In 1993’s Groundhog Day, Phil Connors gets stuck in an endless loop where he repeats the same day over and over again. Vulnerability management processes, like patch management, can sometimes feel like a repetitive loop if organizations don’t have the proper solutions and strategies in place. Some of Onapsis’ most popular blogs continue to be ones about vulnerabilities that have been found, and had patches released months, or even years, ago. So the challenge for organizations continues to be: how to identify vulnerabilities, prioritize patches, and prevent cyberattacks targeting critical data and systems. Given the frequency of releases, complexity of the patching process, and size of application landscapes, organizations face a growing backlog of patches and often don’t have tools to assist with prioritization. These organizations are stuck in a continuous loop of relying on manual efforts to identify which systems are missing which patches, which missing patches to prioritize, and whether or not patches were applied. The good news is, with the right tools and processes, it's possible to get out of this loop.
Keeping Up With Patch Management Is a Challenge
In recent attacks by threat group Elephant Beetle, two older vulnerabilities — SAP NetWeaver Invoker Servlet Exploit (CVE-2010-5326) and SAP NetWeaver ConfigServlet Remote Code Execution (EDB-ID-24963) — are still being targeting by attackers. CVE-2010-5326 was the very first US-CERT alert pertaining to SAP cybersecurity back in 2016. And that US-CERT alert, while initiated in 2016, was referring to a patched vulnerability from five years earlier. Both of these vulnerabilities also have existing patches. Onapsis Research Labs’ Threat Intelligence Cloud analyzed activity related to the two SAP NetWeaver Java vulnerabilities and found over 350 exploitation attempts since January 2020. Older, unpatched vulnerabilities continue to be exploited by threat actors and will continue to be a problem for organizations that don’t have the right tools to identify, prioritize, and remediate.
According to a Ponemon Institute report, 60% of breach victims said they were breached due to an unpatched known vulnerability where the patch was not applied. Recent headlines about a ransomware attack at a utilities company related to the RECON vulnerability was first disclosed by Onapsis Research Labs in July 2020. Patching applications and vulnerability management can be challenging and time-consuming (though it doesn’t have to be), but just because a vulnerability is old, doesn’t mean that it doesn’t still pose a risk to your organization. You can bet sophisticated, methodical threat actors will find a way to exploit it, if given the opportunity.
The Importance of Patch Management
Analyzing complex security notes and then prioritizing and implementing patches is challenging, especially for enterprises running multiple business-critical applications and systems. Manually managing patch implementation is a time-consuming and error-prone process. There isn’t an easy way to identify which systems are missing patches, or to prioritize patches and systems accordingly, which often leads either to a rushed process or one of deprioritization. This results in a growing backlog of patches. However, it’s important to patch promptly because threat actors are also keeping an eye on patch releases. Research from SAP, CISA, and Onapsis found critical SAP vulnerabilities being weaponized less than 72 hours after the patch was released. However, the patch gap from when a vulnerability is found to when a patch is deployed is a lot longer; the average time to apply, test, and fully deploy a patch is 97 days1.
Prioritizing Vulnerability Management
These old vulnerabilities have shown us that organizations need to strengthen their business-critical application security processes with the right vulnerability management and patch management processes to make it significantly harder for threat actors to perform an initial compromise. A vulnerability management solution that targets the application layer can identify which systems are missing patches, validate that the patches are applied correctly and completely, and enable organizations to prioritize patching based on severity and impact. With the right tools and processes in place, organizations minimize the risk of critical vulnerabilities, protect their most important business assets, and stop the Groundhog Day cycle of repetitive manual efforts.
For more on vulnerability management and business-critical applications, read our related paper. To identify your organization’s current risk exposure, get in touch with an Onapsis security expert at www.onapsis.com/request-an-assessment/cyber-risk.
Further Reading: Threat Intelligence from Onapsis Research Labs
- 10K Blaze: In April 2019, several new exploits targeting SAP applications were released in a public forum. Although the exploits target insecure configurations that have been reported by SAP SE and Onapsis in the past, their public release significantly increases the risk of successful cyberattacks against SAP implementations globally. These exploits could affect 9 out of 10 SAP systems; we recommend organizations review and apply all relevant SAP Security Notes.
- RECON Vulnerability: The Onapsis Research Labs and SAP worked together in late 2020 to uncover and mitigate the serious RECON vulnerability. The RECON vulnerability affects a default component present in every SAP application running the SAP NetWeaver Java technology stack. This technical component is used in many SAP business solutions, and a successful exploit could give an unauthenticated attacker full access to the affected SAP system
- Active Cyberattacks on Business-Critical SAP Applications: In April 2021, we released joint threat intelligence with SAP and the first public report from Onapsis Threat Intelligence Cloud. Not only has the threat landscape grown in recent years, but threat actors have gotten more sophisticated, using well-known exploits, and are acting quickly. The window for defenders has gotten increasingly smaller.
- Monthly SAP Security Notes: Onapsis Research Labs regularly contributes to SAP Security Notes and releases our analysis every Patch Tuesday.