SAP patches critical flaw that lets hackers seize control of servers

The rare 10/10 vulnerability on the CVSS scale affects a host of apps including ERP and CRM platforms

Blue SAP sign

Software company SAP has patched a critical vulnerability that can be exploited by an unauthenticated hacker to take control of systems and applications.

The flaw, assigned CVE-2020-6287, affects the LM Configuration Wizard element of the NetWeaver Application Server (AS) Java platform, and affects potentially 40,000 customers, according to Onapsis, which discovered the vulnerability.

Alarmingly, the flaw has been rated 10 out of 10 on the CVSS scale and has spurred the United States Computer Emergency Readiness Team (US-CERT) into issuing an alert encouraging organisations to patch their systems immediately.

“Due to the criticality of this vulnerability, the attack surface this vulnerability represents, and the importance of SAP’s business applications, the Cybersecurity and Infrastructure Security Agency (CISA) strongly recommends organizations immediately apply patches,” the alert said.

“CISA recommends organizations prioritize patching internet-facing systems, and then internal systems.”

Those unable to patch their systems should mitigate the vulnerability by disabling the LM Configuration Wizard service. Should this step be impossible, or take more than 24 hours to complete, CISA has recommended closely monitoring SAP NetWeaver AS for any suspicious or anomalous activity. 

The flaw is a result of the lack of authentication in a web component of the SAP NetWeaver AS for Java which allows for several high-privileged activities on the SAP system. 

Successful exploitation involves a remote hacker obtaining unrestricted access to SAP systems by creating high-privileged users and executing arbitrary OS commands with high privileges. Hackers would retain unrestricted access to the SAP database and can perform application maintenance activities. 

The flaw, in essence, entirely undermines confidentiality, integrity and availability of data and processes hosted by the SAP application. 

The vulnerability is present by default in SAP applications running over SAP NetWeaver AS Java 7.3, and any newer versions up to SAP NetWeaver 7.5, affecting a handful of applications. These include SAP Enterprise Resource Planning (ERP), SAP Product Lifecycle Management, SAP Customer Relationship Management (CRM), and around a dozen more.

Flaws rated 10/10 on the CVSS scale are barely encountered, and ordinarily mean the vulnerability is highly exploitable, easy to trigger, and require little or no additional privileges and user interaction. Nevertheless, the SAP flaw is the second 10-rated vulnerability discovered within a couple of weeks, after Palo Alto patched a flaw in its networking services based around its SAML-based authentication mechanism.

Both the SAP and Palo Alto flaws were highlighted by official US law enforcement agencies, the former flagged by US-CERT and the latter by US Cyber Command.

Featured Resources

B2B under quarantine

Key B2C e-commerce features B2B need to adopt to survive

Download now

The top three IT pains of the new reality and how to solve them

Driving more resiliency with unified operations and service management

Download now

The five essentials from your endpoint security partner

Empower your MSP business to operate efficiently

Download now

How fashion retailers are redesigning their digital future

Fashion retail guide

Download now

Most Popular

RMIT to be first Australian university to implement AWS supercomputing facility
high-performance computing (HPC)

RMIT to be first Australian university to implement AWS supercomputing facility

28 Jul 2021
Samsung Galaxy S21 5G review: A rose-tinted experience
Mobile Phones

Samsung Galaxy S21 5G review: A rose-tinted experience

14 Jul 2021
Zyxel USG Flex 200 review: A timely and effective solution

Zyxel USG Flex 200 review: A timely and effective solution

28 Jul 2021