Onapsis Research Labs, an application security firm, discovered a critical SAP bug, CVE-2020-6287, codenamed RECON (Remotely Exploitable Code On NetWeaver). The vulnerability allows a remote, unauthenticated attacker to gain unrestricted access to SAP systems without a username or password. The attacker could therefore steal personally identifiable information (PII), modify financial details such as bank account numbers, create a new SAP user with the highest privileges, or shut down the entire system.
The bug, which carries the maximum CVSS score of 10.0, exists in SAP NetWeaver Application Server (AS) Java versions 7.30 through 7.50 and in the SAP applications built on top of it. It affects over 40,000 SAP customers, and over 2,500 of those customers have affected systems directly exposed to the Internet.
The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert urging affected organizations to apply the patches immediately.
The nature of the RECON SAP bug
The bug is a missing-authentication flaw in the LM Configuration Wizard, a component of SAP NetWeaver AS Java. Any SAP application running on the NetWeaver Java technology stack is exposed to it, and because most SAP products include this component by default, the bug is present in most SAP applications built on that stack.
Jayant Shukla, CTO and Co-Founder of K2 Cyber Security, highlighted the risk associated with Java applications.
“Java-based web applications are among the most common on the internet today, and remain the most vulnerable to high-risk vulnerabilities like remote code execution, SQL injection, cross-site scripting and other vulnerabilities in the OWASP Top 10.”
He said the recently disclosed vulnerability was particularly concerning because of the widespread use of Java frameworks in business applications.
“This vulnerability points to the need already pointed out by NIST (National Institute of Standards and Technology), for Runtime Application Self-Protection (RASP) – also known as runtime application security, to help protect web applications because Web Application Firewalls and other perimeter defenses have been failing to defend against exploitation of such zero-day vulnerabilities in production.”
The RECON bug is reachable over the HTTP(S) interface that the Java stack exposes, the same channel most software products use to communicate with the Internet. The most critical aspect of the bug is that an attacker can create user accounts with maximum privileges without authenticating first. Consequently, anyone able to reach that interface could compromise an SAP application without technical knowledge or an existing user account.
Such an account lets the intruder bypass all of the system's authorization controls and take full control of the SAP business applications. With it, the attacker can reach the transaction modules and the data they hold, corrupt that data, change transaction details such as banking details, or drive purchasing processes.
Chris Clements, VP of Solutions Architecture at Cerberus Sentinel, says such privileges pose extreme risks to the integrity of business processes.
“ERP systems are the ‘keys to the kingdom’ for organizations. They can control orders, billing, inventory, and many other core business processes. Critical security issues in these systems expose organizations to devastating consequences should they be exploited by cybercriminals. Attackers could leverage this SAP vulnerability to bypass security controls to create themselves an SAP user account with the highest privileges in the system. Such a malicious user could disable checks and balances to place fraudulent orders or bills that could significantly disrupt business operations.”
The attacker could also shut the system down completely, perform unrestricted actions through operating system command execution, or delete or modify traces, logs, and other files to cover their tracks. These operating-system-level capabilities stem from the privileges of the SAP service user account, which is entitled to perform application maintenance tasks, according to CISA.
The researchers said they had not seen the bug exploited in the wild. The risk is nevertheless severe because exploitation requires neither technical knowledge nor an SAP account, only network access to the vulnerable interface, which makes it extremely easy for anyone to exploit.
Mitigating the RECON threat
SAP released a patch for the bug and documented it, along with further guidance, in security note 2934135; applying that patch is the primary mitigation. Because Internet-facing systems are at the highest risk, removing Internet access to the vulnerable Java stack is the most effective immediate step where the patch cannot be applied at once. That does not eliminate the risk: on systems reachable only from the internal network, a malicious insider, or an attacker who has already gained a foothold there, could still exploit the vulnerability to defeat checks and balances and complete fraudulent transactions. Since exploitation leaves behind a newly created privileged user and may come with tampered logs, organizations should also review their SAP user lists for unexpected administrator accounts created before the patch was applied.