RECON SAP VULNERABILITY
THREAT REPORT
MITIGATE A VULNERABILITY EXPOSING MISSION-CRITICAL BUSINESS DATA
THREAT REPORT | RECON SAP Vulnerability
TABLE OF CONTENTS
Executive Summary ........................ 3
Affected Systems ......................... 4
Business Impact of RECON ................. 5
    SAP Enterprise Portal ................ 6
    SAP Process Integration .............. 7
    SAP Solution Manager ................. 8
How To Protect Your Company .............. 9
    Implementing the SAP Security Note ... 9
The Onapsis Platform Coverage ............ 9
    Assess Capabilities .................. 10
    Defend Detection Rule ................ 10
    Cyber Risk Assessment ................ 10
Reporting Timeline ....................... 11
Conclusion ............................... 11
EXECUTIVE SUMMARY
In May 2020, the Onapsis Research Labs identified a serious vulnerability affecting a component included in many SAP applications. Tagged with a CVSS score of 10 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) and identified by CVE-2020-6287, the RECON (Remotely Exploitable Code On NetWeaver) vulnerability resides in a default core application.
Since this vulnerability can be exploited by remote unauthenticated attackers, systems exposed to untrusted networks such as the internet could be opportunistically targeted. The SAP Enterprise Portal stands out as an example of a critical, typically internet-connected system that is exposed to this vulnerability, but other business solutions such as SAP PI/XI, SAP CRM, SAP SCM and SAP S/4HANA Java are also affected.
Based on the affected versions (see further details below), over 40,000 SAP customers may be affected by this vulnerability. Onapsis estimates there are at least 2,500 vulnerable SAP systems directly exposed to the internet, with 33% in North America, 29% in Europe and 27% in Asia-Pacific.
Following the Onapsis coordinated disclosure policy, Onapsis reported this vulnerability to SAP and worked closely with its Security Response Team to address it. SAP has released SAP HotNews Security Note #2934135 addressing this issue, which prompted a U.S. Department of Homeland Security US-CERT Alert. Onapsis strongly recommends that all SAP customers apply the patch immediately.
As a result of the potential threats associated with the RECON vulnerability, global organizations have issued these alerts:
AFFECTED SYSTEMS
This vulnerability resides inside SAP NetWeaver Java versions 7.30 to 7.50 (the latest version as of the creation of this document). All Support Packages tested to date were vulnerable. SAP NetWeaver is the base layer for several SAP products and solutions. This means that a broad range of products could be impacted. These include, but are not limited to:
• SAP Enterprise Resource Planning (ERP)
• SAP Supply Chain Management (SCM)
• SAP CRM (Java Stack)
• SAP Enterprise Portal
• SAP HR Portal
• SAP Solution Manager (SolMan) 7.2
• SAP Landscape Management (SAP LaMa)
• SAP Process Integration/Orchestration (SAP PI/PO)
• SAP Supplier Relationship Management (SRM)
• SAP NetWeaver Mobile Infrastructure (MI)
• SAP NetWeaver Development Infrastructure (NWDI)
• SAP NetWeaver Composition Environment (CE)
Since SAP Solution Manager (SolMan) is affected and deployed in almost every SAP environment, it is a safe assumption that almost
every SAP customer running the Business Suite and S/4HANA has at least one system affected by this vulnerability.
BUSINESS IMPACT OF RECON
If an unauthenticated attacker is able to connect to the HTTP(S) service and successfully exploit the RECON vulnerability, the impact could be critical in some situations. Technically speaking, the attacker would be able to create a new user in the vulnerable SAP system with maximum privileges (Administrator role), bypassing all access and authorization controls (such as segregation of duties, identity management and GRC solutions). This means that the attacker could gain full control of the affected SAP system, its underlying business data and processes.
Having administrative access to the system allows the attacker to manage (read/modify/delete) every database record or file in the system. Because of the unrestricted access an attacker would obtain by exploiting unpatched systems, this vulnerability may also constitute a deficiency in an enterprise's IT controls for regulatory mandates, potentially impacting financial (Sarbanes-Oxley) and privacy (GDPR) compliance.
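The impact described above (a new user created directly with the Administrator role, outside the identity-management path) is also something a defender can watch for in user-management audit events. The following is an added example, not Onapsis or SAP code: it assumes a simplified, constructed audit-event line format and a hypothetical trusted provisioning account (IDM_SERVICE), and raises a high-severity alert when a newly created user receives the Administrator role from an actor outside the identity-management path, plus a medium-severity review alert even when the trusted path grants it.

```python
"""Detect new users that are granted the Administrator role shortly after creation.

Added example (not Onapsis or SAP code). The log format below is constructed
for illustration; real SAP user-management audit records differ.
"""
import re
from datetime import datetime, timedelta

# Assumption: the only legitimate creator of privileged users is the
# identity-management integration account.
TRUSTED_PROVISIONING_ACTORS = {"IDM_SERVICE"}
ADMIN_ROLE = "Administrator"
WINDOW = timedelta(minutes=5)   # creation -> admin grant within this window is suspicious

# Constructed sample events: timestamp, event type, then key=value pairs.
SAMPLE_AUDIT_LINES = [
    "2020-07-15T02:13:07Z USER_CREATE actor=- user=svc_backup01 src=203.0.113.45",
    "2020-07-15T02:13:08Z ROLE_ASSIGN actor=- user=svc_backup01 role=Administrator src=203.0.113.45",
    "2020-07-15T09:00:01Z USER_CREATE actor=IDM_SERVICE user=jdoe src=10.0.0.5",
    "2020-07-15T09:00:02Z ROLE_ASSIGN actor=IDM_SERVICE user=jdoe role=Employee src=10.0.0.5",
    "2020-07-15T10:30:00Z USER_CREATE actor=IDM_SERVICE user=admin2 src=10.0.0.5",
    "2020-07-15T10:30:01Z ROLE_ASSIGN actor=IDM_SERVICE user=admin2 role=Administrator src=10.0.0.5",
]

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>USER_CREATE|ROLE_ASSIGN) (?P<kv>.*)$")


def parse_line(line):
    """Parse one constructed audit line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split())
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return {"ts": ts, "event": m.group("event"), **fields}


def detect(lines):
    """Return alerts for users granted Administrator within WINDOW of being created."""
    created = {}   # user -> USER_CREATE event
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["event"] == "USER_CREATE":
            created[ev["user"]] = ev
        elif ev["event"] == "ROLE_ASSIGN" and ev.get("role") == ADMIN_ROLE:
            creation = created.get(ev["user"])
            if creation is None or ev["ts"] - creation["ts"] > WINDOW:
                continue
            # Both the creation and the grant must come from the trusted path.
            trusted = (creation.get("actor") in TRUSTED_PROVISIONING_ACTORS
                       and ev.get("actor") in TRUSTED_PROVISIONING_ACTORS)
            alerts.append({
                "severity": "medium" if trusted else "high",
                "user": ev["user"],
                "actor": ev.get("actor"),
                "src": ev.get("src"),
                "reason": ("new user granted Administrator via trusted provisioning; review"
                           if trusted else
                           "new user granted Administrator by an actor outside the identity-management path"),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_AUDIT_LINES):
        print(f"[{alert['severity'].upper()}] user={alert['user']} actor={alert['actor']} "
              f"src={alert['src']}: {alert['reason']}")
```

The rule deliberately still emits a medium-severity alert for the trusted path: the report's point is that a successful exploit bypasses segregation of duties and identity management entirely, so every fast creation-to-Administrator sequence deserves a look, with the ones that skip the provisioning account at the top of the queue.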
Exploitation of the vulnerability allows an attacker to perform several malicious activities, including:
• Steal personally identifiable information (PII) from employees, customers and suppliers
• Read, modify or delete financial records
• Change banking details (account number, IBAN number, etc.)
• Administer purchasing processes
• Disrupt the operation of the system by corrupting data or shutting it down completely
• Perform unrestricted actions through operating system command execution
• Delete or modify traces, logs and other files.
With SAP NetWeaver Java being a fundamental base layer for several SAP products, the specific impact varies depending on the affected system. In particular, the different SAP solutions running on top of NetWeaver Java share a common trait: they are hyperconnected through APIs and interfaces. In other words, these applications are attached to other systems, both internal and external, usually leveraging highly privileged trust relationships.
The way SAP applications are opened to the internet in the form of SAP Enterprise Portals, combined with integration technologies such as SAP SolMan or SAP Process Integration, creates an environment in which the exploitation of a CVSS 10 vulnerability can ultimately lead to business data and PII being compromised.
The following sections discuss in more detail some examples of widely-used SAP applications which share this pattern of API-based hyperconnectivity and are affected by this vulnerability.
Illustration 1: The Hyperconnection Concept (diagram of SAP Solution Manager, S/4HANA Java, Enterprise Portal, NetWeaver Mobile Infrastructure, Landscape Management and Enterprise Resource Planning as interconnected systems)
SAP ENTERPRISE PORTAL
According to SAP, the SAP Enterprise Portal is “the comprehensive integration and application platform that facilitates the alignment of people, information, and business processes across organizational and technical boundaries.”1 From a business point of view, the SAP Enterprise Portal can be seen as a hub where information from the SAP ecosystem and from third-party applications converges. From a technical point of view, it is a system that is very often deployed facing untrusted networks, such as the internet. These two key points make the SAP Enterprise Portal an attractive and relatively easy target for attackers, as it is highly interconnected and reachable from the internet.
SAP Enterprise Portals provide an integrated entry point to HR processes, financial information and supply chain management processes. Attackers who are able to compromise these systems can ultimately cause a significant impact to organizations, not only from a pure data breach and risk perspective: because business processes are involved, these systems are also subject to compliance and regulatory requirements, as discussed below.
• Thousands of employee self-service portals serve organizations, many of them directly connected to the internet, where attackers can leverage RECON to exfiltrate employee records such as:
    • Employee name and address
    • Employee personal information
    • Employee payroll and benefits information
  This type of data breach has to be reported under GDPR, CCPA or other related data privacy regulations. Furthermore, this type of application can be targeted by threat actors looking to modify payroll bank accounts for employees, leading to the diversion of funds through fake payroll payments.
• Organizations depend on SAP financial applications for corporate accounting. This is especially important for publicly-traded organizations, where a significant deficiency or a material weakness can create a serious problem. Attackers can leverage RECON to compromise SAP financial applications and ultimately modify records in the financial systems. Any modification of vendor, bank account or supplier data could lead to different types of fraud schemes involving the diversion of funds, as well as the related implications for Sarbanes-Oxley reporting.
• Uptime of operations is king for the large enterprise sector, where SAP applications support the most critical business processes such as manufacturing, supply chain, transportation management, logistics and operations. The RECON vulnerability could be used by attackers to stop operations and bring organizations to a halt, with significant financial, compliance and reputational consequences.
1 https://help.sap.com/doc/saphelp_nw75/7.5.5/en-US/8c/fccbc11ae344b0a64238d49c87597f/content.htm
SAP PROCESS INTEGRATION
The SAP Process Integration (PI) module is part of the SAP NetWeaver platform and facilitates the communication and integration of business processes with both SAP and non-SAP systems. It provides a single point of interaction to exchange information between different components such as Sales & Distribution (SD), Finance & Cost Controlling (FICO), Extended Warehouse Management (EWM) and Customer Relationship Management (CRM), among others.
Even if the SAP PI module has been securely configured, an attacker could use the high privileges obtained by exploiting the RECON vulnerability to display, change or delete sensitive data from any of the modules connected to SAP PI, disrupting critical integrations with strategic business partners and essential processes. Given that the attacker could obtain administrator privileges in the SAP PI module, it could be used strategically as a pivot to obtain sensitive information from several modules such as the ones mentioned above.
Illustration 2: The SAP Process Integration Module (diagram of SAP PI middleware connected to SAP SD, SAP FICO, SAP CRM and SAP EWM)
SAP SOLUTION MANAGER
SAP SolMan aims to centralize the management of all SAP and non-SAP systems within an organization’s landscape. As an administration solution, it performs actions such as implementation, support, monitoring and maintenance of the SAP enterprise applications and systems.
Being a technical system, SolMan does not hold business data. However, it could act as the main door for a more in-depth attack that could potentially involve the compromise of business information. Because it centralizes management, SolMan is connected to every SAP system inside the landscape. These systems are also known as satellite systems.
If an attacker is able to compromise SolMan, they will be able to abuse established trust relationships and pivot to any satellite system. Trust relationships between SolMan and its connected systems are commonly configured with high privileges, making them an attractive vector from the attacker’s point of view to gain further access to business data stored in satellite systems.
Illustration 3: SAP Solution Manager Centralizes Management to All SAP Systems (diagram of SAP SolMan connected to SAP HR, SAP BO, SAP SRM, SAP BW, SAP S/4HANA, SAP CRM, SAP ERP and SAP PI/PO)
HOW TO PROTECT YOUR COMPANY
Implementing the SAP Security Note
SAP released Security Note #2934135 on July 14th, 2020 addressing this issue. SAP customers should implement it immediately.
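Deciding which systems to patch first follows directly from the Affected Systems section (NetWeaver Java 7.30 to 7.50, with the Java stack of many products in scope) and from the security note above. The following is an added example, not Onapsis or SAP code, and it assumes a constructed CSV landscape inventory (one row per system, with the stack, NetWeaver version, internet exposure and the list of applied notes) rather than any real SAP inventory export; it flags every unpatched system in the affected version range and puts internet-facing ones at the top of the remediation list.

```python
"""Triage an SAP landscape inventory for RECON (CVE-2020-6287) remediation.

Added example (not Onapsis or SAP code). The inventory format is constructed
for illustration; adapt the column mapping to your own landscape data.
"""
import csv
import io

# Facts from the report: NetWeaver Java 7.30 to 7.50 is affected, fixed by note 2934135.
SECURITY_NOTE = "2934135"
MIN_AFFECTED = (7, 30)
MAX_AFFECTED = (7, 50)

# Constructed sample inventory. The ABAP-stack ERP row is included to show that
# only the Java stack is in scope; the 7.20 row is outside the stated range.
INVENTORY_CSV = """sid,product,stack,nw_version,internet_facing,notes_applied
EPP,SAP Enterprise Portal,java,7.50,yes,
PIP,SAP Process Integration,java,7.40,no,2934135
SMP,SAP Solution Manager 7.2,java,7.40,no,
ERP,SAP ERP,abap,7.50,no,
CEP,SAP NetWeaver Composition Environment,java,7.20,no,
"""

# Sort order for the remediation list: exposed and unpatched first.
STATUS_ORDER = {
    "VULNERABLE P1-internet-facing": 0,
    "VULNERABLE P2-internal": 1,
    "patched": 2,
    "not affected": 3,
}


def parse_version(text):
    """Turn '7.40' into a comparable (7, 40) tuple."""
    major, minor = text.strip().split(".")
    return int(major), int(minor)


def is_affected(row):
    """Affected only for Java-stack systems in the 7.30..7.50 range."""
    if row["stack"].strip().lower() != "java":
        return False
    return MIN_AFFECTED <= parse_version(row["nw_version"]) <= MAX_AFFECTED


def is_patched(row):
    """True if note 2934135 is among the applied notes (semicolon-separated)."""
    applied = {n.strip() for n in row["notes_applied"].split(";") if n.strip()}
    return SECURITY_NOTE in applied


def status_for(row):
    if not is_affected(row):
        return "not affected"
    if is_patched(row):
        return "patched"
    exposed = row["internet_facing"].strip().lower() == "yes"
    return "VULNERABLE P1-internet-facing" if exposed else "VULNERABLE P2-internal"


def triage(csv_text):
    """Return [(sid, status), ...] ordered from most to least urgent."""
    results = [(row["sid"], status_for(row)) for row in csv.DictReader(io.StringIO(csv_text))]
    results.sort(key=lambda r: STATUS_ORDER[r[1]])
    return results


if __name__ == "__main__":
    for sid, status in triage(INVENTORY_CSV):
        print(f"{sid:5} {status}")
```

The version check uses only the range the report states; if your inventory records Support Package levels, treat every level in that range as affected, since the report notes that all Support Packages tested to date were vulnerable.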
THE ONAPSIS PLATFORM COVERAGE
The Onapsis Platform is SAP-certified and is the only solution in the market to combine a preventative, behavioral-based and context-aware approach for detecting, identifying and mitigating security risks, compliance gaps and cyberattacks on mission-critical applications. The Onapsis Platform automates testing, change, audit and security processes so cross-functional teams can focus on improving SAP availability and performance, accelerating cloud migrations and S/4HANA implementations, streamlining audit processes and hardening security on-premises and in the cloud.
To help protect SAP customers from threats on the RECON vulnerability, The Onapsis Platform includes automated assessment, detection rules and alarms to continuously monitor malicious activity targeting this specific vulnerability and many others.
ASSESS CAPABILITIES
Using the Assess module of The Onapsis Platform, Onapsis customers can automatically run a full assessment of their SAP landscape and analyze whether RECON is present in their SAP systems to streamline remediation and mitigate the risk.
DEFEND DETECTION CAPABILITIES
Onapsis customers using the Defend module of The Onapsis Platform have a detection capability in place to continuously monitor for malicious activity and receive alarms to prevent attacks abusing the RECON vulnerability.
PERFORM AN SAP CYBER RISK ASSESSMENT TODAY
For SAP customers not using The Onapsis Platform, Onapsis offers a complimentary Cyber Risk
Assessment to help identify if this vulnerability (and others) is present in their SAP systems.
Request a Cyber Risk Assessment at www.onapsis.com/request-an-assessment/cyber-risk.
REPORTING TIMELINE
05/27/2020  Onapsis provides vulnerability details to SAP
05/27/2020  SAP acknowledges receipt of vulnerability details and provides internal case number
06/05/2020  SAP confirms the vulnerability and that their team started to work on the fix
06/08/2020  SAP provides an update regarding fix status and confirms CVSS score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
06/10/2020  Onapsis releases Advanced Threat Protection capabilities in The Onapsis Platform
07/14/2020  SAP releases patch for the security vulnerability in SAP Security Note #2934135
07/14/2020  Onapsis issues RECON vulnerability threat report
CONCLUSION
Vulnerabilities such as RECON are rarely seen, but these types of security issues make up for their rarity with their business and compliance impact. As explained in this threat report, an attacker leveraging this vulnerability will have unrestricted access to critical business information and processes in a variety of scenarios. Given how widespread this vulnerability is across SAP products, most SAP customers will likely be impacted. Onapsis has been working closely with the SAP Security Response Team to report and fix this vulnerability, with the patch released in the July 2020 SAP Security Notes.
It is fundamental for SAP customers to apply the patch and follow the provided recommendations to stay protected. Continuous monitoring of SAP systems and automated assessment of security configurations are imperative to ensure that mission-critical information and processes remain secure.
LEARN MORE
Learn more about the RECON vulnerability: https://www.onapsis.com/recon-sap-cyber-security-vulnerability
ABOUT ONAPSIS
Onapsis protects the mission-critical applications that power the global economy, including ERP, CRM, PLM, HCM, SCM and BI from SAP®, Oracle® and
leading cloud vendors. Onapsis works with over 300 global brands and partners with leading consulting and audit firms such as Accenture, IBM and
Deloitte. Learn more at https://www.onapsis.com.
© 2020 Onapsis Inc. All Rights Reserved.