reports of the public exploits being used to compromise vulnerable SAP systems.
CVE-2020-6287 occurs in an unauthenticated web interface that is commonly (and often necessarily) exposed, and allows creation of user accounts with full privileges. Neither CISA nor SAP indicated they were aware of any active exploitation at the time of patch release on the evening of July 13, but it is extremely likely that pervasive exploitation will begin with little or no delay. We would expect both APT and commodity attackers to leverage this vulnerability immediately.
Guidance
SAP has released patches for CVE-2020-6287. SAP customers should patch on an emergency basis, prioritizing internet-facing systems. If you are unable to immediately patch, the vulnerability can be mitigated by disabling the LM Configuration Wizard service (see SAP Security Note #2939665). Note that patching is highly preferable to mitigation.
CISA strongly recommends closely monitoring SAP NetWeaver AS for anomalous activity. SAP customers should pay close attention to their access logs and monitor for unauthorized user account creation—namely, SAP customers should be on the lookout for unusual processes spawned under the context of users that match the `<sid>adm` naming convention. File metadata may also be a good way to identify when SAP NetWeaver software spawns non-SAP binaries. Rapid7 also recommends ensuring that any web service does not run using a privileged account.
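The two checks the guidance above describes (unauthenticated requests reaching the LM Configuration Wizard web service, and `<sid>adm` users running non-SAP binaries), as an added detection example that is not SAP's, CISA's or Rapid7's code. The wizard endpoint path, the SAP install prefixes and the log layout are assumptions for the example, not values this page states.

```python
import re
from collections import Counter

# Assumptions, labelled: the endpoint path is not stated on this page, and the SAP
# install prefixes and access-log layout are constructed for this example.
WIZARD_PATH = "/CTCWebService/CTCWebServiceBean"   # assumed LM Configuration Wizard endpoint
SAP_PREFIXES = ("/usr/sap/", "/sapmnt/")           # assumed locations of legitimate SAP binaries
SID_ADM = re.compile(r"^[a-z][a-z0-9]{2}adm$")     # <sid>adm naming convention, e.g. prdadm

# Constructed access-log layout: client, authenticated user ("-" if none), request line, status.
LOG_RE = re.compile(
    r'^(?P<client>\S+) (?P<user>\S+) "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})$'
)

def unauthenticated_wizard_calls(log_lines):
    """Count, per client, requests that hit the wizard endpoint with no authenticated user."""
    hits = Counter()
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skip rather than guess at its fields
        if m["user"] == "-" and m["path"].startswith(WIZARD_PATH):
            hits[m["client"]] += 1
    return hits

def suspicious_sid_adm_processes(processes):
    """Return (user, exe) pairs where a <sid>adm user runs a binary outside the SAP tree."""
    return [(user, exe) for user, exe in processes
            if SID_ADM.match(user) and not exe.startswith(SAP_PREFIXES)]

# Constructed sample data (not real logs or process listings).
SAMPLE_LOG = [
    '203.0.113.5 - "POST /CTCWebService/CTCWebServiceBean HTTP/1.1" 200',
    '10.0.0.12 basisadmin "GET /nwa HTTP/1.1" 200',
    '203.0.113.5 - "POST /CTCWebService/CTCWebServiceBean HTTP/1.1" 200',
    '198.51.100.7 j2ee_admin "GET /irj/portal HTTP/1.1" 200',
    'garbage line that does not parse',
]
SAMPLE_PROCS = [
    ("prdadm", "/usr/sap/PRD/J00/exe/jstart"),  # legitimate SAP process
    ("prdadm", "/bin/bash"),                    # shell under <sid>adm: worth a look
    ("root", "/usr/sbin/sshd"),
]

if __name__ == "__main__":
    print(unauthenticated_wizard_calls(SAMPLE_LOG))    # Counter({'203.0.113.5': 2})
    print(suspicious_sid_adm_processes(SAMPLE_PROCS))  # [('prdadm', '/bin/bash')]
```

A single unauthenticated hit on the endpoint is not proof of compromise on its own; correlate it with new administrative accounts in the user store and with the process check.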
Security Note #2934135 contains further details and updates from SAP; we recommend watching CISA’s advisory for continued updates. Rapid7 will monitor evolving information about attack surface and threat status for CVE-2020-6287. We will update this analysis as the situation evolves.
Additional references
Onapsis, the security firm that discovered the vulnerability, published a report on July 14 with an overview of several affected SAP applications and the business implications of the vulnerability.
Further media coverage and analysis of CVE-2020-6287: