On July 13, 2020, SAP released a security update that patches a critical vulnerability in the LM Configuration Wizard component of SAP NetWeaver Application Server (AS) Java. The bug, named Remotely Exploitable Code on NetWeaver (RECON) by researchers at Onapsis Research Labs, who uncovered it on May 27, affects more than 40,000 SAP customers.
Mariano Nunez, CEO at Onapsis Research Labs (a Boston-based firm that partners with SAP on researching and addressing enterprise security issues), says that SAP customers whose systems are directly connected to the internet are at the greatest risk. The SAP NetWeaver AS Java technology stack is a critical component of SAP's support and system management suite, SAP Solution Manager, and it also underpins the SAP Portal component, which is typically exposed to the internet.
This week, New Zealand cybersecurity startup RedShield announced that it has developed a custom shield for the RECON vulnerability, intended to keep critical data within SAP systems secure while leaving the SAP application code untouched.
Andy Prow, CEO of RedShield, explains:
“It is fundamental for SAP customers to stay protected and alert, as due to the very nature of SAP it will be running business-critical systems. However, the reason we see so many organisations struggling to act and apply patches quickly is because of the potential business risks and what downstream impact may be caused. This is why RedShield exists. Vulnerability Shielding involves injecting code in front of the vulnerable application to fully remediate or neuter the attack. The most important factor is that the shield requires zero touch to the application, meaning vulnerabilities are removed without the risk and interruption caused by touching systems like SAP.”
How the RECON Bug Affects SAP NetWeaver
According to the Cybersecurity and Infrastructure Security Agency (CISA), the RECON vulnerability carries the highest possible severity rating, a CVSS (Common Vulnerability Scoring System) score of 10 out of 10. It allows a remote attacker to gain unrestricted access to SAP systems and the SAP database, bypassing the access and authorization controls that protect applications. Attackers could then steal sensitive data, modify critical data, or simply disrupt the business. If not addressed immediately, exposed SAP customers are at risk of violating Sarbanes-Oxley financial regulations and the General Data Protection Regulation (GDPR).
The bug is present by default in SAP applications running on top of SAP NetWeaver AS Java 7.3 and any newer version (up to SAP NetWeaver 7.5). Potentially vulnerable products include any SAP Java-based solution, such as SAP Supply Chain Management, SAP Supplier Relationship Management, and SAP NetWeaver Business Warehouse, to name a few.
Nunez further notes that as more people work remotely due to COVID-19 and rely on the internet to reach SAP systems, the RECON bug poses a much higher risk to businesses:
“Many of the systems were already internet-facing before COVID for use cases like self-service portals or supplier B2B. But now with everyone working remotely, the systems have an even higher relevance for the company. Now if you disrupt any of these internet-facing systems, then potentially the entire company may not be able to access them. Before it was only the people that were working remotely.”