On July 13, 2020 EST, SAP released a security update to address a critical vulnerability, CVE-2020-6287, affecting the SAP NetWeaver Application Server (AS) Java component LM Configuration Wizard. An unauthenticated attacker can exploit this vulnerability through the Hypertext Transfer Protocol (HTTP) to take control of trusted SAP applications.
Due to the criticality of this vulnerability, the attack surface this vulnerability represents, and the importance of SAP's business applications, the Cybersecurity and Infrastructure Security Agency (CISA) strongly recommends organizations immediately apply patches. CISA recommends organizations prioritize patching internet-facing systems, and then internal systems.
Organizations that are unable to immediately patch should mitigate the vulnerability by disabling the LM Configuration Wizard service (see SAP Security Note #2939665). Should these options be unavailable or if the actions will take more than 24 hours to complete, CISA strongly recommends closely monitoring your SAP NetWeaver AS for anomalous activity.
CISA is unaware of any active exploitation of these vulnerabilities at the time of this report. However, because patches have been publicly released, the underlying vulnerabilities could be reverse-engineered to create exploits that target unpatched systems.
US-CERT Alert (full text):
What this means:
A critical security hole was recently discovered in an SAP application server that has a widespread installed base. The installed base consists of Fortune 500 as well as midcap enterprises such as those in the S&P 400. The revenue loss alone could be extensive. Further, many of these enterprises house PII and/or PHI. The privacy breach implications can be widely damaging.
How it matters:
Many enterprises depend on SAP NetWeaver Application Servers. These application servers execute ABAP applications and communicate with the presentation components, the database, and also with each other, using the message server. If the vulnerability is not patched, HTTP exploits can compromise Confidentiality, Integrity and Availability (CIA), possibly leading to downtime and indeterminate lost revenues.
What should you do about it?
Enterprises should patch their dev, test and prod boxes. They should apply that patching sequence first to their outward-facing app servers, then repeat it for their back-end servers. If they cannot patch in an expedient manner, it is recommended that they disable the LM Configuration Wizard.
SAP and Onapsis contributed to this Alert.
 Onapsis Threat Report
 SAP Security Note
 SAP Trust Center
 SAP Monthly Security Patch Day Blog
July 13, 2020: Initial Version
After observing significant malicious activity targeting RECON in the wild, and considering the number of vulnerable internet-facing SAP applications and the sensitivity of the data and processes typically supported by these systems, Onapsis decided to develop and release this open-source tool as quickly as possible. The goal is to help the information security and administration teams at all SAP customers protect their mission-critical applications by enabling them to assess their exposure and evaluate whether their SAP systems could have been compromised. We plan to further iterate this tool as new threat intelligence and forensic data is captured by our products, research team and the broader community.
This tool can:
Perform a best-effort, black-box scan of your SAP application(s) to quickly assess if they may be vulnerable to RECON.
Perform a basic analysis for Indicators of Compromise (IoCs) leveraging the RECON vulnerability by analyzing SAP application logs.
This tool cannot:
Guarantee with 100% accuracy whether your SAP applications are vulnerable or not.
Find all evidence of compromise of an SAP application, all IoCs related to RECON or post-exploitation activities.
There are, however, several known limitations of this tool and its usage should not be considered a guarantee that SAP applications are either not exposed to RECON (and other vulnerabilities) or that the applications have not been compromised. Several conditions can affect the state of the assessed applications and/or log files, resulting in false positives and/or false negatives.