The RECON vulnerability affects more than 40,000 SAP customers, with increased exposure for an estimated 2,500 internet-facing systems.
The Onapsis Research Labs and the SAP Security Response Team worked together to uncover and mitigate the serious RECON vulnerability.
Identified as HotNews SAP Note #2934135 (CVE-2020-6287) in the July 2020 SAP Security Notes, the RECON (Remotely Exploitable Code On NetWeaver) vulnerability has a CVSS score of 10 out of 10 (the most severe) and can potentially be exploited, impacting the confidentiality, integrity and availability of mission-critical SAP applications.
A successful exploit of RECON could give an unauthenticated attacker full access to the affected SAP system. This includes the ability to modify financial records, steal personally identifiable information (PII) from employees, customers and suppliers, corrupt data, delete or modify logs and traces, and take other actions that put essential business operations, cybersecurity and regulatory compliance at risk.
The RECON vulnerability affects a default component present in every SAP application running the SAP NetWeaver Java technology stack. This technical component is used in many SAP business solutions, including SAP SCM, SAP CRM, SAP PI, SAP Enterprise Portal and SAP Solution Manager (SolMan), impacting more than 40,000 SAP customers.
To learn more about the RECON vulnerability, download the full Onapsis Threat Report now and read the FAQs below.
For more information about Onapsis’s Cyber Risk Assessment and how we can help you determine your level of risk for the RECON vulnerability, download our executive brief.
Download the threat report to learn
- How the RECON vulnerability puts 40,000 SAP customers at risk
- Details on the RECON vulnerability and the potential cybersecurity and compliance impact
- How to protect your SAP system and your organization
FREQUENTLY ASKED QUESTIONS
In May 2020, the Onapsis Research Labs identified a serious vulnerability affecting a component included in many SAP applications. Tagged with a CVSS score of 10, the RECON (Remotely Exploitable Code On NetWeaver) vulnerability resides in a default core application. Since this vulnerability can be exploited by remote unauthenticated attackers, systems exposed to untrusted networks such as the internet could be opportunistically targeted.
Based on affected versions, Onapsis estimates that over 40,000 SAP systems may be affected by this vulnerability. Onapsis estimates there are at least 2,500 vulnerable SAP systems directly exposed to the internet, with 45% in North America, 12% in Europe and 30% in Asia-Pacific.
Following the Onapsis coordinated disclosure policy, Onapsis reported this vulnerability to SAP and worked closely with the SAP Security Response Team to address it. SAP has released SAP HotNews Security Note #2934135 addressing this issue.
Vulnerabilities such as RECON are not often seen, but these types of security issues compensate for their rareness with business and compliance impact. As explained in this threat report, an attacker leveraging this vulnerability will have unrestricted access to critical business information and processes in a variety of different scenarios. Based on how widespread this vulnerability is across SAP products, most SAP customers will likely be impacted. Onapsis has been working closely with the SAP Security Response Team to report and fix this vulnerability with the patch being released in the July 2020 SAP Security Notes.
It is fundamental for SAP customers to apply the patch and follow the provided recommendations to stay protected. Continuous monitoring of SAP systems and the automated assessment of security configurations is imperative to ensure that mission-critical information and processes are secure.
The Onapsis Research Labs and the SAP Security Response Team worked together to patch the RECON vulnerability in record time. Identified as HotNews SAP Security Note #2934135 in the July 2020 SAP Security Notes release, the RECON vulnerability has a CVSS score of 10 out of 10 (the most severe) and can potentially be exploited, impacting the confidentiality, integrity and availability of mission-critical SAP applications.
This vulnerability resides inside SAP NetWeaver Java versions 7.30 to 7.50. All Support Packages tested by the Onapsis Research Labs to date were vulnerable. SAP NetWeaver is the base layer for several SAP products and solutions. This means that a broad range of products could be impacted for more than 40,000 SAP customers.
Affected SAP solutions include, but are not limited to:
- SAP Enterprise Resource Planning (ERP)
- SAP Supply Chain Management (SCM)
- SAP CRM (Java Stack)
- SAP Enterprise Portal
- SAP HR Portal
- SAP Solution Manager (SolMan) 7.2
- SAP Landscape Management (SAP LaMa)
- SAP Process Integration/Orchestration (SAP PI/PO)
- SAP Supplier Relationship Management (SRM)
- SAP NetWeaver Mobile Infrastructure (MI)
- SAP NetWeaver Development Infrastructure (NWDI)
- SAP NetWeaver Composition Environment (CE)
Since SAP SolMan is affected and deployed in almost every SAP environment, it is a safe assumption that almost every SAP customer has at least one system affected by this vulnerability.
Absolutely. Malicious threat actors do not need these systems to be exposed to the internet or in the cloud to attack them, as they can typically gain access to the network “behind the firewall” through spear-phishing and other attacks.
Once inside the network, it is very common to find that SAP applications like the ones affected by RECON are accessible to satisfy business use cases. In this case, as an attacker would not even need to have a valid user id in the target SAP application, it is very likely that they could successfully compromise them if not patched.
Furthermore, most large organizations have already realized that their “internal network” is not controlled as it used to be, as today VPNs, BYOD, outsourced contractors and many other variables create an environment where it is not possible to trust the connected devices.
If an unauthenticated attacker is able to connect to the HTTP(S) service and successfully exploit the RECON vulnerability, the impact could be critical in some situations. Technically speaking, an attacker would be able to create a new user in the vulnerable SAP system with maximum privileges (Administrator role), bypassing all access and authorization controls (such as segregation of duties, identity management and GRC solutions). This means that the attacker could gain full control of the affected SAP system, its underlying business data and processes.
Having administrative access to the system will allow the attacker to manage (read/modify/delete) every record/file/report in the system. Because of the type of unrestricted access an attacker would obtain by exploiting unpatched systems, this vulnerability may also constitute a deficiency in an enterprise’s IT controls for regulatory mandates—potentially impacting financial (Sarbanes-Oxley) and privacy (GDPR) compliance. Exploitation of the vulnerability allows an attacker to perform several malicious activities, including:
- Steal personally identifiable information (PII) from employees, customers and suppliers
- Read, modify or delete financial records
- Change banking details (account number, IBAN number, etc.)
- Administer purchasing processes
- Disrupt the operation of the system by corrupting data or shutting it down completely
- Perform unrestricted actions through operating system command execution
- Delete or modify traces, logs and other files
With SAP NetWeaver Java being a fundamental base layer for several SAP products, the specific impact would vary depending on the affected system. In particular, there are different SAP solutions running on top of NetWeaver Java which share a common particularity: they are hyper-connected through APIs and interfaces. In other words, these applications are attached to other systems, both internal and external, usually leveraging high-privileged trust relationships.
Management should be aware of this risk, starting with the CISO and CIO up to the CFO and CEO. Additionally, given the potential compliance implications of this type of deficiency on business-critical systems, your Internal Audit team and the Head of Compliance and Audit should assess this risk.
Unfortunately, this vulnerability cannot be detected by any solution performing GRC or segregation of duties (SoD) controls for SAP. Because these attacks would be unauthenticated, requiring no user credentials or passwords, attackers can easily bypass any existing SoD controls.
Unfortunately, the RECON vulnerability is not under the general scope of IT General Controls (ITGC). Even in a scenario where ITGCs are in a satisfactory state in your SAP environment, the presence of this risk could equal the combination of several ITGC deficiencies. Based on our experience, the risks associated with vulnerabilities such as RECON are usually not included in traditional audits. We encourage internal and external auditors to include a risk assessment of the RECON vulnerability as part of your ITGC audits for SAP systems.
If exploited, an unauthenticated attacker (no username or password required) can create a new SAP user with maximum privileges, bypassing all access and authorization controls (such as segregation of duties, identity management and GRC solutions) and gaining full control of SAP systems. The RECON vulnerability is particularly dangerous because many of the affected solutions are often exposed to the internet to connect companies with business partners, employees and customers, which drastically increases the likelihood of remote attacks.
Onapsis has no evidence of the RECON vulnerability being exploited in the wild to date, but based on our field experience with customers, partners and prospects, we can confirm that any unpatched SAP system can be vulnerable to attacks. In fact, as most organizations are not able to detect the exploitation of these vulnerabilities, a system compromise may go undetected.
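One defensive check that follows from the impact described above is to watch for privileged user creation or role assignment that bypasses the sanctioned identity-management path. The script below is an added example, not Onapsis or SAP code; the audit record format, field names, service-account names, trusted network range and sample events are all constructed assumptions.

```python
import ipaddress

# Hypothetical allowlist of service accounts permitted to provision users via identity management.
SANCTIONED_PROVISIONERS = {"IDM_SVC", "GRC_PROV"}
PRIVILEGED_ROLES = {"Administrator"}
TRUSTED_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed internal range

# Constructed sample audit events (not a real SAP log format): one key=value record per line.
SAMPLE_LOG = """\
2020-07-14T10:02:11Z event=USER_CREATE actor=IDM_SVC target=JDOE roles=Employee src=10.1.4.20 ticket=CHG-44812
2020-07-14T10:05:47Z event=USER_CREATE actor=IDM_SVC target=ADM_BKP roles=Administrator src=10.1.4.20 ticket=CHG-44819
2020-07-14T11:17:03Z event=USER_CREATE actor=- target=SAPSUPPORT2 roles=Administrator src=203.0.113.55 ticket=-
2020-07-14T11:17:09Z event=ROLE_ASSIGN actor=SAPSUPPORT2 target=SAPSUPPORT2 roles=Administrator src=203.0.113.55 ticket=-
"""

def parse_record(line):
    """Split one audit line into a dict; the leading token is the timestamp."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = ts
    rec["roles"] = set(rec.get("roles", "").split(","))
    return rec

def assess(rec):
    """Return the reasons a privileged grant looks like it bypassed the sanctioned IdM path."""
    if rec["event"] not in {"USER_CREATE", "ROLE_ASSIGN"} or not rec["roles"] & PRIVILEGED_ROLES:
        return []
    reasons = []
    if rec["actor"] == "-":
        reasons.append("no authenticated actor")
    elif rec["actor"] not in SANCTIONED_PROVISIONERS:
        reasons.append(f"actor {rec['actor']} is not a sanctioned provisioner")
    if rec.get("ticket", "-") == "-":
        reasons.append("no change ticket")
    if ipaddress.ip_address(rec["src"]) not in TRUSTED_NET:
        reasons.append(f"source {rec['src']} outside trusted network")
    return reasons

def find_suspicious_grants(log_text):
    """Return (timestamp, target user, reasons) for each privileged grant that fails the checks."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        reasons = assess(rec)
        if reasons:
            findings.append((rec["ts"], rec["target"], reasons))
    return findings
```

On the constructed sample, the IdM-driven Administrator creation with a change ticket passes, while the two events that create and elevate SAPSUPPORT2 without an authenticated actor, ticket or internal source are flagged.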
ABOUT ONAPSIS’S MISSION-CRITICAL APPLICATION SECURITY EXPERTISE
As the leading cybersecurity expert for mission-critical applications, Onapsis and the Onapsis Research Labs have reported and helped secure over 800 zero-day security vulnerabilities in mission-critical applications, such as Oracle and SAP.
When the Onapsis Research Labs identifies a potential weakness, they immediately notify the SAP Security Response Team so they can begin evaluating and preparing a patch for the reported misconfiguration and/or vulnerability. The Onapsis Research Labs provides all necessary information to SAP in order to confirm they have what they need to produce the patch. Onapsis does not release information about vulnerabilities to the general public until an official patch is released by the vendor.
Yes. The Onapsis Platform provides organizations with the capabilities to identify the RECON vulnerability in their SAP systems and rapidly mitigate the risk.
To help protect SAP customers from threats exploiting the RECON vulnerability, The Onapsis Platform includes automated assessment, detection rules and alarms to continuously monitor malicious activity targeting this specific vulnerability and many others.
Using the Assess module of The Onapsis Platform, Onapsis customers can automatically run a full assessment of their SAP landscape and analyze whether RECON is present in their SAP systems to streamline remediation and mitigate the risk.
Defend Detection Capabilities
Onapsis customers using the Defend module of The Onapsis Platform (version 2.200.61) have a detection capability in place to continuously monitor for malicious activity and receive alarms to prevent attacks abusing the RECON vulnerability.
Perform an SAP Cyber Risk Assessment Today
For SAP customers not using The Onapsis Platform, Onapsis offers a complimentary Cyber Risk Assessment to help identify whether this vulnerability (and others) is present in their SAP systems.