SAP patches critical flaw that lets hackers seize control of servers


Keumars Afifi-Sabet

14 Jul, 2020

Software company SAP has patched a critical vulnerability that can be exploited by an unauthenticated hacker to take control of systems and applications.

The flaw, assigned CVE-2020-6287, affects the LM Configuration Wizard element of the NetWeaver Application Server (AS) Java platform, and affects potentially 40,000 customers, according to Onapsis, which discovered the vulnerability.

Alarmingly, the flaw has been rated 10 out of 10 on the CVSS scale and has spurred the United States Computer Emergency Readiness Team (US-CERT) into issuing an alert encouraging organisations to patch their systems immediately.

"Due to the criticality of this vulnerability, the attack surface this vulnerability represents, and the importance of SAP's business applications, the Cybersecurity and Infrastructure Security Agency (CISA) strongly recommends organizations immediately apply patches," the alert said.

"CISA recommends organizations prioritize patching internet-facing systems, and then internal systems."

Organisations unable to patch their systems should mitigate the vulnerability by disabling the LM Configuration Wizard service. Where this is not possible, or would take more than 24 hours, CISA recommends closely monitoring SAP NetWeaver AS for any suspicious or anomalous activity.

The flaw stems from a lack of authentication in a web component of SAP NetWeaver AS for Java, which exposes several high-privileged operations on the SAP system.

Successful exploitation gives a remote attacker unrestricted access to the SAP system: they can create high-privileged users and execute arbitrary OS commands with high privileges, retain unrestricted access to the SAP database, and perform application maintenance activities.

In essence, the flaw entirely undermines the confidentiality, integrity and availability of data and processes hosted by the SAP application.

The vulnerability is present by default in SAP applications running on SAP NetWeaver AS Java 7.3 and any newer version up to SAP NetWeaver 7.5, and so affects a number of applications, including SAP Enterprise Resource Planning (ERP), SAP Product Lifecycle Management, SAP Customer Relationship Management (CRM) and around a dozen more.
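The CISA guidance above (patch internet-facing systems first, then internal ones; where patching is not possible, disable the LM Configuration Wizard and monitor) and the affected version range just described combine into a simple patch-triage pass over an asset inventory. The script below is an added illustration, not code from SAP, Onapsis or the article; the inventory is constructed, and reading "7.3" and "7.5" as the release strings 7.30 and 7.50 is an assumption.

```python
"""Patch-triage helper built from the article's CISA guidance (added example).

Constructed example: the inventory is made up, and the version boundaries are
an assumption (the article gives NetWeaver AS Java 7.3 up to 7.5; SAP release
strings normally look like 7.30, 7.31, 7.40, 7.50).
"""
from __future__ import annotations

from dataclasses import dataclass

AFFECTED_MIN = (7, 30)  # assumption: "7.3" read as release 7.30
AFFECTED_MAX = (7, 50)  # assumption: "7.5" read as release 7.50


@dataclass
class SapSystem:
    sid: str                 # system id, e.g. "PRD"
    version: str             # NetWeaver AS Java release, e.g. "7.40"
    internet_facing: bool
    patched: bool            # July 2020 SAP security patch applied
    lm_wizard_disabled: bool  # CISA's interim mitigation applied


def parse_version(version: str) -> tuple[int, int]:
    """Turn "7.4" or "7.40" into a comparable (major, minor) pair.

    A one-digit minor is read as its two-digit release ("7.4" -> (7, 40)).
    """
    major, minor = version.split(".", 1)
    if len(minor) == 1:
        minor += "0"
    return int(major), int(minor)


def is_affected(system: SapSystem) -> bool:
    """True when the release falls inside the range the article names."""
    return AFFECTED_MIN <= parse_version(system.version) <= AFFECTED_MAX


def required_action(system: SapSystem) -> str:
    """Map one system to the action the CISA guidance calls for."""
    if not is_affected(system):
        return "not affected"
    if system.patched:
        return "patched"
    if system.lm_wizard_disabled:
        return "mitigated: LM Configuration Wizard disabled, patch when possible"
    return ("URGENT: patch or disable the LM Configuration Wizard; "
            "monitor for anomalous activity until done")


def triage(inventory: list[SapSystem]) -> list[tuple[str, str]]:
    """Return (sid, action) pairs ordered by urgency.

    Unmitigated affected systems come first, internet-facing before internal
    (CISA's prioritisation), then systems running only the interim mitigation,
    then everything already patched or unaffected.
    """
    def rank(s: SapSystem) -> tuple[int, int]:
        affected_unpatched = is_affected(s) and not s.patched
        if affected_unpatched and not s.lm_wizard_disabled:
            urgency = 0          # exposed: neither patch nor mitigation
        elif affected_unpatched:
            urgency = 1          # mitigated only
        else:
            urgency = 2          # patched or out of the affected range
        return (urgency, 0 if s.internet_facing else 1)

    return [(s.sid, required_action(s)) for s in sorted(inventory, key=rank)]


# Constructed inventory for demonstration; not real systems.
INVENTORY = [
    SapSystem("PRD", "7.50", internet_facing=True, patched=False, lm_wizard_disabled=False),
    SapSystem("ERP", "7.40", internet_facing=False, patched=False, lm_wizard_disabled=False),
    SapSystem("CRM", "7.31", internet_facing=True, patched=False, lm_wizard_disabled=True),
    SapSystem("DEV", "7.50", internet_facing=False, patched=True, lm_wizard_disabled=False),
    SapSystem("OLD", "7.02", internet_facing=True, patched=False, lm_wizard_disabled=False),
]

if __name__ == "__main__":
    for sid, action in triage(INVENTORY):
        print(f"{sid}: {action}")
```

Run as-is it lists PRD (internet-facing, unmitigated) first, then ERP, then the mitigated CRM system, and only then the systems that need nothing; swap in a real export of your own landscape to get the same ordering for it.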

Flaws rated 10/10 on the CVSS scale are rarely encountered, and ordinarily mean the vulnerability is highly exploitable, easy to trigger, and requires little or no additional privileges or user interaction. Nevertheless, the SAP flaw is the second 10-rated vulnerability disclosed within a couple of weeks, after Palo Alto patched a flaw in the SAML-based authentication mechanism of its networking services.

Both the SAP and Palo Alto flaws were highlighted by official US law enforcement agencies, the former flagged by US-CERT and the latter by US Cyber Command.