
Critical SAP Bug Allows Full Enterprise System Takeover

Exploitation of the bug can allow an attacker to lift sensitive information, delete files, execute code, carry out sabotage and more.

A critical vulnerability, carrying a severity score of 10 out of 10 on the CVSS bug-severity scale, has been disclosed for SAP customers.

SAP’s widely deployed collection of enterprise resource planning (ERP) software is used by organizations to manage their financials, logistics, customer-facing organizations, human resources and other business areas. As such, the systems contain plenty of sensitive information.

According to an alert from the Department of Homeland Security, successful exploitation of the bug opens the door for attackers to read and modify financial records; change banking details; read personally identifiable information (PII); administer purchasing processes; sabotage or disrupt operations; achieve operating system command execution; and delete or modify traces, logs and other files.

The bug (CVE-2020-6287) has been named RECON by the Onapsis Research Labs researchers that found it, and it affects more than 40,000 SAP customers, they noted. SAP delivered a patch for the issue on Tuesday as part of its July 2020 Security Note.

“It stands for Remotely Exploitable Code On NetWeaver,” Mariano Nunez, CEO of Onapsis, told Threatpost. “This vulnerability resides inside SAP NetWeaver Java versions 7.30 to 7.50 (the latest version as of [our analysis publication]). All Support Packages tested to date were vulnerable. SAP NetWeaver is the base layer for several SAP products and solutions.”

An attacker leveraging this vulnerability will have unrestricted access to critical business information and processes in a variety of different scenarios, according to the firm.

NetWeaver Java Woes

The bug affects a default component present in every SAP application running the SAP NetWeaver Java technology stack, according to Onapsis. This technical component is used in many SAP business solutions, such as SAP S/4HANA, SAP SCM, SAP CRM, SAP Enterprise Portal, SAP Solution Manager (SolMan) and many others, the researchers said.

According to DHS, the vulnerability is introduced due to the lack of authentication in a web component of the SAP NetWeaver AS for Java, allowing for several high-privileged activities on the SAP system. A remote, unauthenticated attacker can exploit this vulnerability through an HTTP interface, which is typically exposed to end users and, in many cases, exposed to the internet.

“If successfully exploited, a remote, unauthenticated attacker can obtain unrestricted access to SAP systems through the creation of high-privileged users and the execution of arbitrary operating system commands with the privileges of the SAP service user account (<sid>adm), which has unrestricted access to the SAP database and is able to perform application maintenance activities, such as shutting down federated SAP applications,” according to the alert.


Put another way, an unauthenticated attacker could create a new SAP user with maximum privileges, bypassing all access and authorization controls (such as segregation of duties, identity management, and governance, risk and compliance solutions) and gaining full control of SAP systems, Nunez said.
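A defender-side illustration of the chain described above (unauthenticated HTTP access followed by creation of a high-privileged user), added here and not taken from Onapsis, SAP or DHS: it flags privileged account creations that did not come from an approved provisioning account and attaches any unauthenticated HTTP sources seen on the same host shortly before. The event fields, role name, account names and 60-second window are assumptions, and the events are constructed, pre-normalised records, not SAP's native log format.

```python
import json
from datetime import datetime, timedelta

# Constructed sample events (hypothetical field names, not SAP's native log format).
SAMPLE_EVENTS = """\
{"ts":"2020-07-14T10:00:01","type":"http","host":"sapj01","src":"203.0.113.7","auth_user":null}
{"ts":"2020-07-14T10:00:04","type":"user_created","host":"sapj01","new_user":"svc_tmp","roles":["Administrator"],"actor":null}
{"ts":"2020-07-14T11:30:00","type":"http","host":"sapj02","src":"10.0.0.5","auth_user":"jdoe"}
{"ts":"2020-07-14T11:30:02","type":"user_created","host":"sapj02","new_user":"newhire","roles":["Employee"],"actor":"jdoe"}
{"ts":"2020-07-14T11:31:00","type":"user_created","host":"sapj02","new_user":"jd_admin","roles":["Administrator"],"actor":"jdoe"}
{"ts":"2020-07-14T12:00:00","type":"user_created","host":"sapj02","new_user":"ops2","roles":["Administrator"],"actor":"idm_admin"}
"""

HIGH_PRIV_ROLES = {"Administrator"}     # assumption: adapt to your role model
APPROVED_PROVISIONERS = {"idm_admin"}   # assumption: accounts allowed to grant such roles
WINDOW = timedelta(seconds=60)          # assumption: correlation window

def parse(text):
    """Parse JSON-lines events and return them in time order."""
    events = []
    for line in text.splitlines():
        if line.strip():
            event = json.loads(line)
            event["ts"] = datetime.fromisoformat(event["ts"])
            events.append(event)
    return sorted(events, key=lambda e: e["ts"])

def suspicious_user_creations(events):
    """Flag high-privilege accounts created outside the approved provisioning path."""
    findings = []
    for e in events:
        if e["type"] != "user_created" or not HIGH_PRIV_ROLES & set(e["roles"]):
            continue
        if e.get("actor") in APPROVED_PROVISIONERS:
            continue  # created through identity management, as expected
        # Unauthenticated HTTP requests to the same host just before the creation.
        sources = sorted({h["src"] for h in events
                          if h["type"] == "http" and h["host"] == e["host"]
                          and h.get("auth_user") is None
                          and timedelta(0) <= e["ts"] - h["ts"] <= WINDOW})
        findings.append({"host": e["host"], "new_user": e["new_user"],
                         "actor": e.get("actor"), "unauth_sources": sources,
                         "severity": "high" if sources else "medium"})
    return findings

if __name__ == "__main__":
    for finding in suspicious_user_creations(parse(SAMPLE_EVENTS)):
        print(finding)
```
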

“With SAP NetWeaver Java being a fundamental base layer for several SAP products, the specific impact would vary depending on the affected system,” according to Onapsis, in a technical analysis released on Tuesday. “In particular, there are different SAP solutions running on top of NetWeaver Java which share a common particularity: they are hyper-connected through APIs and interfaces. In other words, these applications are attached to other systems, both internal and external, usually leveraging high-privileged trust relationships.”

And while this is bad enough, the RECON vulnerability’s risk increases when the affected solutions are exposed to the internet, to connect companies with business partners, employees and customers. These systems – Onapsis estimates there are at least 2,500 of them – have an increased likelihood of remote attacks, researchers said. Out of those vulnerable installations, 33 percent are in North America, 29 percent are in Europe and 27 percent are in Asia-Pacific.

“Because of the type of unrestricted access an attacker would obtain by exploiting unpatched systems, this vulnerability also may constitute a deficiency in an enterprise’s IT controls for regulatory mandates—potentially impacting financial (Sarbanes-Oxley) and privacy (GDPR) compliance,” according to the writeup.

Patch Available

SAP’s patch should be applied immediately, researchers recommended. While there is no indication so far that the bug has been exploited, Nunez told Threatpost that SAP customers should be on high alert now that the vulnerability has been announced and the DHS has sent out its US-CERT alert.

“Now that the vulnerability and patch have been released, skilled hackers can quickly develop exploit code,” he said. “Because there are many vulnerable Internet exposed SAP systems, the complexity of the attack is significantly less.”

That said, because of the complexity of mission-critical applications and limited maintenance windows, organizations are often challenged to rapidly apply SAP security notes, the Onapsis team acknowledged.

“It’s difficult to patch mission-critical applications such as those from SAP because they need to be constantly available,” Nunez told Threatpost. “Testing can take a long time depending upon complexity and customization of the apps. Also, there are limited maintenance windows available to apply the patches.”

He added, “For SAP customers, critical vulnerabilities such as RECON highlight the need to protect mission-critical applications, by extending existing cybersecurity and compliance programs to ensure these applications are no longer in a blind spot. These systems are the lifeblood of the business and under the scope of strict compliance requirements, so there is simply nothing more important to secure.”