An SAP security vulnerability is leaving thousands of SAP systems at risk of exposing critical data.
The vulnerability, named RECON (Remotely Exploitable Code on NetWeaver), was discovered May 27 by Onapsis Research Labs, a team of ERP security experts at Onapsis, and the SAP Security Response Team. SAP released a patch to address the flaw July 13 in SAP Security Note 2934135.
The RECON vulnerability could potentially affect more than 40,000 SAP customers, particularly those with systems directly connected to the internet, said Mariano Nunez, CEO at Onapsis, a Boston-based firm that partners with SAP on researching and addressing enterprise security issues.
The SAP security vulnerability affects a default element called the CTC web service, a little-used but ubiquitous component that resides in every SAP application that runs SAP NetWeaver Java technology. SAP NetWeaver Java serves as the base for many SAP applications, which are often also connected to one another via APIs and common interfaces. Affected applications include SAP SCM (Supply Chain Management), SAP CRM, SAP Enterprise Portal, SAP Process Integration, and SAP Solution Manager, according to Onapsis.
The RECON bug was given the highest CVSS score of 10 out of 10 for its severity and potential to affect SAP systems and data. The Common Vulnerability Scoring System (CVSS) is a well-known framework for measuring vulnerability severity. The U.S. Department of Homeland Security’s Cybersecurity & Infrastructure Security Agency issued US-CERT Alert AA20-195A warning of the vulnerability, in conjunction with Germany’s BSI CERT-Bund, and other global security agencies issued alerts as well.
Sensitive data at risk
If the SAP security vulnerability is exploited, an unauthenticated attacker can create a new SAP user that has maximum privileges and can circumvent access and authorization controls to gain access to SAP systems.
“This makes it very critical because attackers — without needing a user ID for the target system — can get full control over these applications,” Nunez said. “They will then be able to steal sensitive data, modify critical data, or simply disrupt the business by shutting down the systems.”
The types of data at risk include employee personally identifiable information (PII), customer data, financial records, banking data such as account numbers, and purchasing processes. This puts unpatched customers at risk of violating Sarbanes-Oxley financial regulations and GDPR.
The rise of remote work due to COVID-19 may have added to RECON’s severity, as more people are using the internet to access SAP systems than ever before, according to Nunez.
“Many of the systems were already internet-facing before COVID for use cases like self-service portals or supplier B2B. But now with everyone working remotely, the systems have an even higher relevance for the company,” he said. “Now if you disrupt any of these internet-facing systems, then potentially the entire company may not be able to access them. Before it was only the people that were working remotely.”
Onapsis estimates that more than 40,000 SAP customers are running systems with the CTC web service component. It also estimates that 2,500 of these systems are directly connected to the internet, with 33% in North America, 29% in Europe and 27% in Asia.
Patch available now
Once SAP was alerted to the vulnerability by Onapsis researchers, it worked to develop a patch, which is available now, said Khaja Ahmed, SAP senior vice president and head of global product and application security.
The CTC web service is a widespread component of the LM Configuration Wizard, which automates system configuration via APIs. However, the component itself is not widely used, as most people use the LM Configuration Wizard directly; the web service did not have authentication built in, according to Ahmed.
“To be clear, [the flaw] is there — and has been there for 10 years,” he said. “So the fact that it is not commonly used and was discovered by Onapsis is a good thing because that allowed us to proactively address something before it became widely used.”
The security patch adds authentication and authorization to the CTC web service, Ahmed said.
The RECON patch is easy to apply and doesn’t require a shutdown or reconfiguration of the SAP systems, Nunez said.
“The fact that this component is not being widely used makes the amelioration likely to happen more quickly compared to other issues that have come up in the past,” he said. “It’s very likely that you can apply the patch quickly with very little operational disruption to the business.”
SAP customers have received alerts about the security vulnerability and the availability of the patch, said Tim McKnight, chief security officer at SAP.
“Customers have already told me that they have downloaded the patch and installed [it],” McKnight said. “So we know that they’re listening, they’re picking [it] up and they’re implementing.”