IT-Conductor Blog

CVE-2020-6287 AKA RECON (Remotely Exploitable Code on NetWeaver)

Posted by Vladimir Mokrushov on Sep 7, 2020 9:47:37 AM

Identified as HotNews SAP Note #2934135 (CVE-2020-6287) in the July 2020 SAP Security Notes mentioned in our earlier blog SAP Security Patch Day, the RECON (Remotely Exploitable Code On NetWeaver) vulnerability has a CVSS score of 10 out of 10 (the most severe) and can potentially be exploited impacting the confidentiality, integrity and availability of mission-critical SAP applications.

A successful exploit of RECON could give an unauthenticated attacker full access to the affected SAP system. This includes the ability to modify financial records, steal personally identifiable information (PII) from employees, customers and suppliers, corrupt data, delete or modify logs and traces and other actions that put essential business operations, cybersecurity and regulatory compliance at risk.

Test the Vulnerability

Let’s use an unauthenticated method simulating an attacker who goes on to create SAP JAVA users including one with Administrative privileges to gain access to the SAP JAVA application. Notice no password was needed after the attacker compromised the network access to the SAP environment.

Create SAP JAVA user:

Create SAP Java User

 
Identity Management Overview
 

Create SAP JAVA Administrator user:

Create SAP Java User
SAP Java Overview 1
SAP Java Overview 2
SAP Java Netweaver Administrator

Recommendation

Current SAP customers should refer to SAP note 2934135 - [CVE-2020-6287] Multiple Vulnerabilities in SAP NetWeaver AS JAVA (LM Configuration Wizard) and 2939665 - Disable/Enable LM Configuration Wizard | Critical API's in LM Configuration Wizard for patch information

There are hundreds of services delivered with SAP JAVA application, and even more when you run business applications such as PI/PO. Stay vigilant in monitoring and managing the security aspects of your applications particularly with security vulnerabilities and patching.

Find these blog articles useful?  Subscribe to our blog if you haven't already done so, or give IT-Conductor a test drive to see how we can help monitor and managed your SAP landscape remotely without the typical security issues of installing and managing your own technical monitoring infrastructures.

IT-Conductor Signup

Vladimir Mokrushov

Written by Vladimir Mokrushov

Topics: Application performance management, SAP Java Monitoring, SAP Security

FREE IT-Conductor Trial to Monitor SAP

Posts by Topic

see all

Recent Posts

Subscribe to Email Updates