Back in May 2020, a vulnerability in SAP NetWeaver AS JAVA was discovered by the Onapsis Research Labs and disclosed to SAP on May 27. The vulnerability, dubbed “RECON” (Remotely Exploitable Code on NetWeaver), clocked in with a CVSS score of 10.0, the maximum: it is both high impact and easy to exploit, reachable over the network with no authentication or user interaction. SAP released patches for RECON on Monday, July 13, and the U.S. Department of Homeland Security’s Cybersecurity & Infrastructure Security Agency (CISA) issued a US-CERT alert, followed by warnings from other global organizations about the threats associated with this vulnerability.
Just a few days after the patches were released, proof-of-concepts (POCs) started appearing from security researchers. These POCs could be used to identify systems vulnerable to RECON, and bad actors could just as easily leverage them to mass-scan for potential targets (as could researchers looking to claim bug bounties). Ten days after the patches were published, a fully working exploit was released as a module in Rapid7’s Metasploit Framework, amplifying the threat to any SAP system not yet patched for RECON.
It’s tempting to tie the buzz of news stories, alerts and tweets around a vulnerability to trends in exploit activity, but the two should be kept distinct. The bulk of reports concern the vulnerability itself, with reports on proof-of-concepts a close second. Once a fully working exploit is released, the only new stories would be about active exploitation, and the trick is that we only hear about a successful attack if the attacker or the victim discloses it in the first place.
So while news-related activity drops off, the threat posed to an unpatched system remains high. Since the disclosure of a working exploit, we have witnessed active attacks on, and compromise of, these systems. The noise may have dropped, but the activity and the threat remain high.
The RECON vulnerability received much attention due to its high severity, but how many SAP vulnerabilities have gone unnoticed due to receiving less attention? What are the potential consequences of this?
The first half of 2020 saw a total of 123 SAP vulnerabilities. That alone is significant. Of those, over 10% scored a CVSS 9.0 or greater. A single CVSS 10 vulnerability can lead to full compromise of a system on its own, but a set of lower-scoring vulnerabilities can be chained together to achieve a similar outcome, with the same loss of confidentiality, integrity and/or availability. Given the number of SAP vulnerabilities this year alone, it is crucial not to ignore any of them, even those rated lower risk.
So we know RECON went from disclosure to full exploitation on systems that were not properly patched, but how can you tell whether your SAP systems are still vulnerable? And are there steps to take even if you have already patched?
To help SAP customers determine whether their systems are patched against RECON, free and open-source scanning tools are available. With these tools you can check an SAP instance to see if it is patched against RECON, and they can also check for potential Indicators of Compromise (IoCs) that suggest a system may already have been exploited. RECON went from patch release to publicly available exploit in just ten days; given that pace, it is still advisable to review your activity logs for anomalous activity, with or without the aforementioned tools, even if you have already patched. A patch closes the door, but it does not undo anything an attacker did before it was applied.
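The following is an added example of the two checks just described, written for this article; it is not code from the original post, from Onapsis, or from SAP. It assumes facts that the post itself does not state and that you should verify against SAP Security Note 2934135: RECON is tracked as CVE-2020-6287 and affects the LM Configuration Wizard, which AS JAVA serves under `/CTCWebService/CTCWebServiceBean`. The first function interprets the response to an unauthenticated probe of that endpoint (the response mapping is an assumption, with no network call made here); the second sweeps HTTP access-log lines for requests to it, flagging any that were served without an authenticated user. The log lines are constructed for the example and use a Common Log Format layout, which the ICM can be configured to emit but which is not its default format.

```python
"""RECON (CVE-2020-6287) triage helpers: probe-response classifier and access-log sweep.

Added example for illustration; not the post's, Onapsis's or SAP's code.
Assumed (verify against SAP Note 2934135): the LM Configuration Wizard is
served at CTC_PATH on SAP NetWeaver AS JAVA; a patched system requires
authentication there, a disabled wizard returns 404.
"""
import re
from dataclasses import dataclass
from typing import Iterable

CTC_PATH = "/CTCWebService/CTCWebServiceBean"

# Constructed sample log (not a real capture), Common Log Format:
# client ident authuser [timestamp] "METHOD path HTTP/x" status bytes
SAMPLE_LOG = """\
10.0.0.5 - jdoe [14/Jul/2020:09:01:12 +0000] "GET /irj/portal HTTP/1.1" 200 5123
198.51.100.23 - - [14/Jul/2020:09:02:44 +0000] "GET /CTCWebService/CTCWebServiceBean?wsdl HTTP/1.1" 200 8831
198.51.100.23 - - [14/Jul/2020:09:02:45 +0000] "POST /CTCWebService/CTCWebServiceBean HTTP/1.1" 200 612
10.0.0.7 - basisadmin [14/Jul/2020:09:10:03 +0000] "POST /CTCWebService/CTCWebServiceBean HTTP/1.1" 200 640
203.0.113.9 - - [14/Jul/2020:09:15:30 +0000] "GET /CTCWebService/CTCWebServiceBean?wsdl HTTP/1.1" 401 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)


def classify_probe_response(status: int, body: str) -> str:
    """Interpret the reply to an UNAUTHENTICATED GET of CTC_PATH + '?wsdl'.

    Assumed mapping: a WSDL handed out with no credentials means the wizard
    answers anonymously (unpatched, or the disable-workaround not applied);
    401/403 means authentication is enforced; 404 means the wizard is absent.
    """
    if status == 200 and "definitions" in body:
        return "exposed"
    if status in (401, 403):
        return "auth-enforced"
    if status == 404:
        return "not-deployed"
    return "inconclusive"


@dataclass
class Finding:
    ip: str
    user: str
    method: str
    path: str
    status: int
    severity: str  # "high" | "medium" | "info"
    reason: str


def triage_log(lines: Iterable[str]) -> list[Finding]:
    """Return every request to the wizard endpoint, rated by how worrying it is.

    high   - served (2xx/3xx) with no authenticated user: RECON's missing
             authentication check being exercised, whoever sent it.
    medium - served to an authenticated user: legitimate admin use or a
             session riding on an account the attacker created; check tickets.
    info   - rejected: the endpoint is being probed, auth held.
    """
    findings: list[Finding] = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or not m["path"].startswith(CTC_PATH):
            continue
        status, user = int(m["status"]), m["user"]
        if status < 400 and user == "-":
            sev, why = "high", "unauthenticated request accepted by LM Configuration Wizard"
        elif status < 400:
            sev, why = "medium", "authenticated use of LM Configuration Wizard; confirm change record"
        else:
            sev, why = "info", "request rejected; endpoint is being probed"
        findings.append(Finding(m["ip"], user, m["method"], m["path"], status, sev, why))
    return findings


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG.splitlines()):
        print(f"[{f.severity:6}] {f.ip:15} {f.user:10} {f.method:4} {f.status} {f.reason}")
```

Run against the constructed sample, the anonymous WSDL fetch and the anonymous POST from 198.51.100.23 come out as high, the basisadmin POST as medium, and the 401 as info. On a real system, pair a high finding with a review of administrator accounts created around the same timestamp and with the patch level reported by your SAP instance; the log sweep only tells you the door was open and someone walked up to it.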
Beyond RECON, take some time to review previous patches and check whether they have actually been applied. Back-office systems tend to be back-of-mind rather than in the spotlight, yet they house an organization’s core business processes and data. Working ERP security reviews into your routine review cycle is a good step towards minimizing risk and shrinking the window of opportunity for exploitation.