-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2020.2381.2
              Critical Vulnerability in SAP NetWeaver AS Java
                               16 July 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           SAP NetWeaver AS Java
Publisher:         CISA
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
                   Access Confidential Data        -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-6287  

Original Bulletin: 
   https://us-cert.cisa.gov/ncas/alerts/aa20-195a

Revision History:  July 16 2020: Proof of Concept Exploit code for CVE-2020-6287, 
                                 CVE-2020-6286 (SAP RECON vulnerability) is 
                                 publicly available. AusCERT suggests patching 
                                 now if this has not already been done.
                   July 14 2020: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

Alert (AA20-195A)

Critical Vulnerability in SAP NetWeaver AS Java

Original release date: July 13, 2020

Summary

On July 13, 2020 EST, SAP released a security update to address a critical
vulnerability, CVE-2020-6287, affecting the SAP NetWeaver Application Server
(AS) Java component LM Configuration Wizard. An unauthenticated attacker can
exploit this vulnerability through the Hypertext Transfer Protocol (HTTP) to
take control of trusted SAP applications.

Due to the criticality of this vulnerability, the attack surface this
vulnerability represents, and the importance of SAP's business applications,
the Cybersecurity and Infrastructure Security Agency (CISA) strongly recommends
organizations immediately apply patches. CISA recommends organizations
prioritize patching internet-facing systems, and then internal systems.

Organizations that are unable to immediately patch should mitigate the
vulnerability by disabling the LM Configuration Wizard service (see SAP
Security Note #2939665). Should these options be unavailable or if the actions
will take more than 24 hours to complete, CISA strongly recommends closely
monitoring your SAP NetWeaver AS for anomalous activity.

CISA is unaware of any active exploitation of these vulnerabilities at the time
of this report. However, because patches have been publicly released, the
underlying vulnerabilities could be reverse-engineered to create exploits that
target unpatched systems.
 

Technical Details

Affected Systems

This vulnerability is present by default in SAP applications running on top of
SAP NetWeaver AS Java 7.3 and any newer versions (up to SAP NetWeaver 7.5).
Potentially vulnerable SAP business solutions include any SAP Java-based
solutions such as (but not limited to):

  o SAP Enterprise Resource Planning,
  o SAP Product Lifecycle Management,
  o SAP Customer Relationship Management,
  o SAP Supply Chain Management,
  o SAP Supplier Relationship Management,
  o SAP NetWeaver Business Warehouse,
  o SAP Business Intelligence,
  o SAP NetWeaver Mobile Infrastructure,
  o SAP Enterprise Portal,
  o SAP Process Orchestration/Process Integration,
  o SAP Solution Manager,
  o SAP NetWeaver Development Infrastructure,
  o SAP Central Process Scheduling,
  o SAP NetWeaver Composition Environment, and
  o SAP Landscape Manager.

Attack Surface

The vulnerability was identified in a component that is part of the SAP
NetWeaver AS Java. This technology stack is part of the SAP Solution Manager,
which is a support and system management suite.

The SAP NetWeaver AS for Java technology supports the SAP Portal component,
which may therefore be affected by this vulnerability and is typically exposed
to the internet. Passive analysis of internet-facing applications indicates
that a number of such applications are connected to the internet and could be
affected by this vulnerability.


Description

On July 13, 2020 EST, SAP released the patch for a critical vulnerability,
CVE-2020-6287, affecting its NetWeaver AS for Java component. This
vulnerability can lead to compromise of vulnerable SAP installations, including
the modification or extraction of highly sensitive information, as well as the
disruption of critical business processes. A remote, unauthenticated attacker
can exploit this vulnerability through an HTTP interface, which is typically
exposed to end users and, in many cases, exposed to the internet.

The vulnerability is introduced by the lack of authentication in a web
component of the SAP NetWeaver AS for Java, which allows several
high-privileged activities to be performed on the SAP system.


Impact

If successfully exploited, a remote, unauthenticated attacker can obtain
unrestricted access to SAP systems through the creation of high-privileged
users and the execution of arbitrary operating system commands with the
privileges of the SAP service user account (<sid>adm), which has unrestricted
access to the SAP database and is able to perform application maintenance
activities, such as shutting down federated SAP applications. The
confidentiality, integrity, and availability of the data and processes hosted
by the SAP application are at risk by this vulnerability.
 

Mitigations

CISA strongly recommends organizations review SAP Security Note #2934135 for
more information and apply critical patches as soon as possible. CISA
recommends prioritizing patching over application of individual mitigations.
When patching, external facing systems should be urgently addressed, followed
by internal systems.

Patched versions of the affected components are available at the SAP One
Support Launchpad.
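The patching and mitigation decision described above (patch internet-facing systems first, disable the LM Configuration Wizard where patching is not immediate, and monitor closely where the remaining steps take longer than 24 hours) as an added triage script; it is not part of the CISA alert or of any SAP tooling, and the inventory fields and the sample landscape are assumptions constructed for the example.

```python
"""Patch triage for CVE-2020-6287 following the AA20-195A guidance (added example)."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class SapSystem:
    # Assumed inventory fields; not an SAP or CISA data format.
    sid: str
    nw_java_release: str        # SAP NetWeaver AS Java release, e.g. "7.50"
    internet_facing: bool
    note_2934135_applied: bool  # fix from SAP Security Note #2934135 installed
    lm_wizard_enabled: bool     # LM Configuration Wizard service still active
    hours_to_patch: int         # estimated hours until the patch can be applied


def is_affected(release: str) -> bool:
    """AS Java 7.3 up to and including 7.5 is affected by default, per the alert."""
    major, minor = release.split(".")[:2]
    minor_n = int(minor.ljust(2, "0"))  # "7.3" and "7.30" both denote 7.30
    return int(major) == 7 and 30 <= minor_n <= 50


def recommended_action(s: SapSystem) -> str:
    """Apply the alert's decision rule to one unpatched, affected system."""
    if s.hours_to_patch <= 24:
        return "patch: apply SAP Security Note #2934135"
    steps = []
    if s.lm_wizard_enabled:  # interim mitigation while the patch is pending
        steps.append("disable LM Configuration Wizard (SAP Security Note #2939665)")
    steps.append("monitor AS Java for anomalous activity until patched")
    return "; ".join(steps)


def triage(systems: List[SapSystem]) -> List[Tuple[str, str]]:
    """Return (sid, action) for every system still needing work, most urgent first."""
    todo = [s for s in systems
            if is_affected(s.nw_java_release) and not s.note_2934135_applied]
    # Internet-facing first, then internal; within each group the longest exposure window first.
    todo.sort(key=lambda s: (not s.internet_facing, -s.hours_to_patch))
    return [(s.sid, recommended_action(s)) for s in todo]


LANDSCAPE = [  # constructed sample inventory, not real systems
    SapSystem("EP1", "7.50", True, False, True, 48),
    SapSystem("SM1", "7.40", False, False, True, 8),
    SapSystem("PI1", "7.31", True, True, True, 0),    # already patched
    SapSystem("BW1", "7.02", False, False, True, 72),  # release outside the affected range
    SapSystem("CE1", "7.3", False, False, False, 96),  # wizard already disabled
]

if __name__ == "__main__":
    for sid, action in triage(LANDSCAPE):
        print(f"{sid}: {action}")
```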

Additional Recommendations

CISA encourages users and administrators of SAP products to:

  o Scan SAP systems for all known vulnerabilities, such as missing security
    patches, dangerous system configurations, and vulnerabilities in SAP custom
    code.
  o Apply missing security patches immediately and institutionalize security
    patching as part of a periodic process.
  o Ensure secure configuration of your SAP landscape.
  o Identify and analyze the security settings of SAP interfaces between
    systems and applications to understand risks posed by these trust
    relationships.
  o Analyze systems for malicious or excessive user authorizations.
  o Monitor systems for indicators of compromise resulting from the
    exploitation of vulnerabilities.
  o Monitor systems for suspicious user behavior, including both privileged and
    non-privileged users.
  o Apply threat intelligence on new vulnerabilities to improve the security
    posture against advanced targeted attacks.
  o Define comprehensive security baselines for systems and continuously
    monitor for compliance violations and remediate detected deviations.

These recommendations apply to SAP systems in public, private, and hybrid cloud
environments.

See the Onapsis report on the "RECON" SAP Vulnerability for more information.

ACKNOWLEDGEMENTS

SAP and Onapsis contributed to this Alert.

References

[1] Onapsis Threat Report
[2] CVE-2020-6287
[3] SAP Security Note
[4] SAP Trust Center
[5] SAP Monthly Security Patch Day Blog

Revisions

July 13, 2020: Initial Version

This product is provided subject to this Notification and this Privacy & Use
policy.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----