Researchers have warned that critical vulnerabilities in unpatched SAP applications are being widely exploited by cyberattackers worldwide.
On Tuesday, SAP and Onapsis jointly released a report on the activities, in which security flaws with CVSS severity scores of up to 10, the highest possible, are being weaponized.
SAP applications are used by an estimated 400,000 enterprise organizations worldwide. While SAP is not aware of any direct customer-related breaches due to these activities, both the vendor and Onapsis say that there were at least 1,500 SAP application-related attack attempts tracked between June 2020 and March 2021, and at least 300 were successful.
The joint report says that enterprise resource planning, customer relationship management software, and supply chain systems — among others — are being targeted.
SAP issues security fixes for its products on a monthly basis, alongside organizations including Microsoft and Adobe.
However, the companies say that the critical issues being exploited are not being fixed by customers — and in some cases, vulnerable, internet-facing SAP applications are laden with bugs that remained unpatched for months, or even years.
Six vulnerabilities, in particular, are noted in the report as being actively exploited:
CVE-2020-6287: CVSS 10
Also known as RECON, this remotely exploitable bug in SAP NetWeaver/Java was caused by a failed authentication check. No privileges are required, and successful exploitation leads to the creation of admin accounts and full system hijacking.
A patch was issued on July 14, 2020, but Onapsis says attack activity utilizing this bug continues today.
CVE-2020-6207: CVSS 10
Impacting SAP Solution Manager (SolMan) version 7.2, this critical flaw permits attackers to obtain full administrative control over the hub of an organization’s SAP setup.
Proof-of-Concept (PoC) code was released for the security flaw following a patch issued by SAP on March 10, 2020. Exploit attempts have “increased significantly” since the release of the working PoC exploit code.
CVE-2018-2380: CVSS 6.6
This older vulnerability impacts the vendor’s SAP NetWeaver-based CRM solution and can be triggered to perform privilege escalation and to execute commands, eventually allowing for lateral movement through a corporate network. A patch was released on March 1, 2018.
CVE-2016-9563: CVSS 6.4
Patched in August 2016, this vulnerability impacts a component in SAP NetWeaver/JAVA version 7.5, leading to remote — but low-privilege — authenticated attacks.
CVE-2016-3976: CVSS 7.5
Also found in SAP NetWeaver/JAVA, this security flaw, patched in March 2016, permits remote attackers to read arbitrary files via directory traversal sequences, leading to information leaks and potentially privilege escalation if they are able to access the right resources.
CVE-2010-5326: CVSS 10
A critical vulnerability caused by an authentication failure in the Invoker Servlet within SAP NetWeaver Application Server/JAVA platforms. The security flaw allows attackers to gain full control of SAP business processes. In 2016, the US Department of Homeland Security (DHS) issued an alert on the active exploitation of this bug, which continues to this day.
In addition, the report says that the window for patching is “significantly smaller than previously thought,” with some SAP vulnerabilities becoming weaponized in less than 72 hours after public disclosure.
“Observed exploitation could lead in many cases to full control of the unsecured SAP application, bypassing common security and compliance controls, and enabling attackers to steal sensitive information, perform financial fraud or disrupt mission-critical business processes by deploying ransomware or stopping operations,” the companies say. “These threats may also have regulatory compliance implications for organizations that have not properly secured their SAP applications processing regulated data.”
CISA has also issued an alert on these activities.