Researchers have warned that critical vulnerabilities in SAP applications are widely exploited by cyber attackers.
On Tuesday, SAP and Onapsis jointly published a report on these activities, indicating that security vulnerabilities with CVSS severity scores of up to 10, the highest possible, are being used by attackers.
SAP applications are used by approximately 400,000 companies around the world. Although SAP is not aware of any direct breaches related to its customers as a result of these activities, the vendor and Onapsis claim that at least 1,500 attempted attacks related to SAP applications were identified between June 2020 and March 2021, and that at least 300 were successful.
According to the report, the affected applications include ERP, customer relationship management (CRM), and supply chain management systems, among others.
SAP releases security patches for its products on a monthly basis, alongside organizations such as Microsoft and Adobe.
However, the report states that the critical bugs being exploited have not been patched by customers, and that in some cases vulnerable, internet-exposed SAP applications carry flaws that have remained unpatched for months or even years.
Six vulnerabilities, in particular, are mentioned in the report as being actively exploited:
CVE-2020-6287: CVSS 10
Also known as RECON, this remotely exploitable bug in SAP NetWeaver / Java is caused by a missing authentication check. No privileges are required and, once exploited, this vulnerability allows the creation of administrator accounts and the complete compromise of the system.
A patch was released on July 14, 2020, but Onapsis reports that attacks using this bug continue today.
CVE-2020-6207: CVSS 10
Affecting version 7.2 of SAP Solution Manager (SolMan), this critical flaw allows attackers to gain complete control over an organization’s SAP configuration hub.
Fully functional proof-of-concept (PoC) exploit code was publicly released for this vulnerability after SAP issued a patch on March 10, 2020, and exploitation attempts have "increased significantly" since the code's release.
CVE-2018-2380: CVSS 6.6
This old vulnerability affects the vendor’s SAP NetWeaver-based CRM solution and can be triggered to elevate privilege and execute commands, potentially allowing lateral movement across a corporate network. A fix was released on March 1, 2018.
CVE-2016-9563: CVSS 6.4
Corrected in August 2016, this vulnerability affects a component of SAP NetWeaver / JAVA version 7.5 and can be exploited remotely by authenticated attackers holding only low privileges.
CVE-2016-3976: CVSS 7.5
Also present in SAP NetWeaver / JAVA, this security flaw, corrected in March 2016, allows remote attackers to read arbitrary files via directory traversal sequences, leading to information leaks and potentially to elevation of privilege if they are able to access the right resources.
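The directory-traversal class of bug described above is one of the easier ones to spot from the defender's side, because the traversal sequences show up in web-server access logs. The following Python scanner is an added example, not code from the report or from SAP or Onapsis: it parses combined-format access log lines, percent-decodes request paths repeatedly (double encoding is a common way to slip past naive filters), normalises backslashes, and flags requests containing a `..` segment. The log lines, IP addresses and URL paths are constructed placeholders and are not the affected SAP endpoints.

```python
"""Flag directory-traversal attempts in web access logs (added example, constructed data)."""
import re
from urllib.parse import unquote

# Apache/nginx "combined" log format. Sample lines below are constructed.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)

# A ".." segment that starts a path component (after / = ? & or at the start)
# and ends one (before / or end of string). "v1..2" or "..bar" do not match.
TRAVERSAL_RE = re.compile(r'(?:^|[/=?&])\.\.(?:/|$)')


def normalise_path(raw: str, rounds: int = 3) -> str:
    """Percent-decode until stable (bounded), then unify backslashes to slashes.

    The query string is kept because traversal payloads often sit in a
    parameter value, e.g. ?file=../../etc/passwd.
    """
    path = raw
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace('\\', '/')


def is_traversal(raw_path: str) -> bool:
    """True if the decoded request contains a '..' path segment."""
    return TRAVERSAL_RE.search(normalise_path(raw_path)) is not None


def scan_log(lines):
    """Return one record per request that looks like a traversal attempt.

    Lines that do not parse are skipped rather than raising, so a single
    malformed entry does not abort the scan.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        if is_traversal(m['path']):
            hits.append({
                "ip": m['ip'],
                "ts": m['ts'],
                "path": m['path'],
                "status": int(m['status']),
            })
    return hits


def count_by_ip(hits):
    """Aggregate flagged requests per source IP for triage."""
    counts = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return counts


# Constructed sample log: benign requests, plain / encoded / double-encoded
# traversal attempts, a look-alike that must NOT fire, and a malformed line.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2021:12:00:01 +0000] "GET /portal/index.html HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Mar/2021:12:00:02 +0000] "GET /example/download?file=../../../../etc/passwd HTTP/1.1" 200 2048',
    '198.51.100.9 - - [10/Mar/2021:12:00:03 +0000] "GET /example/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 404 210',
    '203.0.113.7 - - [10/Mar/2021:12:00:04 +0000] "GET /example/files/%252e%252e%252fconfig HTTP/1.1" 200 777',
    '192.0.2.5 - - [10/Mar/2021:12:00:05 +0000] "GET /docs/v1..2/index.html HTTP/1.1" 200 4096',
    'this line is not a valid log entry',
]

if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(f"{h['ip']:<14} {h['status']} {h['path']}")
    print("per-IP:", count_by_ip(found))
```

A 200 response on a flagged request is the record worth escalating: a 404 suggests the traversal was blocked or the target did not exist, while a successful status on a `..` path means the server may have served the file.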
CVE-2010-5326: CVSS 10
A critical vulnerability caused by missing authentication in the Invoker Servlet of the SAP NetWeaver Application Server / JAVA platform. The security flaw allows attackers to take full control of SAP business processes. In 2016, the US Department of Homeland Security (DHS) issued an alert on the active exploitation of this bug, and exploitation continues to this day.
Additionally, the report states that the window for patching is "considerably smaller than previously thought": some SAP vulnerabilities have been exploited within 72 hours of disclosure.
"The observed exploitation could lead in many cases to a complete compromise of the unsecured SAP application, bypassing common security and compliance controls, and allowing attackers to steal sensitive information, carry out financial fraud, or disrupt critical business processes by deploying ransomware or blocking operations," the companies say. "These threats can also impact regulatory compliance for organizations that have failed to properly secure their SAP applications handling regulated data."