A security researcher has published proof-of-concept code for a dangerous vulnerability affecting SAP applications, only two days after SAP released a security update for it.
The flaw (CVE-2020-6287), also known as RECON (Remotely Exploitable Code On NetWeaver), has received the maximum severity score of 10 out of 10 on the CVSS scale. The bug affects the LM Configuration Wizard component of SAP NetWeaver Application Server (AS) Java and is present by default in SAP applications running on top of SAP NetWeaver AS Java 7.3 and newer versions (up to SAP NetWeaver 7.5).
Using this vulnerability, a remote, unauthenticated attacker could create a new SAP user with the highest privileges, and thus fully compromise vulnerable SAP installations, which would allow the attacker to steal or modify highly sensitive information, or disrupt critical business processes. It is estimated that the RECON flaws affect more than 40,000 SAP customers.
SAP has also addressed another vulnerability (CVE-2020-6286), which allows an unauthenticated attacker to exploit a method to download zip files to a specific directory, leading to path traversal.
The PoC exploit released on GitHub makes use of both of the above-mentioned flaws, although it does not achieve remote code execution.
“This script allows to check SAP LM Configuration Wizard missing authorization check vulnerability and as a PoC script exploits directory traversal in queryProtocol method. Directory traversal allows to download any zip from SAP server,” according to a description posted on GitHub.
Given that a PoC exploit for CVE-2020-6287 and CVE-2020-6286 is already freely available, it is only a matter of time before malicious actors start exploiting these vulnerabilities to compromise corporate networks. In fact, threat intelligence company Bad Packets has already detected active reconnaissance scans for these flaws. For this reason, users are strongly advised to patch their systems as soon as possible.
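The reconnaissance scans mentioned above leave traces in the HTTP access logs of the Java stack. The following Python script is an added example (it is not part of the original article or of the GitHub PoC) that parses common-log-format access lines and groups unauthenticated requests to the LM Configuration Wizard web service by source address, so a defender can see who is probing and whether the endpoint actually answered. Two things are assumptions: the URL prefix /CTCWebService/, which is the path the wizard's web service is commonly reached under but should be confirmed against your own system, and the log lines, which are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines in common log format (not real traffic).
# 203.0.113.5 probes the wizard service repeatedly and gets answers;
# 192.0.2.9 probes once and is told the path does not exist.
SAMPLE_LOG = """\
203.0.113.5 - - [15/Jul/2020:10:01:02 +0000] "GET /CTCWebService/CTCWebServiceBean HTTP/1.1" 200 512 "-" "python-requests/2.23.0"
203.0.113.5 - - [15/Jul/2020:10:01:03 +0000] "POST /CTCWebService/CTCWebServiceBean HTTP/1.1" 200 2048 "-" "python-requests/2.23.0"
198.51.100.7 - - [15/Jul/2020:10:02:10 +0000] "GET /irj/portal HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
203.0.113.5 - - [15/Jul/2020:10:01:05 +0000] "GET /CTCWebService/CTCWebServiceBean?wsdl HTTP/1.1" 200 1024 "-" "python-requests/2.23.0"
192.0.2.9 - - [15/Jul/2020:10:03:00 +0000] "GET /CTCWebService/CTCWebServiceBean HTTP/1.1" 404 300 "-" "curl/7.68.0"
"""

# Assumed URL prefix under which the LM Configuration Wizard web service is exposed.
# Verify this against your own landscape before relying on it.
SUSPECT_PREFIXES = ("/CTCWebService/",)

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+) '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Return the fields of one common-log-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_recon_hit(rec):
    """An unauthenticated request (no logged user) to the wizard service prefix."""
    return rec is not None and rec["user"] == "-" and rec["path"].startswith(SUSPECT_PREFIXES)


def find_recon_sources(log_text):
    """Group suspicious requests by source IP.

    Returns {ip: {"hits": n, "served": bool, "paths": [...]}} where "served" is
    True if at least one probe received a 2xx, i.e. the service answered it.
    """
    sources = defaultdict(lambda: {"hits": 0, "served": False, "paths": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not is_recon_hit(rec):
            continue
        entry = sources[rec["ip"]]
        entry["hits"] += 1
        entry["paths"].append(rec["path"])
        if 200 <= int(rec["status"]) < 300:
            entry["served"] = True
    return dict(sources)


if __name__ == "__main__":
    for ip, info in find_recon_sources(SAMPLE_LOG).items():
        print(f'{ip}: {info["hits"]} probe(s), service answered: {info["served"]}')
```

A 2xx answer to an unauthenticated request tells you the endpoint is reachable, not that the patch is missing; a 404 or 403 usually means the service is absent or blocked in front of the server. Treat any source that hits the prefix repeatedly as a scanner, and confirm the patch level of the system separately rather than inferring it from the log.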