Summary:
On July 13, 2020 EST, SAP released a security update to address a critical vulnerability, CVE-2020-6287, affecting the SAP NetWeaver Application Server (AS) Java component LM Configuration Wizard. An unauthenticated attacker can exploit this vulnerability through the Hypertext Transfer Protocol (HTTP) to take control of trusted SAP applications.
Due to the criticality of this vulnerability, the attack surface this vulnerability represents, and the importance of SAP's business applications, the Cybersecurity and Infrastructure Security Agency (CISA) strongly recommends organizations immediately apply patches. CISA recommends organizations prioritize patching internet-facing systems, and then internal systems.
Organizations that are unable to immediately patch should mitigate the vulnerability by disabling the LM Configuration Wizard service (see SAP Security Note #2939665). Should these options be unavailable or if the actions will take more than 24 hours to complete, CISA strongly recommends closely monitoring your SAP NetWeaver AS for anomalous activity.
CISA is unaware of any active exploitation of these vulnerabilities at the time of this report. However, because patches have been publicly released, the underlying vulnerabilities could be reverse-engineered to create exploits that target unpatched systems.
US-CERT Alert (full text):
https://us-cert.cisa.gov/ncas/alerts/aa20-195a
What this means:
A critical security hole was recently discovered in an SAP application server that has a widespread installed base. The installed base consists of Fortune 500 companies as well as midcap enterprises such as those in the S&P 400. The revenue loss alone could be extensive. Further, many of these enterprises house PII and/or PHI, so the privacy breach implications can be widely damaging.
How it matters:
Many enterprises depend on SAP NetWeaver Application Servers. These application servers execute ABAP applications and communicate with the presentation components, the database, and each other using the message server. If the vulnerability is not patched, HTTP exploits can compromise confidentiality, integrity and availability (CIA), possibly leading to downtime and indeterminate lost revenue.
What should you do about it?
Enterprises should patch their dev, test and prod boxes. They should apply that patching sequence first to their outward-facing application servers, then repeat it for their back-end servers. If patching cannot be done expediently, they should disable the LM Configuration Wizard.
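As an added example, not part of this post or the CISA alert: a small Python triage over a constructed SAP NetWeaver inventory that orders unpatched hosts as recommended above (outward-facing first, then back-end; dev, test, prod within each tier) and maps each host onto patch, disable the LM Configuration Wizard, or monitor, using the alert's 24-hour threshold. Host names and inventory fields are assumptions.

```python
from dataclasses import dataclass

ENV_RANK = {"dev": 0, "test": 1, "prod": 2}  # patch order within a tier


@dataclass
class SapHost:
    name: str
    env: str               # "dev", "test" or "prod"
    internet_facing: bool  # outward-facing app servers go first
    patched: bool          # SAP Security Note 2939665 already applied
    wizard_enabled: bool   # LM Configuration Wizard service still active
    hours_to_patch: int    # estimated time until the patch can be applied


def patch_order(hosts):
    """Unpatched hosts, internet-facing first, then internal;
    dev -> test -> prod inside each tier, as the post recommends."""
    pending = [h for h in hosts if not h.patched]
    return sorted(pending, key=lambda h: (not h.internet_facing, ENV_RANK[h.env]))


def recommended_action(host):
    """Map one host onto the alert's patch / mitigate / monitor ladder."""
    if host.patched:
        return "none: patched"
    if host.hours_to_patch <= 24:
        return "patch now"
    if host.wizard_enabled:
        return "disable LM Configuration Wizard, then patch"
    return "monitor for anomalous activity until patched"


def triage(hosts):
    """Ordered (host, action) plan for every host still needing work."""
    return [(h.name, recommended_action(h)) for h in patch_order(hosts)]


# Constructed sample inventory (hypothetical hosts, not from the alert).
INVENTORY = [
    SapHost("sap-prod-internal", "prod", False, False, True, 72),
    SapHost("sap-dev-portal", "dev", True, False, True, 4),
    SapHost("sap-prod-portal", "prod", True, False, False, 48),
    SapHost("sap-test-internal", "test", False, True, False, 0),
]

if __name__ == "__main__":
    for name, action in triage(INVENTORY):
        print(f"{name}: {action}")
```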
ACKNOWLEDGEMENTS
SAP and Onapsis contributed to this Alert.
Revisions
July 13, 2020: Initial Version
------------------------------
Shamun Mahmud
Standards Officer, Sr. Research Analyst
Cloud Security Alliance
WA
------------------------------