Threat Response: Vulnerabilities in SAP Netweaver

14-07-2020


Today, Tuesday, July 14, SAP has released security patches for SAP NetWeaver AS, among which one that has received a CVSS score of 10 [1]. This vulnerability is registered under CVE-2020-6287. We think that the threat posed by the vulnerability is serious, and therefore want to inform you about the risks and the possible mitigation steps. There are currently no signs of active exploitation, but this is expected soon [2]. Users of SAP NetWeaver are advised to install the patches as soon as possible. Additional information on mitigations is available below.

Description

The vulnerabilities reside in SAP NetWeaver AS Java version 7.3 and above, specifically in the LM Configuration Wizard component. SAP NetWeaver is an application server used in the default configuration of many SAP applications, which means that many applications are potentially vulnerable. Some examples (this list is not complete):

  • SAP Enterprise Resource Planning
  • SAP Product Lifecycle Management
  • SAP Customer Relationship Management
  • SAP Supply Chain Management

Impact

SAP Portal, a regular component that typically faces the public internet, is also affected. This increases the risk of external exploitation. When an attacker successfully exploits the vulnerability, they can gain full unlimited access to SAP systems [3].

Risk

Currently there are no signs of active exploitation. Northwave estimates the impact of the vulnerability to be high. Because we do expect exploit code to be publicly available soon, Northwave assesses the probability of this attack as high.

Mitigation

SAP has issued patches as part of their Security Patch Day [1] today. We highly recommend installing them as soon as possible on affected systems. If updating the systems is not possible, we recommend disabling the LM Configuration Wizard.

Northwave will monitor any developments regarding this vulnerability. If new critical information about this threat arises, we will reach out to you. If you need additional information you can call us by phone or send us an email.

Phone number: +31 (0)30-303 1244 (during business hours)
E-mail: [email protected]

Do you have an incident right now? Call our CERT number: +31 (0)85 043 7909 or 0800-1744 (only from within the Netherlands)

Disclaimer applies, see below.

Sources

[1] https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=552599675

[2] https://advisories.ncsc.nl/advisory?id=NCSC-2020-0554

[3] https://us-cert.cisa.gov/ncas/alerts/aa20-195a


Disclaimer
Northwave has made every effort to make this information accurate and reliable. However, the information provided is without warranty of any kind and its use is at the sole risk of the user. Northwave does not accept any responsibility or liability for the accuracy, content, completeness, legality or reliability of the information provided. We shall not be liable for any loss or damage of whatever nature, direct or indirect, consequential or other, whether arising in contract, tort or otherwise, which may arise as a result of your use of, or inability to use, this information or any additional information provided by us in direct or indirect relation to the information provided here.