Critical Bug Gives Attackers Control of Vulnerable SAP Business Applications
20 July 2020
SAP has issued patches for a critical vulnerability, dubbed RECON (Remotely Exploitable Code On NetWeaver), that can lead to total compromise of vulnerable SAP installations. It carries a Common Vulnerability Scoring System (CVSS) score of 10.0, the most severe rating possible.
If exploited, CVE-2020-6287 would give a malicious actor full access to the affected system, including the ability to create a new SAP user with maximum privileges, alter financial records, corrupt data, delete or change logs and traces, harvest personally identifiable information, and take other actions that could put organisations at severe risk.
The vulnerability, which can be exploited over HTTP against an internet-facing interface without any credentials, affects a default component present in every SAP application running on top of SAP NetWeaver AS Java 7.3 and upwards. This includes SAP SCM, SAP Solution Manager, SAP PI and SAP Enterprise Portal. An estimated 40,000 SAP customers are affected, with at least 2,500 vulnerable systems currently exposed to the internet.
Organisations must apply the relevant patches immediately, prioritising internet-facing systems, and then internal systems. Those unable to patch straight away should mitigate the vulnerability by disabling the LM Configuration Wizard service. In addition, continue monitoring your SAP NetWeaver AS for anomalous activity over the coming days.
A critical privilege escalation vulnerability in Windows Server (CVE-2020-1472), codenamed Zerologon, allows an attacker with network access to a domain controller to become a domain admin without any credentials.
Microsoft's September Patch Tuesday fixes 129 security holes (23 of which are rated 'critical') across numerous versions of its Windows operating system and related software. One of the more serious flaws could be exploited for remote code execution simply by sending an email to the victim.
Secrutiny Awarded Position on Crown Commercial Services “Cyber Security Services 3 Dynamic Purchasing System”
We are thrilled to announce that Secrutiny has been awarded a position on Crown Commercial Service’s Cyber Security Services 3 Dynamic Purchasing System (DPS).