RECON bug lets hackers create admin accounts on SAP servers

SAP patches bug impacting most of its apps and customer base.
Written by Catalin Cimpanu, Contributor

Business giant SAP released a patch today for a major vulnerability that impacts the vast majority of its customers. The bug, codenamed RECON, exposes companies to easy hacks, according to cloud security firm Onapsis, which discovered the vulnerability earlier this year, in May, and reported it to SAP to have it patched.

Onapsis says RECON allows malicious threat actors to create an SAP user account with maximum privileges on SAP applications exposed on the internet, granting attackers full control over the hacked companies' SAP resources.

Bug impacts many major SAP apps

The vulnerability is easy to exploit and resides in a default component included in every SAP application running the SAP NetWeaver Java technology stack -- namely in the LM Configuration Wizard component, which is part of the SAP NetWeaver Application Server (AS).

The component is used in some of SAP's most popular products, including SAP S/4HANA, SAP SCM, SAP CRM, SAP Enterprise Portal, and SAP Solution Manager (SolMan).

Other SAP applications running the SAP NetWeaver Java technology stack are also impacted. Onapsis estimates the number of affected companies at around 40,000 SAP customers; however, not all of them expose the vulnerable application directly on the internet.

Onapsis says a scan they carried out discovered around 2,500 SAP systems directly exposed to the internet that are currently vulnerable to the RECON bug.

A "severity 10" bug

The urgency around applying this patch is warranted. Onapsis said the RECON bug is one of those rare vulnerabilities that received a maximum 10 out of 10 rating on the CVSSv3 vulnerability severity scale.

The 10 score means the bug is easy to exploit, as it doesn't involve technical knowledge; can be automated for remote attacks over the internet; and doesn't require the attacker to already have an account on an SAP app or valid credentials.

Coincidentally, this is the third major CVSS 10/10 bug disclosed in the last few weeks. Similar critical bugs were also disclosed in PAN-OS (the operating system for Palo Alto Networks firewalls and VPN devices) and in F5's BIG-IP traffic shaping server (one of the most popular networking devices today).

Furthermore, it's also been a rough patch for the enterprise sector, with similarly bad vulnerabilities disclosed in Oracle, Citrix, and Juniper devices, all with high severity ratings and all easy to exploit.

Many of these vulnerabilities, such as the PAN-OS, F5, and Citrix bugs, have already come under attack and are being exploited by hackers.

Administrators of SAP systems are advised to apply SAP's patches as soon as possible, as Onapsis warned that the bug could let hackers take full control of a company's SAP applications and then steal proprietary technology and user data from internal systems.

SAP patches will be listed and available on the company's security portal in the next few hours.

The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (DHS CISA) has also issued a security alert today urging companies to deploy the patches as soon as possible.

RECON is also tracked as CVE-2020-6287.
