CVE-2020-6287
Published: 14 July 2020
Summary
CVE-2020-6287 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in SAP NetWeaver Application Server Java. Its CVSS base score is 10.0 (Critical).
Operationally, it ranks in the top 0.0% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-2 (Identification and Authentication: Organizational Users).
Deeper analysis
CVE-2020-6287 is a missing authentication check vulnerability, tracked under CWE-306, that affects the LM Configuration Wizard component of SAP NetWeaver AS JAVA in versions 7.30, 7.31, 7.40, and 7.50. The flaw permits configuration tasks to be invoked without any prior authentication, directly exposing the SAP Java system to unauthenticated remote interaction.
An attacker with network access can exploit the issue to execute critical configuration actions, including creation of an administrative user account. This leads to full compromise of confidentiality, integrity, and availability, reflected in the CVSS 3.1 base score of 10.0 with an attack vector of network, low complexity, no privileges, and no user interaction.
SAP security note 2934135, the associated SCN wiki guidance, and Onapsis reporting outline mitigation steps that include applying vendor patches and restricting access to the affected configuration endpoints. Public exploit code has been released via Packet Storm and Full Disclosure mailing lists, confirming the vulnerability's practical exploitability shortly after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2020-27437
Vulnerability details
SAP NetWeaver AS JAVA (LM Configuration Wizard), versions - 7.30, 7.31, 7.40, 7.50, does not perform an authentication check which allows an attacker without prior authentication to execute configuration tasks to perform critical actions against the SAP Java system, including the ability to create an administrative user, and therefore compromising Confidentiality, Integrity and Availability of the system, leading to Missing Authentication Check.
- CWE(s): CWE-306 (Missing Authentication for Critical Function)
- KEV Date Added: 03 November 2021
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): Directly enforces authentication requirements on the LM Configuration Wizard endpoints so that configuration actions (including admin user creation) cannot be invoked without prior authentication.
- IA-2 (Identification and Authentication: Organizational Users): Mandates identification and authentication of users before allowing access to the SAP Java system, eliminating the unauthenticated remote interaction that CVE-2020-6287 exploits.
- Network access restriction: Restricts network access to the exposed LM Configuration Wizard endpoints, limiting the attack surface for unauthenticated configuration changes described in the CVE.
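To make the weakness class and the three controls above concrete, here is an added example (not SAP code, not from the security note, and not the LM Configuration Wizard's real API) that models the CWE-306 pattern described in the deeper analysis: a configuration dispatcher that reaches a critical action (creating an administrative user) with no authentication check, beside a hardened dispatcher that applies the network restriction, IA-2 and AC-3 in order. The request shape, the `ConfigService` user store, the endpoint path and the management network range are all constructed stand-ins.

```python
"""Model of CWE-306 (missing authentication for a critical function) and the
controls that close it. Everything below is constructed for illustration; it
is not SAP NetWeaver code and does not reproduce the real component's API."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Request:
    path: str
    action: str
    params: dict
    client_ip: str
    session_user: Optional[str] = None          # None means unauthenticated caller
    session_roles: frozenset = frozenset()      # roles bound to the session


@dataclass
class ConfigService:
    """Hypothetical user store behind the configuration endpoint."""
    users: dict = field(default_factory=dict)

    def create_admin_user(self, name: str, password: str) -> dict:
        self.users[name] = {"password": password, "roles": {"Administrator"}}
        return {"status": 200, "created": name}


def handle_vulnerable(svc: ConfigService, req: Request) -> dict:
    """CWE-306 pattern: the critical action is invoked straight from the
    network request; nothing asks who the caller is."""
    if req.action == "create_admin_user":
        return svc.create_admin_user(req.params["name"], req.params["password"])
    return {"status": 404}


# Constructed allow-list: the only segment the config endpoint is exposed to.
MGMT_NETWORKS = [ipaddress.ip_network("10.10.0.0/24")]


def handle_hardened(svc: ConfigService, req: Request) -> dict:
    # Network restriction: refuse the endpoint to anything off the management segment.
    ip = ipaddress.ip_address(req.client_ip)
    if not any(ip in net for net in MGMT_NETWORKS):
        return {"status": 403, "reason": "config endpoint not exposed to this network"}
    # IA-2: the caller must be an identified, authenticated user before any action.
    if req.session_user is None:
        return {"status": 401, "reason": "authentication required"}
    # AC-3: enforce authorization for the specific critical function.
    if req.action == "create_admin_user":
        if "Administrator" not in req.session_roles:
            return {"status": 403, "reason": "administrator role required"}
        return svc.create_admin_user(req.params["name"], req.params["password"])
    return {"status": 404}


def run_scenarios() -> dict:
    """Run the same unauthenticated request against both dispatchers, then the
    hardened one against progressively more legitimate callers."""
    params = {"name": "new-admin", "password": "constructed-secret"}
    external_unauth = Request("/config-wizard", "create_admin_user", params, "203.0.113.5")
    internal_unauth = Request("/config-wizard", "create_admin_user", params, "10.10.0.7")
    internal_operator = Request("/config-wizard", "create_admin_user", params, "10.10.0.7",
                                session_user="operator", session_roles=frozenset({"Viewer"}))
    internal_admin = Request("/config-wizard", "create_admin_user", params, "10.10.0.7",
                             session_user="basis", session_roles=frozenset({"Administrator"}))

    weak, strong = ConfigService(), ConfigService()
    return {
        "vulnerable_external_unauth": handle_vulnerable(weak, external_unauth)["status"],
        "vulnerable_created_admin": "new-admin" in weak.users,
        "hardened_external_unauth": handle_hardened(strong, external_unauth)["status"],
        "hardened_internal_unauth": handle_hardened(strong, internal_unauth)["status"],
        "hardened_internal_operator": handle_hardened(strong, internal_operator)["status"],
        "hardened_internal_admin": handle_hardened(strong, internal_admin)["status"],
        "hardened_created_admin": "new-admin" in strong.users,
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

The order of checks in `handle_hardened` is deliberate: the network restriction fails closed before any request parsing matters, authentication (IA-2) comes before the action is even looked at, and authorization (AC-3) is evaluated per critical function rather than per endpoint, so adding a new configuration action cannot silently inherit a missing check.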