RECON SAP VULNERABILITY THREAT REPORT MITIGATE A VULNERABILITY EXPOSING MISSION-CRITICAL BUSINESS DATA

Posted on 23-Mar-2021


THREAT REPORT | RECON SAP Vulnerability

TABLE OF CONTENTS

Executive Summary
Affected Systems
Business Impact of RECON
    SAP Enterprise Portal
    SAP Process Integration
    SAP Solution Manager
How To Protect Your Company
    Implementing the SAP Security Note
    The Onapsis Platform Coverage
        Assess Capabilities
        Defend Detection Rule
        Cyber Risk Assessment
Reporting Timeline
Conclusion


EXECUTIVE SUMMARY

In May 2020, the Onapsis Research Labs identified a serious vulnerability affecting a component included in many SAP applications. Tagged with a CVSS score of 10 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) and identified by CVE-2020-6287, the RECON (Remotely Exploitable Code On NetWeaver) vulnerability resides in a default core application. Since this vulnerability can be exploited by remote unauthenticated attackers, systems exposed to untrusted networks such as the internet could be opportunistically targeted. The SAP Enterprise Portal stands out as an example of a critical system typically connected to the internet that is exposed to this vulnerability, but other business solutions such as SAP PI/XI, SAP CRM, SAP SCM and SAP S/4HANA Java are also affected.

Based on affected versions (see further details below), over 40,000 SAP customers may be affected by this vulnerability. Onapsis estimates there are at least 2,500 vulnerable SAP systems directly exposed to the internet, with 33% in North America, 29% in Europe and 27% in Asia-Pacific.

Following the Onapsis coordinated disclosure policy, Onapsis reported this vulnerability to SAP and worked closely with its Security Response Team to address it. SAP has released SAP HotNews Security Note #2934135 addressing this issue, prompting a U.S. Department of Homeland Security US-CERT Alert. Onapsis strongly recommends that all SAP customers apply the patch immediately.

As a result of the potential threats associated with the RECON vulnerability, global organizations have issued the following alerts:


AFFECTED SYSTEMS

This vulnerability resides inside SAP NetWeaver Java versions 7.30 to 7.50 (the latest version as of the creation of this document). All Support Packages tested to date were vulnerable. SAP NetWeaver is the base layer for several SAP products and solutions. This means that a broad range of products could be impacted. These include, but are not limited to:

• SAP Enterprise Resource Planning (ERP)
• SAP Supply Chain Management (SCM)
• SAP CRM (Java Stack)
• SAP Enterprise Portal
• SAP HR Portal
• SAP Solution Manager (SolMan) 7.2
• SAP Landscape Management (SAP LaMa)
• SAP Process Integration/Orchestration (SAP PI/PO)
• SAP Supplier Relationship Management (SRM)
• SAP NetWeaver Mobile Infrastructure (MI)
• SAP NetWeaver Development Infrastructure (NWDI)
• SAP NetWeaver Composition Environment (CE)

Since SAP Solution Manager (SolMan) is affected and deployed in almost every SAP environment, it is a safe assumption that almost every SAP customer running the Business Suite and S/4HANA has at least one system affected by this vulnerability.


BUSINESS IMPACT OF RECON

If an unauthenticated attacker is able to connect to the HTTP(S) service and perform a successful exploitation of the RECON vulnerability, the impact could be critical in some situations. Technically speaking, an attacker would be able to create a new user in the vulnerable SAP system with maximum privileges (Administrator role), bypassing all access and authorization controls (such as segregation of duties, identity management and GRC solutions). This means that the attacker could gain full control of the affected SAP system, its underlying business data and processes.

Having administrative access to the system will allow the attacker to manage (read/modify/delete) every database record or file in the system. Because of the type of unrestricted access an attacker would obtain by exploiting unpatched systems, this vulnerability also may constitute a deficiency in an enterprise’s IT controls for regulatory mandates—potentially impacting financial (Sarbanes-Oxley) and privacy (GDPR) compliance.

Exploitation of the vulnerability allows an attacker to perform several malicious activities, including:

• Steal personally identifiable information (PII) from employees, customers and suppliers
• Read, modify or delete financial records
• Change banking details (account number, IBAN number, etc.)
• Administer purchasing processes
• Disrupt the operation of the system by corrupting data or shutting it down completely
• Perform unrestricted actions through operating system command execution
• Delete or modify traces, logs and other files.

With SAP NetWeaver Java being a fundamental base layer for several SAP products, the specific impact would vary depending on the affected system. In particular, there are different SAP solutions running on top of NetWeaver Java which share a common particularity: they are hyperconnected through APIs and interfaces. In other words, these applications are attached to other systems, both internal and external, usually leveraging high-privileged trust relationships.

The way SAP applications are opened to the internet in the form of SAP Enterprise Portals, combined with integration technologies such as SAP SolMan or SAP Process Integration, creates an environment in which the exploitation of a CVSS 10 vulnerability can ultimately lead to business data and PII being compromised.

The following sections will discuss in more detail some examples of widely-used SAP applications which share this pattern of API-based hyperconnectivity and are affected by this vulnerability.

Illustration 1: The Hyperconnection Concept (diagram showing SAP Solution Manager, S/4HANA Java, Enterprise Portal, NetWeaver Mobile Infrastructure, Landscape Management and Enterprise Resource Planning interconnected)


SAP ENTERPRISE PORTAL

According to SAP, the SAP Enterprise Portal is “the comprehensive integration and application platform that facilitates the alignment of people, information, and business processes across organizational and technical boundaries.”1 From a business point of view, the SAP Enterprise Portal can be seen as a hub where information from the SAP ecosystem and also from third-party applications collide. From a technical point of view, it’s a system that very often is deployed facing untrusted networks, such as the internet. These two key points transform the SAP Enterprise Portal into an interesting and relatively easy target for attackers, as it is highly interconnected and is reachable from the internet.

SAP Enterprise Portals provide an integrated entry point to HR processes, financial information and supply chain management processes. Attackers being able to compromise these systems can ultimately cause a significant impact to organizations, not only from a pure data breach and risk perspective; because business processes are involved, they are also subject to compliance and regulatory requirements, as discussed below.

• Thousands of employee self-service portals are serving organizations, many of those directly connected to the internet, where attackers can leverage RECON to exfiltrate employee records such as:
    • Employee name and address
    • Employee personal information
    • Employee payroll and benefits information
• This type of data breach has to be reported in the context of GDPR, CCPA or other related data privacy regulations. Furthermore, this type of application can be targeted by threat actors looking to modify payroll bank accounts for employees, leading to the deviation of funds through fake payroll payments.
• Organizations depend on SAP financial applications for corporate accounting, especially important for publicly-traded organizations, where a significant deficiency or a material weakness can create a significant problem. Attackers can leverage RECON to compromise SAP financial applications and ultimately modify records in the financial systems. Any modification in vendor, bank account or suppliers’ data could lead to different types of fraud schemes with the deviation of funds, as well as the related implications in Sarbanes-Oxley reporting.
• Uptime of operations is king for the large enterprise sector, where SAP applications support the most critical business processes such as manufacturing, supply chain, transportation management, logistics and operations. The RECON vulnerability could be used by attackers to stop operations and bring organizations to a halt, with significant financial, compliance and reputational consequences.

1 https://help.sap.com/doc/saphelp_nw75/7.5.5/en-US/8c/fccbc11ae344b0a64238d49c87597f/content.htm


SAP PROCESS INTEGRATION

The SAP Process Integration (PI) module is a part of the SAP NetWeaver platform that facilitates the communication and integration of business processes, with both SAP and non-SAP systems. It provides a single point of interaction to exchange information between the different components such as Sales & Distribution (SD), Finance & Cost Controlling (FICO), Extended Warehouse Management (EWM) and Customer Relationship Management (CRM), among others.

Even when a secure configuration has been applied to the SAP PI module, an attacker could acquire high privileges by exploiting the RECON vulnerability and use them to display, change or delete sensitive data from any of the modules connected to the SAP PI—disrupting critical integrations with strategic business partners and essential processes. Given that the attacker could get administrator privileges in the SAP PI module, it could be strategically used as a pivot to get sensitive information from several modules such as the ones mentioned before.

Illustration 2: The SAP Process Integration Module (diagram showing SAP PI Middleware connected to SAP SD, SAP FICO, SAP CRM and SAP EWM)


SAP SOLUTION MANAGER

SAP SolMan aims to centralize the management of all SAP and non-SAP systems that are within an organization’s landscape. As an administration solution, it performs actions such as implementation, support, monitoring and maintenance of the SAP enterprise applications and systems.

Being a technical system, SolMan does not hold business data. However, it could act as the main door for a more in-depth attack which could potentially involve the compromise of business information. Due to its nature of centralizing management, SolMan is connected to every SAP system inside the landscape. These systems are also known as satellite systems.

If an attacker is able to compromise SolMan, they will be able to abuse established trust relationships and pivot to any satellite system. Trusted relationships between SolMan and its connected systems are commonly configured to be highly privileged, becoming an interesting vector from the attacker’s point of view to gain further access to business data stored in satellite systems.

Illustration 3: SAP Solution Manager Centralizes Management to All SAP Systems (diagram showing SAP SolMan connected to SAP HR, SAP BO, SAP SRM, SAP BW, SAP S/4HANA, SAP CRM, SAP ERP and SAP PI/PO)


HOW TO PROTECT YOUR COMPANY

Implementing the SAP Security Note

SAP released Security Note #2934135 on July 14, 2020 addressing this issue. SAP customers should implement it immediately.

THE ONAPSIS PLATFORM COVERAGE

The Onapsis Platform is SAP-certified and is the only solution in the market to combine a preventative, behavioral-based and context-aware approach for detecting, identifying and mitigating security risks, compliance gaps and cyberattacks on mission-critical applications. The Onapsis Platform automates testing, change, audit and security processes so cross-functional teams can focus on improving SAP availability and performance, accelerating cloud migrations and S/4HANA implementations, streamlining audit processes and hardening security on-premises and in the cloud.

To help protect SAP customers from threats on the RECON vulnerability, The Onapsis Platform includes automated assessment, detection rules and alarms to continuously monitor malicious activity targeting this specific vulnerability and many others.

ASSESS CAPABILITIES

Using the Assess module of The Onapsis Platform, Onapsis customers can automatically run a full assessment of their SAP landscape and analyze whether RECON is present in their SAP systems to streamline remediation and mitigate the risk.

DEFEND DETECTION CAPABILITIES

Onapsis customers using the Defend module of The Onapsis Platform have a detection capability in place to continuously monitor for malicious activity and receive alarms to prevent attacks abusing the RECON vulnerability.

PERFORM AN SAP CYBER RISK ASSESSMENT TODAY

For SAP customers not using The Onapsis Platform, Onapsis offers a complimentary Cyber Risk Assessment to help identify if this vulnerability (and others) is present in their SAP systems. Request a Cyber Risk Assessment at www.onapsis.com/request-an-assessment/cyber-risk.


REPORTING TIMELINE

05/27/2020  Onapsis provides vulnerability details to SAP
05/27/2020  SAP acknowledges receipt of vulnerability details and provides internal case number
06/05/2020  SAP confirms the vulnerability and that their team started to work on the fix
06/08/2020  SAP provides an update regarding fix status and confirms CVSS score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
06/10/2020  Onapsis releases Advanced Threat Protection capabilities in The Onapsis Platform
07/14/2020  SAP releases patch for the security vulnerability in SAP Security Note #2934135
07/14/2020  Onapsis issues RECON vulnerability threat report

CONCLUSION

Vulnerabilities such as RECON are not often seen, but these types of security issues compensate for their rareness with business and compliance impact. As explained in this threat report, an attacker leveraging this vulnerability will have unrestricted access to critical business information and processes in a variety of different scenarios. Based on how widespread this vulnerability is across SAP products, most SAP customers will likely be impacted. Onapsis has been working closely with the SAP Security Response Team to report and fix this vulnerability, with the patch being released in the July 2020 SAP Security Notes.

It is fundamental for SAP customers to apply the patch and follow the provided recommendations to stay protected. Continuous monitoring of SAP systems and the automated assessment of security configurations are imperative to ensure that mission-critical information and processes remain secure.

LEARN MORE

Learn more about the RECON vulnerability at https://www.onapsis.com/recon-sap-cyber-security-vulnerability


ABOUT ONAPSIS

Onapsis protects the mission-critical applications that power the global economy, including ERP, CRM, PLM, HCM, SCM and BI from SAP®, Oracle® and leading cloud vendors. Onapsis works with over 300 global brands and partners with leading consulting and audit firms such as Accenture, IBM and Deloitte. Learn more at https://www.onapsis.com.

© 2020 Onapsis Inc. All Rights Reserved.
