Critical flaw allows hackers to breach SAP systems with ease

SAP users should immediately deploy a newly released patch for a critical vulnerability that could allow hackers to compromise their systems and the data they contain.

The flaw is in a core component that exists by default in most SAP deployments and can be exploited remotely without the need of a username and password.

Researchers from security firm Onapsis who found and reported the vulnerability estimate that 40,000 SAP customers worldwide might be affected. Over 2,500 vulnerable SAP systems are directly exposed to the internet and are at higher risk of being hacked, but attackers who gain access to local networks can compromise other deployments.

What is the impact of the SAP vulnerability?

The vulnerability is tracked as CVE-2020-6287 and is in the SAP NetWeaver Application Server Java, which is the software stack underlying most SAP enterprise applications. Versions 7.30 to 7.50 of NetWeaver Java are affected -- including the latest one -- and all the Support Packages (SPs) released by SAP.

The vulnerability, which has also been dubbed RECON (Remotely Exploitable Code on NetWeaver), has the highest possible severity rating (10) in the Common Vulnerability Scoring System (CVSS) because it can be exploited over HTTP without authentication and can lead to a full compromise of the system.

The flaw allows attackers to create a new user with administrative role, bypassing existing access controls and segregation of duties.

"Having administrative access to the system will allow the attacker to manage (read/modify/delete) every database record or file in the system," Onapsis warned in an advisory.

"Because of the type of unrestricted access an attacker would obtain by exploiting unpatched systems, this vulnerability also may constitute a deficiency in an enterprise’s IT controls for regulatory mandates—potentially impacting financial (Sarbanes-Oxley) and privacy (GDPR) compliance."

The vulnerability opens organisations to various types of attacks. Hackers could use it to steal personally identifiable information (PII) belonging to employees, customers and suppliers; read, modify or delete financial records; change banking details to divert payments and modify purchasing processes; corrupt data; or disrupt the operation of the systems financial losses due to business downtime.

The flaw also allows attackers to hide their tracks by deleting logs and execute commands on the operating system with the SAP application's privileges.

The affected SAP applications include SAP S/4HANA Java; SAP Enterprise Resource Planning (ERP); SAP Supply Chain Management (SCM) and SAP CRM (Java Stack), in addition to SAP Enterprise Portal; SAP HR Portal; SAP Solution Manager (SolMan) 7.2 and SAP Landscape Management (SAP LaMa).

Also impacted is SAP Process Integration/Orchestration (SAP PI/PO); SAP Supplier Relationship Management (SRM) and SAP NetWeaver Mobile Infrastructure (MI), alongside SAP NetWeaver Development Infrastructure (NWDI) and SAP NetWeaver Composition Environment (CE).

However, SAP systems are generally interconnected with other third-party systems to exchange data and automate tasks using APIs. The SAP Process Integration/Orchestration (SAP PI/PO) plays a central role in such integrations and its compromise could give attackers access to credentials for other non-SAP systems and databases as well.

The SAP Enterprise Portal is also an interesting target because it's often exposed to the internet in the form of self-service portals for employees or in B2B scenarios for suppliers and business partners, so it hosts a significant amount of business data, Onapsis' CEO Mariano Nunez tells CSO.

SAP Solution Manager, which relies on NetWeaver Java and is affected, is also a mandatory component for all SAP deployments and can be an interesting target for attackers from where they can move laterally to other applications.

RECON Mitigations

Onapsis notified SAP of the vulnerability in May and the company was quick to develop a patch because of the seriousness of the issue and the ease of exploitation. The US Cybersecurity and Infrastructure Security Agency (CISA) and the German government's Computer Emergency Response Team (CERT-Bund) have also been notified and have prepared advisories.

According to Nunez, applying the patch as soon as possible is the best solution. Detecting a potential attack with web application firewalls without having application context might result in many false positives, because it's hard to differentiate between exploitation attempts and legitimate traffic.

"CISA strongly recommends organisations to read the SAP July 2020 Security Notes release for more information and apply critical patches as soon as possible—prioritise patching by starting with mission critical systems, internet-facing systems, and networked servers," CISA said in its advisory. "Organisations should then prioritise patching other affected IT/OT assets. Special attention should be paid to the SAP Security Note 2934135."

Nunez tells CSO that it won't be difficult for attackers to reverse-engineer the patch and figure out where the vulnerability exists and how to exploit it. He doesn't expect that it will take long until the flaw will be weaponised, so it's critical that organisations understand the widespread impact this vulnerability could have on their business if left unpatched.