Earlier this week, it became known that SAP engineers fixed the dangerous error CVE-2020-6287, which affects most of the company’s customers and applications. The vulnerability is called RECON and for it has already appeared PoC exploit.
The other day I talked a little about this vulnerability in the “Update Tuesday” review, which turned out to be quite huge this month.
Back in May this year, experts from the security company Onapsis, specializing in cloud security, discovered the bug. They gave the vulnerability name RECON (an abbreviation for Remotely Exploitable Code On NetWeaver) and it received 10 points out of 10 on the CVSSv3 vulnerability rating scale.
Let me remind you that such an assessment means that the error is extremely easy to use, and its operation requires almost no technical knowledge. The vulnerability can also be used for automated remote attacks and does not require the attacker to already have an account in the SAP application or to know other people’s credentials.
“The bug is in the default component, which is part of all SAP applications running on the Java stack of SAP NetWeaver versions 7.30-7.5. It’s about the LM Configuration Wizard component that is part of the SAP NetWeaver Application Server (AS)”, — said Onapsis experts.
In their report, researchers warned that the problem allows attackers to bypass all access control and authorization tools to create new accounts for SAP applications accessible from the Internet with maximum privileges. In essence, this will give hackers full control over the SAP resources of compromised companies.
Thus, a scan conducted by researchers showed that about 2500 SAP systems that are currently vulnerable to RECON (33% in North America, 29% in Europe and 27% in the Asia-Pacific region) can be found on the network.
“The number of companies threatened by this problem is approximately 40,000, although not all of them expose ”vulnerable applications on the Internet”, – suggested Onapsis experts.
Also this week, SAP engineers fixed another vulnerability, tracked as CVE-2020-6286. This bug allows an unauthorized attacker to upload ZIP files to a specific directory, which ultimately leads to a directory bypass.
Bad Packets warned yesterday that PoC exploits for both of these vulnerabilities have already appeared on GitHub.
“Moreover, have already been noticed the first scans aimed at searching for vulnerable systems,” – warn Bad Packets researchers.
The Bleeping Computer publication notes that the published exploit, fortunately, does not help remote code execution (the researcher did not take the risk of publishing the RCE tool in the public domain), but allows downloading arbitrary ZIP archives from vulnerable systems.
Specialists once again remind all administrators about the need for urgent installation of patches.