Newly Discovered Vulnerability Threatens SAP Users

On July 13, 2020, US-CERT released an alert for a new critical vulnerability in SAP NetWeaver discovered by Optiv partner Onapsis (CVE-2020-6287). SAP applications are critical systems that house financial, HR, business intelligence and customer data, and many of the Fortune 2000 rely on them for critical business needs.

Dubbed “RECON,” the vulnerability affects an application that is installed by default on all NetWeaver Java installations. Onapsis estimates that 40,000 organizations may be affected by this vulnerability and that more than 2,500 instances are likely to be Internet facing. Not all SAP products are affected, but because NetWeaver is a common underlying layer, several SAP products will be. Since one of the affected products, SAP Solution Manager (SolMan), is used by almost every SAP customer, it is probable that nearly ALL SAP customers are affected by this vulnerability.

Technical details are still not public, but since no authentication is required to exploit this vulnerability, an attacker who can reach the vulnerable web server from the Internet can completely take over the SAP installation and create new users with the highest privilege levels. This level of access would allow an attacker to read and modify any of the records or user data stored within the system and perform countless tasks within the platform. Attackers may also use their access to the compromised SAP host to attack other systems on the internal network. Examples of possible impacts:

  • Creation of new users with the highest privilege levels
  • Reading or modifying financial data
  • Reading user data
  • Administering purchasing processes
  • Many more.

SAP has released a fix in its July 2020 Security Notes (Note #2934135). The new version of the application solves the issue by adding authentication and authorization. Other workarounds include manually adding authentication to the vulnerable application or disabling the application altogether.

As companies look beyond this current vulnerability, it highlights the need to make ERP systems a focus of a robust security program. The partnership of Optiv Threat Management and Onapsis is uniquely positioned to bring product and services together to provide robust ERP security solutions. Because of their criticality and the complexity of their deployment, these systems are often taken out of scope for penetration tests: an ERP outage can be one of the costliest an organization can face. Yet cyber risk analysis ranks these same environments among the most critical.

Through proper planning, a robust security program around ERP deployments can be developed. That plan requires:

  • ERP specific risk assessments, policies, processes and data classification controls
  • Robust and nimble change management that provides accountability while giving your organization the tools to pivot quickly and make critical changes in a timely manner
  • Corporate network security hardening and penetration tests to evaluate the risk of attacks leveraging Active Directory credentials or attacks against admin desktops for pivoting into the ERP environment
  • A continual manual and automated vulnerability management testing program
  • Identity and Access Management solutions designed to limit access and privileges, backed up by a strong password policy with credential audits
  • Secure SDLC and DevSecOps programs designed to minimize and stop risks early in the ERP software development lifecycle
  • A threat modeling program that evaluates the security and attack vectors likely against the ERP environment and applies continual improvement to the security process
  • ABAP and Java code reviews of all critical ERP applications
  • Cyber Operations monitoring and support focused on ERP systems and security alerts
  • Incident response plans, playbooks and forensics programs catered to the ERP system, with tabletop and live-fire exercises designed to test and train personnel on the complexities of ERP incidents
  • And more. A full ERP security program customizes and applies the security principles that we already regularly execute within corporate environments

The next few weeks will be complex for SAP customers as the impacts of this release become more apparent, but the majority of organizations can and will resolve this issue quickly through the patches and/or workarounds that have been released. Longer term, however, it serves as a reminder that ERP solutions are a long-neglected attack surface and a critical part of the threat landscape.

Learn more about the RECON Vulnerability:

Bill Young
VP/GM, Threat Management | Optiv
Bill is responsible for Optiv’s offensive testing and enterprise incident management services including breach simulations, penetration testing programs, incident response, application security and advanced product security assessments. Bill has more than 15 years of experience in Information Security consulting and leadership. He has developed and implemented multifaceted penetration testing and application security programs, delivering custom-built assessment services to meet a variety of needs, budgets and risk tolerance. He has also performed red team and security assessments for clients in all major verticals, with client sizes ranging from 30 employees to Fortune 10 corporations.