SAP patches critical flaw that lets hackers seize control of servers

The rare 10/10 vulnerability on the CVSS scale affects a host of apps including ERP and CRM platforms

SAP logo

Software company SAP has patched a critical vulnerability that can be exploited by an unauthenticated hacker to take control of systems and applications.

The flaw, assigned CVE-2020-6287, affects the LM Configuration Wizard element of the NetWeaver Application Server (AS) Java platform, and affects potentially 40,000 customers, according to Onapsis, which discovered the vulnerability.

Alarmingly, the flaw has been rated 10 out of 10 on the CVSS scale and has spurred the United States Computer Emergency Readiness Team (US-CERT) into issuing an alert encouraging organisations to patch their systems immediately.

“Due to the criticality of this vulnerability, the attack surface this vulnerability represents, and the importance of SAP’s business applications, the Cybersecurity and Infrastructure Security Agency (CISA) strongly recommends organizations immediately apply patches,” the alert said.

“CISA recommends organizations prioritize patching internet-facing systems, and then internal systems.”

Those unable to patch their systems should mitigate the vulnerability by disabling the LM Configuration Wizard service. Should this step be impossible, or take more than 24 hours to complete, CISA has recommended closely monitoring SAP NetWeaver AS for any suspicious or anomalous activity. 

The flaw is a result of the lack of authentication in a web component of the SAP NetWeaver AS for Java which allows for several high-privileged activities on the SAP system. 

Successful exploitation involves a remote hacker obtaining unrestricted access to SAP systems by creating high-privileged users and executing arbitrary OS commands with high privileges. Hackers would retain unrestricted access to the SAP database and can perform application maintenance activities. 

The flaw, in essence, entirely undermines confidentiality, integrity and availability of data and processes hosted by the SAP application. 

The vulnerability is present by default in SAP applications running over SAP NetWeaver AS Java 7.3, and any newer versions up to SAP NetWeaver 7.5, affecting a handful of applications. These include SAP Enterprise Resource Planning (ERP), SAP Product Lifecycle Management, SAP Customer Relationship Management (CRM), and around a dozen more.

Flaws rated 10/10 on the CVSS scale are barely encountered, and ordinarily mean the vulnerability is highly exploitable, easy to trigger, and require little or no additional privileges and user interaction. Nevertheless, the SAP flaw is the second 10-rated vulnerability discovered within a couple of weeks, after Palo Alto patched a flaw in its networking services based around its SAML-based authentication mechanism.

Both the SAP and Palo Alto flaws were highlighted by official US law enforcement agencies, the former flagged by US-CERT and the latter by US Cyber Command.

Featured Resources

Key considerations for implementing secure telework at scale

Identifying the security risks and advanced requirements of a remote workforce

Download now

The State of Salesforce 2020

Your guide to getting the most from Salesforce

Download now

Fast, flexible and compliant e-signatures for global businesses

Be at the forefront of digital transformation with electronic signatures

Download now

Rethink your cybersecurity strategy for the new world

5 steps to secure the enterprise and be fit for a flexible future

Download now

Most Popular

How to find RAM speed, size and type

How to find RAM speed, size and type

3 Aug 2020
How to use Chromecast without Wi-Fi

How to use Chromecast without Wi-Fi

4 Aug 2020
How do I fix the Windows 10 Start Menu if it's frozen?
operating systems

How do I fix the Windows 10 Start Menu if it's frozen?

3 Aug 2020