Onapsis today announced that the Onapsis Research Labs and the SAP Security Response Team worked together to mitigate a serious vulnerability, named RECON (Remotely Exploitable Code On NetWeaver), which affects more than 40,000 SAP customers, with increased exposure for internet-facing systems. As a result, the U.S. Department of Homeland Security (DHS) has issued US-CERT Alert, AA20-195A, in coordination with BSI CERT-Bund, followed by other global organizations providing warnings about potential threats associated with this vulnerability.
“For years, Onapsis has responsibly disclosed its advanced vulnerability research and findings to SAP which has allowed us to deliver more secure products to our customers. Thanks to Onapsis, we are fixing a highly critical vulnerability in today’s SAP Security Notes release, which we did in record time,” said Tim McKnight, Executive Vice President and Chief Security Officer at SAP. “This collaborative effort demonstrates the combined mission of both companies to keep our customers secure and protected from vulnerabilities and emerging threats.”
Identified as HotNews #2934135 in today’s SAP Security Notes release, the RECON vulnerability has a CVSS score of 10 out of 10 (most severe) and can potentially be exploited impacting the confidentiality, integrity and availability of mission-critical SAP applications.
“Protecting cloud and on-premises mission-critical applications such as SAP, Oracle, Salesforce and Workday is a top priority for both private and public organizations. Given the increased threats against these intelligent platforms, it is great to see trusted cybersecurity companies like Onapsis working in tight collaboration with solution providers to ensure cyber defenses are increased, minimizing the risk of large-scale data breaches and business disruption,” commented Gerhard Eschelbeck, former CISO at Google and Board Director at Onapsis.
What is the RECON Vulnerability?
The Onapsis Research Labs identified a serious zero-day vulnerability affecting a default component present in every SAP application running the SAP NetWeaver Java technology stack. This technical component is used in many SAP business solutions, such as SAP SCM, SAP CRM, SAP Enterprise Portal, SAP Process Integration, SAP Solution Manager (SolMan) and many others, effectively rendering them susceptible to this risk.
If exploited, an unauthenticated attacker (no username or password required) can create a new SAP user with maximum privileges, bypassing all access and authorization controls (such as segregation of duties, identity management and GRC solutions) and gaining full control of SAP systems. The RECON vulnerability is particularly dangerous because many of the affected solutions are often exposed to the internet to connect companies with business partners, employees and customers, which drastically increases the likelihood of remote attacks. Onapsis estimates there are at least 2,500 vulnerable SAP systems directly exposed to the internet, with 33% in North America, 29% in Europe and 27% in Asia-Pacific.
Exploitation of the vulnerability allows internal and external attackers to perform several malicious activities, such as:
- Steal personally identifiable information (PII) from employees, customers and suppliers
- Read/modify financial records
- Change banking details (account number, IBAN number, etc.)
- Administer purchasing processes
- Disrupt the operation of the system by corrupting data or shutting it down completely
- Perform unrestricted actions through operating system command execution
- Delete or modify traces, logs and other files
Because of the type of unrestricted access an attacker would obtain by exploiting unpatched systems, this vulnerability also may constitute a deficiency in an enterprise’s IT controls for regulatory mandates—potentially impacting financial (Sarbanes-Oxley) and privacy (GDPR) compliance.
For more information about the RECON vulnerability, read the Onapsis Threat Report here https://www.onapsis.com/recon-sap-cyber-security-vulnerability
“It is great to see the speed at which SAP was able to develop and release an official patch after the Onapsis Research Labs discovered and reported this zero-day vulnerability. Having partnered with SAP for many years, it is clear that there is a renewed sense of urgency and commitment to ensure customers are protected as quickly as possible when new security gaps are identified,” said Mariano Nunez, CEO of Onapsis. “For SAP customers, critical vulnerabilities such as RECON highlight the need to protect mission-critical applications, by extending existing cybersecurity and compliance programs to ensure these applications are no longer in a blind spot. These systems are the lifeblood of the business, under the scope of strict compliance requirements and seeing significant pressure from Cloud, DevOps and Digital Transformation initiatives that are creating a perfect storm in terms of cyber risk. There is simply nothing more important to secure.”
Recommendations to Keep SAP Systems Protected
Both Onapsis and SAP recommend applying the HotNews #2934135 patch as soon as possible. Because of the complexity of mission-critical applications and limited maintenance windows, organizations are often challenged to rapidly apply SAP security notes and need a way to stay protected during this process.
The Onapsis Platform includes automated assessment, detection rules and alarms to continuously monitor malicious activity targeting this specific vulnerability and many others. For SAP customers still not using The Onapsis Platform, Onapsis offers a complimentary Cyber Risk Assessment to help identify if this vulnerability (and others) is present in their SAP systems. Request a Cyber Risk Assessment at www.onapsis.com/request-an-assessment/cyber-risk