Exploitation of this bug can let the attacker lift sensitive information, delete files, execute code, carry out sabotage etc.
A critical vulnerability, carrying a severity score of 10 out of 10 on the CVSS bug-severity scale, has been revealed for SAP customers.
SAP’s widely used collection of enterprise resource planning (ERP) software is used by customers to manage their financials, logistics, customer-facing organizations, human resources & other business areas. The systems contain large amounts of sensitive information.
Alert
According to an alert from the U.S. Department of Homeland Security (DHS), successful exploitation of the bug lets attackers read & modify financial records; change banking details; read personally identifiable information (PII); administer purchasing processes; sabotage or disrupt operations; achieve operating system command execution; & delete or modify traces, logs & other files.
The bug (CVE-2020-6287) has been called RECON by the Onapsis Research Labs researchers that discovered it, & it affects over 40,000 SAP customers, they noted. SAP delivered a patch for the issue as part of its July 2020 Security Note.
NetWeaver
“It stands for Remotely Exploitable Code on NetWeaver,” Mariano Nunez, CEO of Onapsis, explained. “This vulnerability resides inside SAP NetWeaver Java versions 7.30 to 7.50 (the latest version as of our analysis publication). All Support Packages tested to date were vulnerable. SAP NetWeaver is the base layer for several SAP products & solutions.”
An attacker using this vulnerability will have unrestricted access to critical business information & processes in a variety of different settings, stated the firm.
Java Technology
The bug affects a default element present in every SAP application running the SAP NetWeaver Java technology stack, explained Onapsis. The technical component is used in many SAP business solutions, e.g. SAP S/4HANA, SAP SCM, SAP CRM, SAP Enterprise Portal, SAP Solution Manager (SolMan) & many others, the researchers commented.
DHS further outlined that the vulnerability is introduced because of the lack of authentication in a web component of the SAP NetWeaver AS for Java, allowing for several high-privileged activities on the SAP system.
Vulnerability
A remote, unauthenticated attacker can use this vulnerability through an HTTP interface, which is usually exposed to end users &, in many cases, exposed to the internet.
“If successfully exploited, a remote, unauthenticated attacker can obtain unrestricted access to SAP systems through the creation of high-privileged users & the execution of arbitrary operating system commands with the privileges of the SAP service user account (<sid>adm), which has unrestricted access to the SAP database & is able to perform application maintenance activities, such as shutting down federated SAP applications,” the alert states.
Impact
An unauthenticated attacker could create a new SAP user with maximum privileges, bypassing all access & authorization controls (such as segregation of duties, identity management, & governance, risk & compliance solutions) & gaining full control of SAP systems, Nunez further commented.
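The creation of a new high-privileged SAP user is the outcome both DHS and Onapsis single out, and it is also the event a defender can most readily look for after the fact. The following script is an added example, not code from the article, SAP or Onapsis: it reads a constructed, hypothetical audit log (one JSON object per line with the fields ts, event, actor, target and roles; real SAP audit logs use a different format) and flags events that grant an administrative role, noting when no authenticated actor was recorded or when an account granted the role to itself. The role names in HIGH_PRIVILEGE_ROLES are assumptions for the example.

```python
"""Flag high-privilege SAP user creation in a constructed audit log.

Added example; the log format and role names below are hypothetical
simplifications, not SAP's real audit log schema.
"""
import json

# Assumed names of roles that confer unrestricted control over the system.
HIGH_PRIVILEGE_ROLES = {"Administrator", "SAP_J2EE_ADMIN"}

# Constructed sample log. Lines 3 and 4 show the pattern of concern: an
# account created with an administrative role by a request that carried no
# authenticated user, which then grants itself a second admin role.
SAMPLE_LOG = """\
{"ts": "2020-07-14T08:01:10Z", "event": "USER_LOGIN", "actor": "j.doe", "target": "j.doe", "roles": []}
{"ts": "2020-07-14T08:05:42Z", "event": "USER_CREATE", "actor": "hr.admin", "target": "new.hire", "roles": ["Employee"]}
{"ts": "2020-07-14T23:17:05Z", "event": "USER_CREATE", "actor": "", "target": "svc_maint", "roles": ["Administrator"]}
{"ts": "2020-07-14T23:17:09Z", "event": "ROLE_ASSIGN", "actor": "svc_maint", "target": "svc_maint", "roles": ["SAP_J2EE_ADMIN"]}
"""


def parse_log(text):
    """Parse one JSON event per line.

    Malformed lines are skipped rather than aborting the run: an attacker who
    edits or truncates the log may leave partial lines behind, and the intact
    entries are still worth examining.
    """
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def find_privileged_grants(events):
    """Return one finding per event that grants a high-privilege role."""
    findings = []
    for ev in events:
        granted = set(ev.get("roles", [])) & HIGH_PRIVILEGE_ROLES
        if ev.get("event") not in {"USER_CREATE", "ROLE_ASSIGN"} or not granted:
            continue
        reasons = ["grants " + ", ".join(sorted(granted))]
        actor = ev.get("actor") or ""
        if not actor:
            # A privileged change with no authenticated actor is exactly what
            # an unauthenticated entry point would leave in the record.
            reasons.append("no authenticated actor recorded")
        elif actor == ev.get("target"):
            reasons.append("account granted itself the role")
        findings.append({"ts": ev.get("ts"), "target": ev.get("target"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_privileged_grants(parse_log(SAMPLE_LOG)):
        print(f["ts"], f["target"], "; ".join(f["reasons"]))
```

Run against the constructed log, the script reports the two svc_maint events and leaves the routine creation of new.hire alone. Because the alert also warns that attackers can delete or modify logs, findings from a log on the SAP host itself are only as trustworthy as that log; forwarding audit events to a separate collector as they are written is what makes this kind of check reliable.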
“With SAP NetWeaver Java being a fundamental base layer for several SAP products, the specific impact would vary depending on the affected system,” explains Onapsis, in a technical analysis.
“In particular, there are different SAP solutions running on top of NetWeaver Java which share a common particularity: they are hyper-connected through APIs & interfaces. In other words, these applications are attached to other systems, both internal & external, usually leveraging high-privileged trust relationships.”
Vulnerable
Also, the RECON vulnerability’s risk increases when the affected solutions are exposed to the internet to connect companies with business partners, employees & customers. These systems (Onapsis estimates there are at least 2,500 of them) have an increased likelihood of remote attacks, researchers outlined. Of those vulnerable installations, 33% are in North America, 29% are in Europe & 27% are in Asia-Pacific.
“Because of the type of unrestricted access an attacker would obtain by exploiting un-patched systems, this vulnerability also may constitute a deficiency in an enterprise’s IT controls for regulatory mandates—potentially impacting financial (Sarbanes-Oxley) & privacy (GDPR) compliance.”
Patch Available
SAP’s patch should be applied immediately, researchers recommended. While there is no indication yet that this has been exploited, Nunez observed that SAP customers should be on high alert now that the vulnerability has been announced & the DHS has sent out its US-CERT alert warning.
“Now that the vulnerability & patch have been released, skilled hackers can quickly develop exploit code,” he explained. “Because there are many vulnerable Internet exposed SAP systems, the complexity of the attack is significantly less.”
Complexity
Because of the complexity of mission-critical applications & limited maintenance windows, organizations are often challenged to rapidly apply SAP security notes, the Onapsis team explained.
“It’s difficult to patch mission-critical applications such as those from SAP because they need to be constantly available,” Nunez explained. “Testing can take a long time depending upon complexity and customization of the apps. Also, there are limited maintenance windows available to apply the patches.”
SAP customers
He finally added, “For SAP customers, critical vulnerabilities such as RECON highlight the need to protect mission-critical applications, by extending existing cyber-security & compliance programs to ensure these applications are no longer in a blind spot. These systems are the lifeblood of the business & under the scope of strict compliance requirements, so there is simply nothing more important to secure.”