RECON vulnerability allows hackers full access to SAP servers

Software giant SAP has released a patch for a Critical vulnerability dubbed “RECON” that could allow an unauthenticated hacker full access to SAP servers.

Security researchers from Onapsis Research Labs and the SAP Security Response Team jointly discovered the RECON vulnerability that affects nearly 40,000 SAP customers and 2,500 internet-facing SAP servers.

The specific vulnerability CVE-2020-6287 affects SAP NetWeaver AS for Java component , which misses an authentication check. As a result, hackers could create administrative users and change configurations on affected SAP systems.

“A successful exploit of RECON could give an unauthenticated attacker full access to the affected SAP system. This includes the ability to modify financial records, steal personally identifiable information (PII) from employees, customers and suppliers, corrupt data, delete or modify logs and traces and other actions that put essential business operations, cybersecurity and regulatory compliance at risk,” Onapsis stated in an excerpt from the threat report.

SAP released the patch on July 13 for affected SAP installations. However, customers could implement a workaround by disabling the LM Configuration Wizard service until the patch is deployed.

In addition, the Department of Homeland Security (DHS) also issued an alert confirming the vulnerability in SAP NetWeaver Application Server (AS) Java component LM Configuration Wizard.

The DHS confirmed that an unauthenticated hacker could exploit the Hypertext Transfer Protocol (HTTP) interface to take control of trusted SAP applications. Since these interfaces are often exposed to the internet, these systems should be a very high priority to patch.

The RECON vulnerability impacts SAP applications running on top of SAP NetWeaver AS Java 7.3 and any newer versions (up to SAP NetWeaver 7.5).

Related Articles