Dubbed RECON, aka Remotely Exploitable Code On NetWeaver, by its discoverers, security shop Onapsis, the bug in SAP’s NetWeaver AS JAVA (LM Configuration Wizard) allows a remote unathenticated hacker to take over a vulnerable NetWeaver-based system by creating admin accounts without any authorization.
The bug, CVE-2020-6287, is a lack of proper authentication in NetWeaver. This lets unauthorized users create new admin accounts via HTTP, granting miscreants full access: it’s rated 10 out of 10 in terms of severity. The vulnerable Java component is used throughout much of SAP’s product line, so it would be a good idea to check for updates on any SAP code running on your network.
To exploit the flaw, a hacker just needs to be able to reach the software over the network, or the internet if it is public facing.
[…]
Onapsis said it reported the flaw to SAP on May 27. The bug was confirmed later that day and, on June 8, was issued a CVSS score of 10. The flaw was kept under wraps until July 14, when SAP could put out a patch (support note 2934135) as part of its scheduled monthly security update cycle.
Robin Edgar
Organisational Structures | Technology and Science | Military, IT and Lifestyle consultancy | Social, Broadcast & Cross Media | Flying aircraft