The Onapsis Research Labs continuously monitors the evolving threat landscape in order to better understand what is being used to target business applications like SAP and Oracle. Our in-depth analysis allows the Onapsis Research Labs to more rapidly identify new threats, activities, and vulnerabilities as well as changes in behavior that elevate the risk to the business-critical applications. This intelligence is vital in helping organizations more efficiently prioritize their efforts and respond more effectively to the latest vulnerabilities.
Recently, our research detected exploitation activity related to three vulnerabilities that SAP had already patched: CVE-2021-38163, CVE-2016-2386, and CVE-2016-2388. A few factors make these three vulnerabilities worth considering:
- Two out of three of these CVEs have critical CVSS ratings
- Most of these CVEs have publicly available PoCs and exploits
- Most of these CVEs are remotely exploitable over HTTP(S)
Fortunately, CISA maintains a Catalog of Known Exploited Vulnerabilities (KEV) that has proven extremely helpful to organizations prioritizing their patching efforts. Established under Binding Operational Directive 22-01, the catalog lists vulnerabilities, identified by CVE, that CISA has determined warrant inclusion based on reliable evidence of current, active exploitation against public or private organizations by threat actors. To merit inclusion, a vulnerability needs an assigned CVE record, evidence of active exploitation, and clear remediation guidance (e.g., SAP Security Notes, Microsoft patches). Since the catalog's creation in November 2021, CISA has included six vulnerabilities affecting unprotected, unpatched SAP applications for which there has been evidence of active exploitation.
Today, CISA has updated this Catalog of Known Exploited Vulnerabilities with these three aforementioned vulnerabilities.
On a positive note, inclusion in the catalog means there is clear remediation guidance for these vulnerabilities from 2016 and 2021: SAP released SAP Security Notes for all three. If you are an SAP customer, you can access information about these patches here:
- For CVE-2016-2386, refer to SAP Security Note 2101079
- For CVE-2016-2388, refer to SAP Security Note 2256846
- For CVE-2021-38163, refer to SAP Security Note 3084487
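The practical question for an SAP team is which KEV entries still lack their Security Note on a given system. The following Python is an added example, not Onapsis or CISA code. It reads the KEV feed in its published JSON shape (`vulnerabilities` array with `cveID`, `vendorProject`, `product`, `dateAdded`, `dueDate`, `requiredAction`), keeps the SAP entries, maps each CVE to the SAP Security Note listed above, and reports the notes that are not in the system's applied-note list, most overdue first. The feed content embedded here is a constructed sample (the dates are placeholders, not the catalog's real dates), and the `ExampleVendor` entry is there only to show the vendor filter.

```python
"""Cross-check CISA KEV entries against the SAP Security Notes applied on a system.

Added example (not Onapsis or CISA code). Field names follow the published
KEV JSON feed; the entries in SAMPLE_KEV_JSON are CONSTRUCTED for offline use
and their dates are placeholders, not the real catalog dates.
"""
import json
from datetime import date

# CVE -> SAP Security Note mapping from the post above (SAP-published notes).
CVE_TO_SAP_NOTE = {
    "CVE-2016-2386": "2101079",
    "CVE-2016-2388": "2256846",
    "CVE-2021-38163": "3084487",
}

# Constructed sample in the shape of the KEV feed. Real feed:
# https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {"cveID": "CVE-2021-38163", "vendorProject": "SAP", "product": "NetWeaver",
         "dateAdded": "2022-09-01", "dueDate": "2022-09-08",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-2016-2386", "vendorProject": "SAP", "product": "NetWeaver",
         "dateAdded": "2022-09-01", "dueDate": "2022-09-08",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-2016-2388", "vendorProject": "SAP", "product": "NetWeaver",
         "dateAdded": "2022-09-01", "dueDate": "2022-09-08",
         "requiredAction": "Apply updates per vendor instructions."},
        # Non-SAP filler entry (constructed) to exercise the vendor filter.
        {"cveID": "CVE-2000-0001", "vendorProject": "ExampleVendor", "product": "Widget",
         "dateAdded": "2022-09-01", "dueDate": "2022-09-08",
         "requiredAction": "Apply updates per vendor instructions."},
    ],
})


def load_kev_entries(raw_json):
    """Parse a KEV feed document and return its list of vulnerability records."""
    return json.loads(raw_json)["vulnerabilities"]


def sap_entries(entries):
    """Keep only records whose vendorProject is SAP (case/whitespace tolerant)."""
    return [e for e in entries if e.get("vendorProject", "").strip().lower() == "sap"]


def remediation_gaps(entries, applied_notes, today, note_map=CVE_TO_SAP_NOTE):
    """Return SAP KEV entries whose Security Note is not applied, earliest due date first.

    An entry whose CVE has no note in note_map is still reported (note=None) so
    that it is looked up rather than silently skipped.
    """
    applied = {str(n).strip() for n in applied_notes}
    gaps = []
    for e in sap_entries(entries):
        note = note_map.get(e["cveID"])
        if note is not None and note in applied:
            continue  # remediation guidance already applied on this system
        due = date.fromisoformat(e["dueDate"])
        gaps.append({
            "cve": e["cveID"],
            "product": e.get("product", ""),
            "note": note,
            "due": e["dueDate"],
            "days_overdue": (today - due).days,  # negative means not yet due
        })
    gaps.sort(key=lambda g: (g["due"], g["cve"]))
    return gaps


if __name__ == "__main__":
    # Hypothetical system state: only Note 2101079 has been applied.
    entries = load_kev_entries(SAMPLE_KEV_JSON)
    for gap in remediation_gaps(entries, applied_notes=["2101079"], today=date(2022, 9, 15)):
        note = gap["note"] or "NO NOTE MAPPING - look up in SAP Support Portal"
        print(f'{gap["cve"]:<16} note {note:<10} due {gap["due"]} ({gap["days_overdue"]} days overdue)')
```

Point the loader at the downloaded feed and replace the `applied_notes` list with the output of your note-management process; everything that prints is a KEV entry CISA considers actively exploited and for which your SAP system has no recorded fix.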
Threat actors can and will use anything available to them to compromise business applications, which now often includes direct attacks on the business-critical applications themselves. SAP, CISA, and Onapsis have published threat intelligence documenting this growing knowledge of, and exploitation activity around, older vulnerabilities in unpatched, unprotected SAP systems. Today's inclusion of these three older SAP vulnerabilities shows that the trend continues. It is important to ensure that your critical systems have these SAP Security Notes effectively applied, including any manual post-implementation steps a note requires.
Finally, the Onapsis Research Labs recommends that a security program continually evaluate overall risk rather than reactively addressing critical vulnerabilities only when alerted to new CVEs. Responding quickly to vulnerabilities and exploits (and mitigating or patching accordingly) is important, but so is the ability to assess your security posture across the entire business application landscape (e.g., visibility into misauthorizations, elevated privileges, misconfigurations, and anomalous behavior) and to prevent new custom code from introducing new vulnerabilities into your ERP environments. Both are essential to minimizing risk.
We encourage organizations running business-critical applications such as SAP and Oracle to ensure the right processes are in place to better address risk. With over a decade of threat research expertise, Onapsis can help with deep visibility and automation capabilities to build and incorporate the right processes into your existing security programs to help reduce overall risk. Contact an expert today for more information.