Forum Discussion
CVE-2020-6287: Critical Vulnerability in SAP NetWeaver Application Server JAVA Disclosed (RECON)
Researchers disclosed a critical flaw in SAP NetWeaver Application Server that could allow an attacker to gain access to any SAP application. Organizations are strongly encouraged to apply patches as soon as possible.
SAP disclosed two vulnerabilities (CVE-2020-6287 and CVE-2020-6286) in SAP NetWeaver Application Server JAVA (AS JAVA), including a critical flaw reported by the security firm Onapsis. The flaws reside in the LM Configuration Wizard, a component of AS JAVA.
CVE-2020-6287 is caused by a complete lack of authentication in the SAP NetWeaver AS Java’s LM Configuration Wizard. This vulnerability has been dubbed Remotely Exploitable Code On NetWeaver (or “RECON”) by security researchers at Onapsis. CVE-2020-6286 is a path traversal vulnerability due to the lack of input validation for a path in a “certain parameter” of the web service. An unauthenticated, remote attacker could exploit this vulnerability and “download zip files to a specific directory.”
To address these CVEs, SAP released security updates in SAP Security Note #2934135 as part of their Security Patch Day for July 2020.
For more information about the RECON vulnerability, including the availability of patches and Tenable product coverage, please visit our blog.
3 Replies
There is a plugin from Nessus, but it relies only on the application version and it doesn't work properly, as it detects NetWeaver ABAP versions as vulnerable also.
- piotr_ciezynsk1, Connect Contributor
Same here.
Moreover, the dedicated direct check plugin (https://www.tenable.com/plugins/nessus/138762) also gives false positives, as it checks the incorrect endpoint imho.
I am also wondering if we are getting a false positive report from the plugin scan output.
The output is from a scan carried out with the SAP workaround in place, where the CTC service is closed down.
The connection status also indicates it is closed, where on an untouched system it reports Connection: Keep-Alive.
Nessus was able to exploit the issue using the following request:
GET /CTCWebService/CTCWebServiceBean?wsdl HTTP/1.1
Host: 192.168.1.1
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
Accept-Language: en
Connection: Close
Cookie: saplb_*=(J2EE603930820)603930850; PortalAlias=portal
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Pragma: no-cache
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
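The replies above all come down to one question: does the LM Configuration Wizard's CTC endpoint still answer without authentication after the patch or the SAP workaround, or is the plugin flagging on version alone? The script below is an added example written for this thread; it is not code from Tenable, SAP or any poster. It reuses the exact path and request headers from the quoted scan output and classifies the target's HTTP response (status code and body), which is what a direct check has to look at; the request's own "Connection: Close" line is sent by the scanner and says nothing about the target. The port 50000 default, the sample responses and the verdict wording are assumptions constructed for the example.

```python
"""Verify the RECON (CVE-2020-6287) patch/workaround by inspecting the CTC WSDL response.

Added example for this thread, not Tenable's plugin logic or SAP's code.
A 200 carrying a WSDL means the LM Configuration Wizard endpoint is still
reachable unauthenticated; 401/403/404 means authentication is enforced or
the CTC service is gone; everything else is reported as inconclusive rather
than guessed, which is how a version-only check produces false positives.
"""
import http.client
from dataclasses import dataclass

# Endpoint and request headers copied from the scan output quoted in the thread.
CTC_WSDL_PATH = "/CTCWebService/CTCWebServiceBean?wsdl"
REQUEST_HEADERS = {
    "Accept-Charset": "iso-8859-1,utf-8;q=0.9,*;q=0.1",
    "Accept-Language": "en",
    "Connection": "Close",
    "User-Agent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)",
    "Pragma": "no-cache",
    "Accept": "image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*",
}


@dataclass
class Verdict:
    state: str    # "exposed", "mitigated" or "inconclusive"
    reason: str


def _header(headers, name):
    """Case-insensitive header lookup over a plain dict of response headers."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return ""


def classify(status, headers, body):
    """Classify one response to GET /CTCWebService/CTCWebServiceBean?wsdl.

    status: integer HTTP status, or None if no HTTP response was obtained.
    headers: dict of response headers.  body: response body as bytes.
    Only the response is inspected; request headers carry no information
    about the target's state.
    """
    if status is None:
        return Verdict("inconclusive", "no HTTP response (host down, wrong port or filtered)")
    looks_like_wsdl = b"schemas.xmlsoap.org/wsdl" in body or b"<wsdl:definitions" in body
    if status == 200 and looks_like_wsdl:
        return Verdict("exposed", "CTC WSDL served without authentication")
    if status == 200:
        ctype = _header(headers, "Content-Type") or "unknown"
        return Verdict("inconclusive", f"200 but body is not a WSDL (Content-Type: {ctype})")
    if status in (401, 403):
        return Verdict("mitigated", f"HTTP {status}: endpoint now requires authentication")
    if status == 404:
        return Verdict("mitigated", "HTTP 404: CTC web service not deployed or disabled")
    if 300 <= status < 400:
        location = _header(headers, "Location") or "?"
        return Verdict("inconclusive", f"redirect to {location}; inspect the redirect target by hand")
    return Verdict("inconclusive", f"unexpected HTTP {status}")


def probe(host, port=50000, timeout=5.0):
    """Send the thread's request to a real host and classify the reply.

    Port 50000 is assumed (the usual AS Java HTTP port for instance 00);
    adjust it for your instance number.  Plain HTTP, as in the scan output.
    """
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", CTC_WSDL_PATH, headers=REQUEST_HEADERS)
        resp = conn.getresponse()
        return classify(resp.status, dict(resp.getheaders()), resp.read())
    except OSError:  # covers ConnectionRefusedError and socket timeouts
        return classify(None, {}, b"")
    finally:
        conn.close()


# Constructed sample responses (not captured from a real SAP system) so the
# classifier can be exercised offline.
SAMPLE_RESPONSES = {
    "unpatched": (200, {"Content-Type": "text/xml"},
                  b'<?xml version="1.0"?><wsdl:definitions '
                  b'xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"></wsdl:definitions>'),
    "ctc_disabled": (404, {"Content-Type": "text/html"}, b"<html>Not Found</html>"),
    "auth_enforced": (401, {"WWW-Authenticate": 'Basic realm="SAP"'}, b""),
    "portal_landing": (200, {"Content-Type": "text/html"}, b"<html>Portal</html>"),
}

if __name__ == "__main__":
    for name, (status, headers, body) in SAMPLE_RESPONSES.items():
        verdict = classify(status, headers, body)
        print(f"{name:15s} -> {verdict.state:12s} {verdict.reason}")
```

Run it without arguments to see the four constructed cases classified; call `probe("host")` against a lab system you own to classify a live reply. The design point is that "mitigated" is only returned for a response that positively shows the endpoint gone or guarded, and a 200 that is not a WSDL (for example a portal landing page) is left inconclusive instead of being counted either way.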