Newly Discovered Vulnerability Threatens SAP Users

July 14, 2020

On July 13, 2020, US-CERT released an alert for a new critical vulnerability in SAP NetWeaver discovered by Optiv partner Onapsis (CVE-2020-6287). SAP applications are critical systems that house financial, HR, business intelligence and customer data. Many of the Fortune 2000 use these systems for critical business needs.

Dubbed “RECON,” the vulnerability affects an application that is installed by default on all NetWeaver Java installations. Onapsis estimates that 40,000 organizations may be affected by this vulnerability and that more than 2,500 instances are likely to be Internet facing. Not all SAP products are affected, but because NetWeaver is a common layer, several SAP products will be. Since one of the affected products, SAP Solution Manager (SolMan), is used by almost every SAP customer, it is probable that nearly ALL SAP customers are affected by this vulnerability.

Technical details are still not public, but since no authentication is required to exploit this vulnerability, attackers who can reach the vulnerable web server from the internet can completely take over the SAP installation and create new users with the highest privilege levels. This level of access would allow attackers to read and modify any of the records or user data stored within the system and perform countless tasks within the platform. Attackers may also attempt to use their access to the compromised SAP host to attack other systems on the internal network.

Examples of possible impacts:

- Creation of new users with the highest privilege levels
- Read/modify financial data
- Read user data
- Administer purchasing processes
- Many more

SAP has released a fix in its July 2020 security notes (SAP Security Note #2934135).
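The following Python is an added illustration, not code from Optiv, Onapsis or SAP, and it does not model the RECON component itself (whose technical details are not public at the time of the post). It shows the class of flaw the post describes: a privileged "create user" action reachable without any session, beside a hardened form that requires both authentication and an authorization check, which is the shape of the vendor fix. All names (UserStore, Session, ADMIN_ROLE, AccessDenied) and the sample request are constructed for this example.

```python
"""Illustrative model of a missing-authentication/authorization flaw.

Constructed example: a privileged 'create user' action exposed two ways,
once with no access control (the RECON-style weakness described above)
and once with the authentication and authorization checks a fix adds.
Names such as UserStore, Session and ADMIN_ROLE are invented for this demo.
"""
from dataclasses import dataclass, field
from typing import Optional

ADMIN_ROLE = "Administrator"  # constructed name for the highest-privilege role


class AccessDenied(Exception):
    """Raised by the hardened handler when a request fails a check."""


@dataclass
class Session:
    """An authenticated caller: who they are and which roles they hold."""
    user: str
    roles: set


@dataclass
class UserStore:
    """In-memory stand-in for the application's user database."""
    users: dict = field(default_factory=dict)   # username -> set of roles
    audit: list = field(default_factory=list)   # (actor, action, target)

    def create_user(self, actor: str, name: str, roles) -> str:
        self.users[name] = set(roles)
        self.audit.append((actor, "create_user", name))
        return name


def create_user_unauthenticated(store: UserStore, request: dict) -> str:
    """Vulnerable form: no session is required, so any network-reachable
    caller can mint a user holding ADMIN_ROLE."""
    return store.create_user("anonymous", request["name"], request["roles"])


def create_user_hardened(store: UserStore, session: Optional[Session],
                         request: dict) -> str:
    """Hardened form: authenticate (session present), then authorize
    (caller holds ADMIN_ROLE) before touching the user store."""
    if session is None:
        raise AccessDenied("authentication required")
    if ADMIN_ROLE not in session.roles:
        raise AccessDenied("caller lacks %s" % ADMIN_ROLE)
    return store.create_user(session.user, request["name"], request["roles"])


def simulate() -> dict:
    """Run both handlers against the same constructed request and report
    which attempts reach the store; returns a dict for inspection."""
    request = {"name": "newadmin", "roles": [ADMIN_ROLE]}  # constructed input
    results = {}

    vulnerable = UserStore()
    create_user_unauthenticated(vulnerable, request)
    results["vulnerable_admin_created"] = ADMIN_ROLE in vulnerable.users["newadmin"]

    hardened = UserStore()
    for label, session in (
        ("no_session", None),
        ("low_priv", Session("helpdesk", {"Viewer"})),
        ("admin", Session("sapadmin", {ADMIN_ROLE})),
    ):
        try:
            create_user_hardened(hardened, session, request)
            results[label] = "created"
        except AccessDenied as exc:
            results[label] = "denied: %s" % exc
    results["hardened_audit"] = list(hardened.audit)
    return results


if __name__ == "__main__":
    for key, value in simulate().items():
        print(key, "->", value)
```

The hardened handler checks for a session before it checks roles, so unauthenticated probes fail closed without revealing anything about role names. The audit entry records the acting identity, which is the field a monitoring rule for unexpected creation of highest-privilege users would key on.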
The new version of the application solves the issue by adding authentication and authorization. Other workarounds include manually adding authentication to the vulnerable application and disabling the application.

As companies look beyond this current vulnerability, it highlights the need to focus on ERP systems within a robust security program. The partnership of Optiv Threat Management and Onapsis is uniquely positioned to bring product and services together to provide robust ERP security solutions. These systems, due to their criticality and the complexity of their deployment, are often taken out of scope for penetration tests. An ERP outage can be one of the costliest that an organization can face. However, cyber risk analysis places these environments among the most critical. Through proper planning, a robust security program around ERP deployments can be developed. That plan requires:

- ERP-specific risk assessments, policies, processes and data classification controls
- Robust and nimble change management that provides accountability while giving your organization the tools to pivot quickly and make critical changes in a timely manner
- Corporate network security hardening and penetration tests to evaluate the risk of attacks leveraging Active Directory credentials or attacks against admin desktops for pivoting into the ERP environment
- A continual manual and automated vulnerability management testing program
- Identity and Access Management solutions designed to limit access and privileges, backed up by a strong password policy with credential audits
- Secure SDLC and DevSecOps programs designed to minimize and stop risks early in the ERP software development lifecycle
- A threat modeling program that evaluates the security and attack vectors likely against the ERP environment and applies continual improvement to the security process
- ABAP and Java code reviews of all critical ERP applications
- Cyber Operations monitoring and support focused on ERP systems and security alerts
- Incident response plans, playbooks and forensics programs catered to the ERP system, with tabletop and live-fire exercises designed to test and train personnel on the complexities of ERP incidents
- And more

A full ERP security program customizes and applies the security principles that we already regularly execute within corporate environments.

The next few weeks will be complex for SAP customers as the impacts of this release become more apparent, but this issue can and will be resolved quickly by a majority of organizations through the patches and/or workarounds that have been released. Longer term, however, this serves as a reminder that ERP solutions are a long-avoided security attack surface and critical threat landscape.

Learn more about the RECON vulnerability:

- Onapsis Threat Report
- US-CERT AA20-195A
- CVE-2020-6287
- SAP Security Note
- SAP Monthly Security Patch Day Blog

By: Bill Young, VP/GM, Threat Management | Optiv

Bill is responsible for Optiv’s offensive testing and enterprise incident management services, including breach simulations, penetration testing programs, incident response, application security and advanced product security assessments. Bill has more than 15 years of experience in information security consulting and leadership. He has developed and implemented multifaceted penetration testing and application security programs, delivering custom-built assessment services to meet a variety of needs, budgets and risk tolerances. He has also performed red team and security assessments for clients in all major verticals, with client sizes ranging from 30 employees to Fortune 10 corporations.

Copyright © 2021 Optiv Security Inc. All rights reserved.