Personal Insights

Vulnerability that exposes SAP JAVA stack

Critical Vulnerability (RECON) found in SAP NetWeaver AS Java

RECON – Remotely Exploitable Code On Netweaver

Background 

On July 13, US-CERT issued Alert AA20-195A on SAP NetWeaver AS Java (LM Configuration Wizard), affecting versions 7.30, 7.31, 7.40 and 7.50.

How this vulnerability exposes SAP critical APPS

According to SAP Note 2934135, the LM Configuration Wizard of SAP NetWeaver AS Java does not perform an authentication check, which allows an attacker without prior authentication to execute configuration tasks and perform critical actions against the SAP Java system, including creating an administrative user, thereby compromising the confidentiality, integrity, and availability of the system.

CVSS Score: 10.0; CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Systems Impacted

Potentially vulnerable SAP business solutions include any SAP Java-based solutions such as (but not limited to):

SAP Enterprise Resource Planning,
SAP Product Lifecycle Management,
SAP Customer Relationship Management,
SAP Supply Chain Management,
SAP Supplier Relationship Management,
SAP NetWeaver Business Warehouse,
SAP Business Intelligence,
SAP NetWeaver Mobile Infrastructure,
SAP Enterprise Portal,
SAP Process Orchestration/Process Integration,
SAP Solution Manager,
SAP NetWeaver Development Infrastructure,
SAP Central Process Scheduling,
SAP NetWeaver Composition Environment, and
SAP Landscape Manager.

Acknowledgments 
SAP and Onapsis contributed to this Alert. See the Onapsis report on the “RECON” SAP Vulnerability for more information.

SAP Patch Tuesday, July 2020 – https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=552599675

SAP Security Notes  –  https://launchpad.support.sap.com/#/notes/2947895

https://launchpad.support.sap.com/#/notes/2939665

https://launchpad.support.sap.com/#/notes/2934135

US-CERT – https://us-cert.cisa.gov/ncas/alerts/aa20-195a

If you are responsible for securing your ERP system, I would suggest getting in touch with Onapsis/SAP to deploy the patch and apply compensating controls.

Anand Kotti


      7 Comments
      Vinoth Kaliannan

      Hi Anand,

      Nice blog! Just one question:

      Can we update the LMCTC component alone, or is it dependent on other components that need to be updated as well?

      SAP BASIS

      AFAIK no.
      Read note 2948106, please.

      Anand Nayak Rao Kotti
      Blog Post Author

      Vinoth Kaliannan Please follow the security note for instructions to remediate. Disabling LMCTC is just a workaround, not a permanent solution: https://launchpad.support.sap.com/#/notes/2934135

      Naveen Naik

      For NW 7.4 this patch is available only from SP18, and our system has 7.40 SP8. So does it mean we have to upgrade all the way from SP8 to SP18 to get this vuln patch installed? An SAP patch upgrade takes several days to weeks, and it seems like the workaround provided is the only immediate fix for me. Could you please suggest?

      Anand Nayak Rao Kotti
      Blog Post Author

      Naveen Naik At this point, if you are not on the right SP level, I would recommend applying the workaround. Also, the Onapsis researchers who found this vulnerability put out the free Instant RECON scan (https://onapsis.com/free-sap-instant-recon-vulnerability-scan) to check if your system has been exposed or is under attack.

      -Anand K

      Ali Robb

      Are there any details on the specific versions of SAP Business Intelligence that this impacts?

      Anand Nayak Rao Kotti
      Blog Post Author

      Onapsis Inc. released a free SAP RECON vulnerability scanning tool to quickly detect potentially compromised and exposed SAP applications.

      Here is the link. https://onapsis.com/press-releases/free-service-to-quickly-detect-vulnerable-sap-applications-recon

      Why Onapsis?

      Two reasons:

      #1 They are the ones who found and reported the RECON vulnerability.

      #2 Also, here is a statement from the SAP CSO:

      “For years, Onapsis has responsibly disclosed its advanced vulnerability research and findings to SAP which has allowed us to deliver more secure products to our customers. Thanks to Onapsis, we are fixing a highly critical vulnerability in today’s SAP Security Notes release, which we did in record time,” said Tim McKnight, Executive Vice President, and Chief Security Officer at SAP.

      Anand Kotti