CVE-2020-6287: Critical Vulnerability in SAP NetWeaver Application Server (AS) Java

This blog post was co-authored by Scott King, Brian Carey, and Justin Berry.

Overview of business impact and implications of CVE-2020-6287

This new SAP vulnerability (RECON), a critical vulnerability affecting the SAP NetWeaver Application Server (AS) Java component LM Configuration Wizard, is a huge deal and has a very short, quiet moment before someone reverses it and has working exploit code publicly available.

In production, SAP is a big deal for the companies that own it. In many cases, they have spent tens of millions in capital to buy it and millions more annually to operate it. When a serious vulnerability like this is released, there will be a significant investment needed to update, patch, and fix the problems, requiring a tremendous amount of effort and planning and, in many cases, business disruption from patching and functionality testing. Additionally, many companies are currently in a SOX mode, collecting evidence (or preparing to collect evidence) on their 404 and other control areas, which will make addressing this critical SAP vulnerability an even bigger challenge.

Security, IT, and business teams need to focus on why this is important to their organizations and justify why they should invest the time and money to address this now and not wait until 2021 (seriously). For the organizations that choose to accept risk even temporarily to their supply chain and enterprise resource planning and not deploy patches right away, they will at a minimum have the added complexity and cost of leveraging compensating technical controls.

Why this one matters

Businesses rely on SAP for a wide variety of processes, capturing everything from financial data to business intelligence. Most organizations use it as a tool to manage compliance and ensure access is provisioned (and, more importantly, deprovisioned) with urgency. While the vulnerability allows for a number of high-privileged activities on the SAP system, the critical component to this vulnerability is that it does not require authentication to exploit, meaning any SAP NetWeaver system with the vulnerable components exposed to the internet—currently estimated to be at least 4,000—can likely be trivially compromised based on initial research. Successful exploitation will likely result in unrestricted/unauthorized access to SAP systems, high-privileged user creation, and most prominently, arbitrary code execution with the privileges of the SAP service user account. Since the SAP service user account typically has unrestricted access to the SAP database and is able to perform application maintenance activities (such as shutting down federated SAP applications), there is an opportunity to impact the confidentiality, integrity, and availability of the database.

Considering organizations’ high reliance on the underlying system, the type of data it houses, and the compliance implications, organizations should prioritize their risk management and develop a strategy and timeline for addressing this vulnerability. Adding to that urgency is the fact that many implementations of SAP applications are directly exposed to the internet to ease business access issues outside of VPN tunnels.

Additionally, many security teams are not monitoring the logs of their SAP implementations and are limited in their ability to detect potential intrusions. These factors create a perfect storm of vulnerability, ease of exploitation, lack of monitoring, impact, and likelihood of attack. This severe situation means every SAP shop needs to stop what they’re doing and take inventory of their SAP environment to determine how to protect it.

How to communicate this as risk to the impacted business areas

SAP is a business-critical application for many companies, which means you should start by communicating this vulnerability to your management, starting with the CISO and CIO. Because of the potential compliance implications, this communication should be extended to senior business management and compliance managers as well.

If you are going through SOX compliance and audit preparation, it’s important to point out that this vulnerability cannot be mitigated by typical SOX controls. Due to the type of data typically stored within SAP, a successful attacker could manipulate business processes or access sensitive data such as employee PII, company financial records, banking details, and customer or supplier data.

The types of data and processes managed within SAP likely have far-reaching implications for multiple business units. This single IT risk will map across multiple business risks and should therefore be communicated to all appropriate stakeholders to facilitate buy-in for the downtime needed to patch.

Strategies for prioritizing this with IT

Strategically, the first step is to get buy-in from senior business leaders by mapping this particular vulnerability to the business risk assumed if no action is taken. Concurrently, conversations should begin with IT by identifying which physical or virtual assets are affected. SAP NetWeaver serves as the base layer for many SAP products, so many applications and processes are likely affected. Understanding how many systems you need to apply this patch to will help you begin to communicate estimated downtime to the business.

There may be pushback from IT if these systems are not directly exposed to the internet, but even internally affected systems should be prioritized given traditional weaknesses in defensive capabilities that allow attackers to gain footholds in your network.

It is also possible that patching SAP might not be a traditional function of your remediation teams. This responsibility could fall with your Basis Administrator, who may follow separate remediation strategies than traditional IT remediation teams, so be sure to confirm who is responsible for NetWeaver administration.

Next steps

Treating vulnerabilities, especially severe ones like this, is an exercise in diplomacy, politics, and trade-offs. Because of this, this should be handled in the same way you would treat an active incident. Stand up a war room, create a fast action team (i.e., a tiger team), get an executive stakeholder or officer in charge (OIC) plugged in, and provide visibility to the broader business, risk, and compliance functions with the goal of pulling together a short-term and long-term mitigation strategy.

For some, this will require removing SAP’s direct access to the internet. For others, it will require implementing WAF and/or IPS rules. For others, it will result in accepting the risk. The key message here is to sit down with all stakeholders, including business leaders, to get on the same page about the severity of this vulnerability, develop and activate a treatment plan, and make sure to have, at a minimum, detective controls in place to respond.