Onapsis Research Labs Advisory: CISA Highlights SAP & Oracle vulnerabilities as Frequently Exploited Vulnerabilities in 2022
Yesterday, we saw the release of a new security advisory co-authored and jointly issued by the security agencies from the Five Eyes intelligence alliance, which the US Cybersecurity & Infrastructure Security Agency (CISA) issued under Advisory Alert Code AA23-215A. This advisory takes a long look at 2022 and offers a compelling list of the Common Vulnerabilities and Exposures (CVEs) that were most frequently and consistently exploited throughout last year. Unsurprisingly, for those that have been paying attention to the Onapsis Research Labs for a while now, ERP software vulnerabilities (for Oracle and SAP) made the hot list of 42 observed, frequently exploited vulnerabilities. What might be surprising is that this is the first time that SAP and Oracle vulnerabilities have officially made this list.
First, let’s note that all of these vulnerabilities have patches available, so the fact that all of them were prominent exploitation targets by threat actors tells us that organizations continue to struggle with patching critical enterprise technology in a timely manner. This aligns with continued research from Onapsis Research Labs (“ORL”) and other teams where the window of exposure for unpatched applications or systems generally runs around 90 – 100 days. Compare this to the amount of time it takes for a threat actor to go from patch to active exploit, which is 72 hours. (With Log4shell, ORL observed active exploits being used in less than 24 hours from notice!) The stark reality is that IT and InfoSec teams are tasked with supporting security for thousands of applications – all of which require frequent security updates. With finite budget, time, and resources, prioritization becomes important, and risk acceptance, arguably, becomes the norm.
Secondly, what’s interesting to note is how the majority of these most frequently exploited vulnerabilities actually didn’t originate IN 2022. Roughly 64% of them were reported and patched between 2017 and 2021. This means active and sophisticated threat actors are explicitly targeting older vulnerabilities with more frequency than newly discovered ones in 2022. While one could attribute that to a lack of patching or negligence, it’s also important to note that the attack surface for your IT landscape is dynamic. Risk you accepted as minimal in 2017 when you didn’t patch may have been more critical in 2022 (or today), especially when we consider the constant influx of new vulnerabilities that allow threat actors to exploit and chain less critical vulnerabilities with released vendor patches. One recent example of this is the P4CHAINS family of chainable vulnerabilities which ORL has been tracking over the past few months.
Here are the CVEs for the ERP security vulnerabilities mentioned in the report:
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
The two CVEs for Oracle allow for an on-network attack via HTTP to compromise and take over the Oracle WebLogic server. The difference between the two critical vulnerabilities lies in who can exploit the flaw – for one, the attack can be unauthenticated while the other is conducted via a highly privileged user.
This brings us to the lone SAP vulnerability in the list – ICMAD with a CVSS of 10.0. Originally discovered and reported by the Onapsis Research Labs, it was patched in February 2022 by our partners in the SAP Product Security Research Team. At the time, CISA also released an alert for ICMAD to encourage organizations to patch as rapidly as possible. Malicious actors can easily leverage this critical vulnerability in unprotected systems. The exploit is simple, requires no previous authentication, no preconditions are necessary, and the payload can be sent through HTTP(S), the most widely used network service to access SAP applications. You can read more about ICMAD and its impact on our blog.
To this day, ORL continues to monitor repeated and frequent exploitation of this vulnerability across our global Threat Intelligence Cloud, the Onapsis Research Labs network of honeypots. More broadly, It’s worth noting that despite releasing in February 2022, over the span of less than a year, it was exploited continuously enough by threat actors to make CISA’s list of most frequently exploited vulnerabilities alongside more ubiquitous vendors such as Microsoft, VMware, and Fortinet. Sadly, with the “Return of ICMAD” in the most recent July 2023 SAP Patch Tuesday, this story of HTTP smuggling in critical SAP components is far from over.
Recommendations from Onapsis Research Labs
ORL highly recommends that organizations who are still vulnerable to attack should prioritize patching these vulnerabilities in their critical infrastructure and applications as soon as reasonably possible. For Onapsis customers seeking to mitigate these threats across your SAP or Oracle landscape, please refer to your Threat Intel Center or product dashboards for mitigation and remediation guidance.
In closing, this jointly issued security advisory reinforces the fact that ERP security is only as good as its last patch. Five years ago, it would be inconceivable that ERP vulnerabilities would be included in a list such as this. This speaks to the speed at which threat actors have become more sophisticated in their approaches and attacks, leveraging actual business-critical application flaws and exploits to directly attack the very same. This also underscores the need for high quality and timely threat intelligence from trusted, experienced sources as well as comprehensive technology to maintain, monitor, and defend your critical application and ERP landscapes from attack. Good threat intel and matching technology to facilitate response are hallmarks of a risk-driven approach not just to ERP security, but more broadly as well. It is also important to have a strong understanding of compliance and policy for your business and how this may impact those requirements, some of which may be driven by government regulation in your industry. Otherwise you could find your organization affected by the ongoing exploitation of these 42 vulnerabilities.