Critical SAP Recon flaw exposes thousands of systems to attacks

SAP patched a critical vulnerability affecting over 40,000 customers and found in the SAP NetWeaver AS JAVA (LM Configuration Wizard) versions 7.30 to 7.50, a core component of several solutions and products deployed in most SAP environments.

The RECON (short for Remotely Exploitable Code On NetWeaver) vulnerability is rated with a maximum CVSS score of 10 out of 10 and can be exploited remotely by unauthenticated attackers to fully compromise unpatched SAP systems, according to Onapsis, the company that found and responsibly disclosed RECON to the SAP Security Response Team.

RECON is caused by a lack of authentication in an SAP NetWeaver AS for Java web component, which allows several high-privileged activities to be performed on the affected SAP system without credentials.

"If exploited, an unauthenticated attacker (no username or password required) can create a new SAP user with maximum privileges, bypassing all access and authorization controls (such as segregation of duties, identity management, and GRC solutions) and gaining full control of SAP systems," Onapsis explained.

"The RECON vulnerability is particularly dangerous because many of the affected solutions are often exposed to the internet to connect companies with business partners, employees, and customers, which drastically increases the likelihood of remote attacks."

In addition to Onapsis' report, the United States Cybersecurity and Infrastructure Security Agency (CISA) has also issued an advisory today, in which the vulnerability is tracked as CVE-2020-6287.

Affected systems

Onapsis estimates that more than 40,000 SAP customers could potentially be affected by this security flaw at the moment.

The company also found "at least 2,500 vulnerable SAP systems directly exposed to the internet, with 33% in North America, 29% in Europe and 27% in Asia-Pacific."

Some examples of widely used SAP applications vulnerable to RECON attacks if not patched are the SAP Solution Manager (SolMan), an application lifecycle manager deployed in almost all SAP environments, and the SAP Enterprise Portal, which is exposed to attacks since it is often deployed on systems connected to the Internet.

Two other SAP tools affected by RECON are the SAP Process Integration module and SAP Landscape Management (LaMa), an orchestration and automation tool; the latter allows attackers to gain full control of an organization's SAP assets if successfully exploited.

SAP business solutions using the latest versions of SAP NetWeaver and affected by the RECON flaw include the following (more impacted products are listed in SAP's Security Notes release):

• SAP S/4HANA Java
• SAP Enterprise Resource Planning (ERP)
• SAP Supply Chain Management (SCM)
• SAP CRM (Java Stack)
• SAP Enterprise Portal
• SAP HR Portal
• SAP Solution Manager (SolMan) 7.2
• SAP Landscape Management (SAP LaMa)
• SAP Process Integration/Orchestration (SAP PI/PO)
• SAP Supplier Relationship Management (SRM)
• SAP NetWeaver Mobile Infrastructure (MI)
• SAP NetWeaver Development Infrastructure (NWDI)
• SAP NetWeaver Composition Environment (CE)

Successful attack impact

If attackers successfully exploit a system connected to an untrusted network, they can read, modify, and delete any record, file, or report on the compromised system.

This allows them to perform a wide range of malicious tasks, including but not limited to reading, modifying or deleting financial records; deleting or modifying traces, logs, and other files; and disrupting the operation of the system by corrupting data or shutting it down completely.

A successful attack would also enable them to change a compromised company's banking details (account number, IBAN, etc.), read personally identifiable information (PII), perform unrestricted actions through operating system command execution, and take control of the administration of purchasing processes.

Onapsis and SAP urge customers to patch their products as soon as possible to block potential attacks designed to exploit unpatched systems.

"Based on how widespread this vulnerability is across SAP products, most SAP customers will likely be impacted," Onapsis says in their RECON threat report.

"It is fundamental for SAP customers to apply the patch and follow the provided recommendations to stay protected."
