A vulnerability discovered in SAP's NetWeaver Application Server Java allows an attacker to take complete control of the system without authentication. An emergency fix is available.
SAP users should immediately deploy a security patch that addresses a critical vulnerability allowing attackers to compromise their systems and the data they contain. The flaw lies in a core component present by default in most SAP deployments and can be exploited remotely without a user name or password. According to researchers at Onapsis, who found and reported the vulnerability, nearly 40,000 SAP customers worldwide could be affected. More than 2,500 SAP systems are directly exposed on the Internet and are therefore more likely to be attacked, but attackers who gain access to an internal network can compromise other deployments as well.
Identified as CVE-2020-6287, the flaw is located in SAP NetWeaver Application Server Java, the software stack underlying many SAP enterprise applications. Versions 7.30 through 7.50 of NetWeaver Java are affected, including the latest, along with all support packages (SP) the German vendor has shipped. Also called RECON (Remotely Exploitable Code On NetWeaver), the flaw carries the maximum CVSS score of 10 because it can be exploited over HTTP without authentication and leads to complete compromise of the system. It allows attackers to create a new user with the administrator role, bypassing existing access controls and segregation of duties.
A wide range of attack options
"Having administrator access to the system will allow an attacker to manage (read, modify and/or delete) every database record or file on the system," Onapsis warns in a note. "Because of the unrestricted access an attacker can obtain by exploiting unpatched systems, this vulnerability may also constitute a deficiency in an organization's IT controls for regulatory purposes, potentially affecting financial compliance (Sarbanes-Oxley) and personal data (GDPR)."
CVE-2020-6287 exposes organizations to several kinds of attack. Attackers can use it to steal personally identifiable information (PII) belonging to employees, customers and suppliers; read, modify or delete financial records; change bank details to divert payments; and alter purchasing processes. They can also corrupt data, disrupt financial systems and cause losses from business interruption, and cover their tracks by clearing logs and executing operating-system commands with the privileges of the SAP application.
Third-party systems connected to SAP at risk
SAP applications affected by this flaw include S/4HANA Java, Enterprise Resource Planning (ERP), Supply Chain Management (SCM), CRM (Java Stack), Enterprise Portal, HR Portal, Solution Manager (SolMan) 7.2, Landscape Management (SAP LaMa), Process Integration/Orchestration (SAP PI/PO), Supplier Relationship Management (SRM), NetWeaver Mobile Infrastructure (MI), NetWeaver Development Infrastructure (NWDI) and NetWeaver Composition Environment (CE).
SAP systems are generally interconnected with third-party solutions to exchange data and automate tasks through APIs. Because SAP Process Integration/Orchestration (PI/PO) plays a key role in these integrations, compromising it could also give attackers access to credentials for other non-SAP systems and databases. SAP Enterprise Portal is a particularly attractive target because it is often exposed on the Internet as a self-service portal for employees or in B2B scenarios for suppliers and business partners, and it hosts a significant volume of business data, Onapsis CEO Mariano Nunez told our colleagues at CSO. SAP Solution Manager, which is based on NetWeaver Java, is also affected; as a central component of every SAP landscape it is an attractive target for attackers looking to move laterally into other applications.
Expect the patch to be reverse-engineered
Onapsis reported the vulnerability to SAP in May, which allowed the vendor to develop a patch, announced in its latest security bulletin and available to customers through its support portal. CISA (the US Cybersecurity and Infrastructure Security Agency) and CERT-Bund (the German federal computer emergency response team) were also notified and have issued alerts. According to Mariano Nunez, applying the patch as soon as possible is the best remedy. Detecting an attack with a web application firewall that lacks application context can produce false positives, because exploit attempts are hard to distinguish from legitimate traffic.
"CISA strongly recommends that organizations review SAP's July 2020 security bulletins for more information and apply critical patches as soon as possible, prioritizing patches beginning with mission-critical systems exposed to the Internet and network servers," the agency said. "Organizations should prioritize patching other IT/OT assets and pay particular attention to SAP security bulletin 2934135." According to Mariano Nunez, attackers will have little difficulty reverse-engineering the patch to determine where the vulnerability lies and how to exploit it. He does not expect that to take them long, so it is critical that organizations understand the widespread impact this vulnerability could have on their business if it is not fixed.