Onapsis and SAP Collaborate to Protect SAP Customers from RECON Vulnerability

In May 2020, the Onapsis Research Labs identified a serious vulnerability affecting a component included in many SAP applications. Tagged with a CVSS Score of 10, the RECON (Remotely Exploitable Code On NetWeaver) vulnerability, resides in a default core application. Since this vulnerability can be exploited by remote unauthenticated attackers, systems exposed to untrusted networks such as the internet could be opportunistically targeted by attackers.

Based on affected versions, Onapsis estimates that over 40,000 SAP systems may be affected by this vulnerability. Onapsis estimates there are at least 2,500 vulnerable SAP systems directly exposed to the internet, with 45% in North America, 12% in Europe and 30% in Asia-Pacific.

Following the Onapsis coordinated disclosure policy, Onapsis reported this vulnerability to SAP and closely worked together with its Security Response Team to address it. SAP has released SAP HotNews Security Note #2934135 addressing this issue.

Vulnerabilities such as RECON are not often seen, but these types of security issues compensate for their rareness with business and compliance impact. As explained in this threat report, an attacker leveraging this vulnerability will have unrestricted access to critical business information and processes in a variety of different scenarios. Based on how widespread this vulnerability is across SAP products, most SAP customers will likely be impacted. Onapsis has been working closely with the SAP Security Response Team to report and fix this vulnerability with the patch being released in the July 2020 SAP Security Notes.

It is fundamental for SAP customers to apply the patch and follow the provided recommendations to stay protected. Continuous monitoring of SAP systems and the automated assessment of security configurations is imperative to ensure that mission-critical information and processes are secure.

The Onapsis Research Labs and the SAP Security Response Team worked together to patch the RECON vulnerability in record time. Identified as HotNews SAP Security Note #2934135 in the July 2020 SAP Security Notes release, the RECON vulnerability has a CVSS score of 10 out of 10 (the most severe) and can potentially be exploited impacting the confidentiality, integrity and availability of mission-critical SAP applications.

This vulnerability resides inside SAP NetWeaver Java versions 7.30 to 7.50. All Support Packages tested by the Onapsis Research Labs to date were vulnerable. SAP NetWeaver is the base layer for several SAP products and solutions. This means that a broad range of products could be impacted for more than 40,000 SAP customers.

Affected SAP solutions include, but are not limited to:

• SAP Enterprise Resource Planning (ERP)
• SAP Supply Chain Management (SCM)
• SAP CRM (Java Stack)
• SAP Enterprise Portal
• SAP HR Portal
• SAP Solution Manager (SolMan) 7.2
• SAP Landscape Management (SAP LaMa)
• SAP Process Integration/Orchestration (SAP PI/PO)
• SAP Supplier Relationship Management (SRM)
• SAP NetWeaver Mobile Infrastructure (MI)
• SAP NetWeaver Development Infrastructure (NWDI)
• SAP NetWeaver Composition Environment (CE)

Since SAP SolMan is affected and deployed in almost every SAP environment, it is a safe assumption that almost every SAP customer has at least one system affected by this vulnerability.

Absolutely. Malicious threat actors do not need these systems to be exposed to the internet or in the cloud to attack them, as they can typically gain access to the network “behind the firewall” through spear-phishing and other attacks.

Once inside the network, it is very common to find that SAP applications like the ones affected by RECON are accessible to satisfy business use cases. In this case, as an attacker would not even need to have a valid user id in the target SAP application, it is very likely that they could successfully compromise them if not patched.

Furthermore, most large organizations have already realized that their “internal network” is not controlled as it used to be, as today VPNs, BYOD, outsourced contractors and many other variables create an environment where it is not possible to trust the connected devices.

If an unauthenticated attacker is able to connect to the HTTP(S) service and perform a successful exploitation of the RECON vulnerability, the impact could be critical in some situations. Technically speaking, an attacker would be able to create a new user in the vulnerable SAP system with maximum privileges (Administrator role), bypassing all access and authorization controls (such as segregation of duties, identity management and GRC solutions). This means that the attacker could gain full control of the affected SAP system, its underlying business data and processes.

Having administrative access to the system will allow the attacker to manage (read/modify/delete) every record/file/report in the system. Because of the type of unrestricted access an attacker would obtain by exploiting unpatched systems, this vulnerability also may constitute a deficiency in an enterprise’s IT controls for regulatory mandates—potentially impacting financial (Sarbanes-Oxley) and privacy (GDPR) compliance. Exploitation of the vulnerability allows an attacker to perform several malicious activities, including:

• Steal personally identifiable information (PII) from employees, customers and suppliers
• Read, modify or delete financial records
• Change banking details (account number, IBAN number, etc.)
• Administer purchasing processes
• Disrupt the operation of the system by corrupting data or shutting it down completely
• Perform unrestricted actions through operating system command execution
• Delete or modify traces, logs and other files.

With SAP NetWeaver Java being a fundamental base layer for several SAP products, the specific impact would vary depending on the affected system. In particular, there are different SAP solutions running on top of NetWeaver Java which share a common particularity: they are hyper-connected through APIs and interfaces. In other words, these applications are attached to other systems, both internal and external, usually leveraging high-privileged trust relationships.

Management should be aware of this risk, starting with the CISO and CIO up to the CFO and CEO. Additionally, given the potential compliance implications of this type of deficiencies on business-critical systems, your Internal Audit team and the Head of Compliance and Audit should assess this risk.

Unfortunately, this vulnerability cannot be detected by any solution performing GRC or segregation of duties (SoD) controls for SAP. Because these attacks would be unauthenticated requiring no user credentials or passwords, attackers can easily bypass any existing SoD controls.

Unfortunately, the RECON vulnerability is not under the general scope of IT General Controls (ITGC). Even in a scenario where ITGCs have a satisfactory state in your SAP environment, the presence of this risk could equal the combination of several ITGCs deficiencies. Based on our experience, the associated risks with vulnerabilities such as RECON are usually not included in traditional audits. We encourage internal and external auditors to include a risk assessment of the RECON vulnerability as part of your ITGC audits for SAP systems.

If exploited, an unauthenticated attacker (no username or password required) can create a new SAP user with maximum privileges, bypassing all access and authorization controls (such as segregation of duties, identity management and GRC solutions) and gaining full control of SAP systems. The RECON vulnerability is particularly dangerous because many of the affected solutions are often exposed to the internet to connect companies with business partners, employees and customers, which drastically increases the likelihood of remote attacks.

Onapsis has no evidence of the RECON vulnerability being exploited in the wild to date, but based on our field experience with customers, partners and prospects, we can confirm that any unpatched SAP system can be vulnerable to attacks. In fact, as most organizations are not able to detect the exploitation of these vulnerabilities, a system compromise may go undetected.