Yesterday morning we read the disclosure of CVE-2020-6287, named “RECON” (Remotely Exploitable Code On NetWeaver) by Onapsis Research Labs. It affects the SAP NetWeaver Java technology stack (AS Java), including the latest releases.
Just how severe is RECON? It carries the maximum CVSS score of 10.0. An attacker who exploits it on an affected system can create a highly privileged user and, with that account, run arbitrary code, read or delete sensitive data, and otherwise compromise the confidentiality, integrity, and availability of the SAP system. The score reflects not only the damage that can be done but how easily it can be done: exploitation requires no authentication at all, and many affected systems are exposed directly to the Internet, which makes them high-profile targets.
The good news is that Censys continuously scans the entire Internet, which gives us unparalleled insight into the extent of RECON exposure.
Although the Onapsis Research Labs team estimates that at least 2,500 vulnerable SAP services are Internet-facing, our data shows closer to 10,000, including more than 26 Fortune 500 companies from the retail, utilities, technology, medical, chemical, transportation, and food industries.
Time to patch!
Patching is the best and most urgently needed action. SAP issued a patch yesterday (SAP Security Note 2934135) and strongly urges customers to apply it as soon as possible. If you cannot patch immediately, SAP's guidance is to disable the vulnerable LM Configuration Wizard component on Internet-facing AS Java systems until you can.
If the thought of trying to find all of your externally facing systems running this vulnerable software puts you in a cold sweat, it’s time to consider an Attack Surface Management platform. Outside-in scanning of your attack surface compiles a comprehensive catalog of assets, so when vulnerabilities are disclosed, a remediation action plan is a single query away.
If you’re already an Attack Surface Management customer, you can check for affected versions of the SAP NetWeaver Application Server in the Software docket.
Ready to learn more about the Censys Attack Surface Management platform?
For Censys Enterprise Data customers, try the following query to find your affected systems. Replace `your_ip_list` with your own address list and `your company` with the name as it appears (lower-cased) in your certificate subjects. Note that the query keys on the version strings in the HTTP banner: a match means the host advertises an affected AS Java release line, not that the patch is missing, and hosts that do not expose the version in their landing page will not match at all.
SELECT
  ip,
  s.port_number,
  autonomous_system.description,
  s.certificate.subject_dn,
  SAFE_CAST(s.banner AS STRING) AS raw_text,
  REGEXP_EXTRACT(SAFE_CAST(s.banner AS STRING), r'(?i)<title>(.*)<\/title>') AS title
FROM `censys-io.ipv4_banners_public.current`, UNNEST(services) AS s
WHERE REGEXP_CONTAINS(SAFE_CAST(s.banner AS STRING), r'(?i)SAP NetWeaver')
  AND REGEXP_CONTAINS(SAFE_CAST(s.banner AS STRING), r'(?i)AS Java 7\.30|AS Java 7\.31|AS Java 7\.40|AS Java 7\.50')
  AND (ip IN ("""your_ip_list""") OR LOWER(s.certificate.subject_dn) LIKE '%your company%')
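The same banner check, applied locally to landing pages you capture from your own hosts, as an added example (this is not Censys or SAP code, and the sample banners are constructed, not real captures). It extracts the HTML title and the "AS Java 7.xx" version string the query above keys on, escapes the dot so "7.30" cannot match "7-30", and flags only the release lines the query treats as affected. The `fetch_banner` helper and the `203.0.113.x` hosts are assumptions for illustration.

```python
import re
import urllib.request
from typing import Dict, List, Optional

# Affected AS Java release lines, the same list the BigQuery query matches on.
# A match says the host runs an affected release line; it does not say
# whether the RECON patch has been applied.
AFFECTED_AS_JAVA = ("7.30", "7.31", "7.40", "7.50")

TITLE_RE = re.compile(r"<title>(.*?)</title>", re.IGNORECASE | re.DOTALL)
# The dot is escaped so "7.30" does not also match "7-30" or "7x30".
VERSION_RE = re.compile(r"AS\s+Java\s+(7\.\d{2})", re.IGNORECASE)


def extract_title(banner: str) -> Optional[str]:
    """HTML <title> of a captured HTTP response body, or None."""
    m = TITLE_RE.search(banner)
    return m.group(1).strip() if m else None


def classify_banner(banner: str) -> Dict[str, object]:
    """What one captured banner says about RECON exposure."""
    is_netweaver = "sap netweaver" in banner.lower()
    m = VERSION_RE.search(banner)
    version = m.group(1) if m else None
    return {
        "title": extract_title(banner),
        "netweaver": is_netweaver,
        "as_java_version": version,
        "affected": is_netweaver and version in AFFECTED_AS_JAVA,
    }


def triage(banners: Dict[str, str]) -> List[str]:
    """Hosts (keys) whose banner matches an affected NetWeaver AS Java release."""
    return sorted(host for host, body in banners.items()
                  if classify_banner(body)["affected"])


def fetch_banner(url: str, timeout: float = 5.0) -> str:
    """Fetch a landing page so the same check can run against your own hosts
    (assumed helper; not used by the offline sample below)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read(65536).decode("utf-8", errors="replace")


# Constructed sample banners (not real captures), shaped like the
# title/version strings the query keys on.
SAMPLE_BANNERS = {
    "203.0.113.10": (
        "<html><head><title>SAP NetWeaver Application Server Java</title></head>"
        "<body>SAP NetWeaver AS Java 7.50</body></html>"
    ),
    "203.0.113.11": (
        "<html><head><title>SAP NetWeaver Application Server Java</title></head>"
        "<body>SAP NetWeaver AS Java 7.20</body></html>"  # older line, not in the list
    ),
    "203.0.113.12": "<html><head><title>Welcome to nginx!</title></head></html>",
    # An unescaped dot in the version regex would wrongly match this one.
    "203.0.113.13": "<html><body>SAP NetWeaver AS Java 7-30</body></html>",
}

if __name__ == "__main__":
    for host in triage(SAMPLE_BANNERS):
        print(host, classify_banner(SAMPLE_BANNERS[host]))
```

Run it as-is to see the triage on the constructed samples; to check your own estate, build the `banners` dict from `fetch_banner("https://host:port/")` for each Internet-facing SAP host and pass it to `triage`. Treat every hit as "verify patch status", not as confirmed vulnerable, and remember that hosts which hide the version string are simply not covered by this check.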
Want the power of Censys behind your vulnerability management team? Contact us today for a demo