Critical SAP Bug Allows Full Enterprise System Takeover

A critical vulnerability, carrying a severity score of 10 out of 10 on the CvSS scale, has been disclosed for SAP customers.

SAP’s widely deployed collection of enterprise resource planning (ERP) software is used to manage their financials, logistics, customer-facing organizations, human resources and other business areas. As such, the systems contain plenty of sensitive information. According to an alert from the Department of Homeland Security, successful exploitation of the bug opens the door for attackers to read and modify financial records; change banking details; read personal identifiable information (PII); administer purchasing processes; sabotage or disrupt operations; achieve operating system command execution; and delete or modify traces, logs and other files.

The bug has been named RECON by the Onapsis Research Labs researchers that found it, and it affects more than 40,000 SAP customers, they noted. SAP delivered a patch for the issue on Tuesday.

“An attacker leveraging this vulnerability will have unrestricted access to critical business information and processes in a variety of different scenarios,” according to the firm.

NetWeaver Java Woes

The bug affects a default component present in every SAP application running the SAP NetWeaver Java technology stack, according to Onapsis. This technical component is used in many SAP business solutions, such as SAP S/4HANA, SAP SCM, SAP CRM, SAP CRM, SAP Enterprise Portal, SAP Solution Manager (SolMan) and many others, researchers said.

“With SAP NetWeaver Java being a fundamental base layer for several SAP products, the specific impact would vary depending on the affected system,” Onapsis researchers said in a technical analysis released on Tuesday. “In particular, there are different SAP solutions running on top of NetWeaver Java which share a common particularity: they are hyper-connected through APIs and interfaces. In other words, these applications are attached to other systems, both internal and external, usually leveraging high-privileged trust relationships.”

The bug would allow an unauthenticated attacker (no username or password required) to create a new SAP user with maximum privileges, bypassing all access and authorization controls (such as segregation of duties, identity management, and governance, risk and compliance solutions) and gaining full control of SAP systems.

And while this is bad enough, the RECON vulnerability’s risk increases when the affected solutions are exposed to the internet, to connect companies with business partners, employees and customers. These systems – Onapsis estimates there are at least 2,500 of them – have an increased likelihood of remote attacks, researchers said. Out of those vulnerable installations, 33 percent are in North America, 29 percent are in Europe and 27 percent are in Asia-Pacific.

“Because of the type of unrestricted access an attacker would obtain by exploiting unpatched systems, this vulnerability also may constitute a deficiency in an enterprise’s IT controls for regulatory mandates—potentially impacting financial (Sarbanes-Oxley) and privacy (GDPR) compliance,” according to the writeup.

SAP’s patch should be applied immediately, researchers recommended – though because of the complexity of mission-critical applications and limited maintenance windows, organizations are often challenged to rapidly apply SAP security notes, the Onapsis team acknowledged.

“For SAP customers, critical vulnerabilities such as RECON highlight the need to protect mission-critical applications, by extending existing cybersecurity and compliance programs to ensure these applications are no longer in a blind spot,” Mariano Nunez, CEO of Onapsis, said in a statement. “These systems are the lifeblood of the business and under the scope of strict compliance requirements, so there is simply nothing more important to secure.”

BEC and enterprise email fraud is surging, but DMARC can help – if it’s done right. On July 15 at 2 p.m. ET, join Valimail Global Technical Director Steve Whittle and Threatpost for a FREE webinar, “DMARC: 7 Common Business Email Mistakes.” This technical “best practices” session will cover constructing, configuring, and managing email authentication protocols to ensure your organization is protected. Click here to register for this Threatpost webinar, sponsored by Valimail.