Threat actors targeting widely deployed, mission-critical SAP applications — exposing the networks of commercial and government organizations to attacks.
High Severity Attack
Critical vulnerabilities in unpatched SAP applications are being widely exploited by cyberattackers worldwide, researchers have warned.
On Tuesday, SAP and Onapsis released a joint report describing threat actors carrying out a range of attacks, including:
- theft of sensitive data
- financial fraud
- disruption of mission-critical business processes and other operational disruptions
- delivery of ransomware and other malware
SAP software products are used by companies to manage their financials, logistics, human resources, and other business areas.
Onapsis researchers have recorded more than 300 successful exploit attempts on unprotected SAP instances since mid-2020.
An estimated 400,000 enterprise organizations worldwide use SAP applications. The joint report says that enterprise resource planning (ERP), customer relationship management (CRM) and supply chain systems, among others, are being targeted.
Six vulnerabilities are reported as being actively exploited:
- CVE-2020-6287 (aka RECON): a remotely exploitable pre-auth vulnerability that enables unauthenticated attackers to take over vulnerable SAP systems.
- CVE-2020-6207: a maximum-severity pre-auth vulnerability that could also lead to the takeover of unpatched SAP systems (a fully working exploit was released on GitHub in January 2021). The flaw is a Missing Authentication Check: the affected service performs no authentication at all, which can result in the complete compromise of all SMD Agents connected to SAP Solution Manager.
- CVE-2018-2380: insufficient validation of user-supplied path information allows characters representing “traverse to parent directory” to be passed through to the file APIs.
- CVE-2016-95: attackers can exploit this bug to trigger denial-of-service (DoS) conditions and gain unauthorized access to sensitive information.
- CVE-2016-3976: remote attackers can exploit it to escalate privileges and read arbitrary files via directory traversal sequences, leading to unauthorized disclosure of information.
- CVE-2010-5326: a critical vulnerability caused by an authentication failure in the Invoker Servlet of the SAP NetWeaver Application Server Java platform.
The report also says that the window for patching is “significantly smaller than previously thought,” with some SAP vulnerabilities being weaponized less than 72 hours after public disclosure.
The main way to thwart these attacks is to patch the vulnerabilities.
According to the threat report, SAP-maintained cloud solutions are not affected by these vulnerabilities.
SAP customers are advised to take the following steps to mitigate the risk:
- Immediately perform a compromise assessment on SAP applications, prioritizing Internet-facing SAP applications
- Immediately apply the relevant SAP security patches and secure configurations
- Assess for the existence of misconfigured and/or unauthorized high-privilege users