Unpatched vulnerabilities, common misconfigurations and hidden flaws in custom code continue to make enterprise SAP applications a target rich environment for attackers at a time when threats like ransomware and credential theft have emerged as major concerns for organizations.
A study that Onapsis conducted last year, in collaboration with SAP, found attackers are continuously targeting vulnerabilities in a wide range of SAP applications including ERP, supply chain management, product life cycle management and customer relationship management. Active scanning for SAP ports has increased since 2020 among attackers looking to exploit known vulnerabilities, particularly a handful of highly critical CVEs.
The study showed that often attackers have proof-of-concept code for newly disclosed vulnerabilities in as little as 24 hours after initial disclosure. and fully working exploits for them in under three days. Onapsis observed attackers finding and attacking brand new cloud-hosted SAP systems in barely three hours.
Yet, many organizations are continuing to leave SAP applications unpatched or are failing to apply recommended updates for months—and sometimes even years—because of concerns over business disruption and application breakages. A Pathlock sponsored report earlier this year, that was based on a survey of 346 members of the SAPinsider user community, showed 47% of respondents ranking patching as their biggest challenge behind only threat detection.
"With known SAP vulnerabilities totaling 1,143, organizations continue to struggle with prioritizing which of these presents the greatest risk to their specific environment," says Piyush Pandey, CEO of Pathlock. "There must be a shift in mindset to factor in risk levels that allow for immediate mitigations of the most pressing threats," he says.
The security of custom code ranked as the next biggest concern after patching, with 40% identifying it as an issue. The Pathlock survey found many organizations have dozens or even hundreds of SAP systems in place making patching difficult and time consuming, especially because they are trying to avoid disruptions and app breakages.
The trend has left many organizations exposed to attacks that could result in data theft, financial fraud, mission-critical application outages, system outages and other negative consequences. "SAP systems are high-value targets for hackers, as they are at the core of mission-critical business operations and contain large amounts of sensitive and confidential data," says Saeed Abbasi, principal security engineer at Qualys. "Successful attacks can result in devastating impact and disruption."
Here are the mostly commonly targeted vulnerabilities in SAP application environments.
Unpatched SAP vulnerabilities
Like all software vendors, SAP publishes regular updates to address new vulnerabilities and other security risks in its applications. So far this year, SAP has disclosed 196 SAP Security Notes containing such updates, which is already more than the total of 185 the company disclosed all last year. At least some of the increase appears to have to do with a greater than usual number of patches that SAP had to issue in January because of the Log4Shell vulnerability in the Apache Log4j logging framework.
Many of these vulnerabilities are critical and enable attackers to do several things such as gaining application or OS level access, escalating privileges, or executing cross-system compromise, the study showed.
"Just open any vulnerability database and you will see 50-plus exact SAP vulnerabilities with a CVSS score greater than 9," says Ivan Mans, CTO, and co-founder of SecurityBridge. So far this year, there have been 17 critical SAP Notes with a severity greater than 9.8, which is close to the maximum rating of 10 he says. "What we assumed was secure last year may no longer be secure today."
Onapsis and SAP found six of vulnerabilities that attackers have been targeting heavily over the years: CVE-2020-6287; CVE-2020-6207, CVE-2018-2380, CVE-2016-9563, CVE-2016-3976 and CVE-2010-5326. All have exploits publicly available, typically on GitHub.
JP Perez-Etchegoyen, CTO of Onapsis, ranked two of the vulnerabilities on that list as among the three most critical vulnerabilities in SAP applications: CVE-2020-6287 and CVE-2010-5326. Another vulnerability that he considers highly critical is one that SAP disclosed this year: CVE-2022-22536.
- CVE-2020-6287, also known as RECON, is a critical vulnerability in SAP NetWeaver Application Server Java that allows a remote unauthenticated attacker to take complete control of affected SAP applications. The threat the flaw poses—which includes letting the attacker create an administrative account with the highest privileges—prompted CISA to issue an advisory "strongly" recommending immediate patching, when SAP first disclosed the bug.
- CVE-2010-5326 is a vulnerability in the Invoker Servlet function in SAP NetWeaver Application Server first disclosed (and patched) in 2010. The flaw enables unauthenticated threat actors to execute OS-level commands and take over applications and the underlying database. SAP patched the vulnerability in 2010 but exploit activity targeting the flaw continues even now because many systems remain unpatched against the threat.
- CVE-2022-22536 or the ICMAD flaw is a critical request smuggling and request concatenation vulnerability in SAP NetWeaver Application Server ABAP, SAP NetWeaver Application Server Java, and other products. It allows an unauthenticated remote attacker to completely take over affected systems.
Of the four remaining vulnerabilities:
- CVE-2018-2380 is a medium severity insufficient validation vulnerability in multiple SAP CRM versions that attackers are actively using to drop SAP web shells for OS command injections.
- CVE-2020-6207 is an authentication related flaw that attackers are using in cross-system compromises.
- CVE-2016-9563 is a 2016 flaw that impacts an SAP NetWeaver AS JAVA 7.5 component. It is one of the vulnerabilities that attackers are chaining with the RECON flaw to escalate privileges on the operating system of SAP servers.
- CVE-2016-3976 is a directory traversal vulnerability in SAP NetWeaver AS Java 7.1 through 7.5 that attackers are using to exfiltrate credentials from SAP NetWeaver servers, among other things.
"A good way to understand the most critical vulnerabilities is to measure them, not only by (the Common Vulnerability Scoring System metric) but also by how exploited they are," Perez-Etchegoyen says. For that he recommends that organizations keep track of CISA's Known Exploited Vulnerabilities Catalog. Currently, ten vulnerabilities that affect SAP are in that catalog. "All of those ten have been and are being exploited to compromise SAP Applications," he says.
SAP configuration errors
The thousands of different ways in which SAP application settings can be configured—and changed to meet new requirements—often results in organizations setting up their SAP environments in a vulnerable manner. The difference between security issues related with a patch and a configuration is that in most cases when a patch is applied the risk is gone, Perez-Etchegoyen says. Configurations on the other hand keep changing, he says.
The most common SAP configuration problems include poorly configured access control lists (ACLs) and the use of weak, default or well-known username and password combinations.
Mans from SecurityBridge also points to issues like outdated or badly configured SAPRouter, SAP Web Dispatcher, Internet Communication Manager and SAP Gateway technologies as presenting problems for enterprise organizations. Other configuration related issues include publicly exposed services which can be accessed without even requiring authentication, unprotected or insufficiently secured access to administration services and unencrypted communication.
The Onapsis/SAP study showed that though SAP has provided detailed guidance on how to protect access to privileged accounts, many organizations are running SAP applications where highly privileged accounts are configured with default or weak passwords. The study found attackers frequently using brute-force attacks to break into SAP*, SAPCPIC, TMSADM and CTB_ADMIN accounts.
A set of exploits collectively referred to as 10KBlaze that was publicly released in 2019 hammered home the risk that organizations face from insecure configurations. The exploits targeted common misconfigurations in SAP Gateway and SAP Message Server and put an estimated 90% of SAP applications at over 50,000 organizations worldwide at risk of complete compromise.
Vulnerabilities in custom SAP code
Many organizations routinely develop extensive custom code for their SAP applications to customize them or to meet compliance requirements and for other reasons. "Organizations often customize SAP to meet specific business needs," Pandey from Pathlock says. "Examples include custom layouts and tables." This custom code should be regularly reviewed for flaws that could expose the SAP system to attack or misuse he says.
Perez-Etchegoyen identifies some of the most critical ones include injection flaws in ABAP commands, OS commands the OSQL utility as those imply a full system compromise. "There are many others that could also be abused to cause a significant impact to the business but in general the injection flaws tend to lead to a more critical impact," he says.
SAP identifies some other issues as well that can creep into custom code and put SAP applications at risk. These include potential URL redirect issues, missing content check during HTTP uploads, read access to sensitive and write access to sensitive data in databases.
Vulnerabilities in open-source and third-party code that a development team might use when writing custom code are another issue. As one example, Mans points to the Log4Shell vulnerability in Log4j. "Even though it’s not immediately an SAP vulnerability, SAP applications or custom applications run on SAP many be affected and require an update," he says.
The bottom-line is that security vulnerabilities in SAP can take many shapes, Pandey says. "They occur on the vendor side, but there is also a responsibility of the customer themselves to ensure they've configured and customized the deployment to enable security."
Organizations need to understand that risks to the SAP environment can come from both external actors and insiders, Perez-Etchegoyen says. "There are multiple critical risks in each area and the main difference amongst them is that the vulnerabilities in the software [and] configurations, are well known by threat actors and are currently being used to compromise SAP applications by outside threat actors."
"On the flipside, vulnerabilities in custom code, while supercritical and popping up in way higher volumes than the other two, are typically a risk that is more exposed to the insider threat as these are often exploitable with a user and a certain level of access," Perez-Etchegoven warns.