Security News > 2021 > April > SAP Bugs Under Active Cyberattack, Causing Widespread Compromise

SAP Bugs Under Active Cyberattack, Causing Widespread Compromise
2021-04-06 18:47

Active cyberattacks on known vulnerabilities in SAP systems could lead to full control of unsecured SAP applications, researchers are warning.

"With more than 400,000 organizations using SAP, 77 percent of the world's transactional revenue touches an SAP system. These organizations include the vast majority of pharmaceutical, critical infrastructure and utility companies, food distributors, defense and many more."

"Most federal agencies are running on SAP, as it has become the industry standard for government entities. However, these SAP implementations are often on-premise, and managed by the government entities themselves due to security concerns. These systems then become increasingly vulnerable when updates and patches are not applied in a timely fashion, leaving them wide open for interested hackers."

The attacks are brute-forcing high-privilege SAP user accounts, as well as exploiting a raft of known bugs: CVE-2020-6287, CVE-2020-6207, CVE-2018-2380, CVE-2016-9563, CVE-2016-3976 and CVE-2010-5326, according to the warning.

"The window for defenders is significantly smaller than previously thought, with examples of SAP vulnerabilities being weaponized in less than 72 hours since the release of patches, and new unprotected SAP applications provisioned in cloud environments being discovered and compromised in less than three hours."

"Unfortunately, both SAP and Onapsis continue to observe many organizations that have still not applied the proper mitigationsallowing unprotected SAP systems to continue to operate and, in many cases, remain visible to attackers via the internet."


News URL

https://threatpost.com/sap-bugs-cyberattack-compromise/165265/

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2020-07-14 CVE-2020-6287 Missing Authentication for Critical Function vulnerability in SAP Netweaver Application Server Java
SAP NetWeaver AS JAVA (LM Configuration Wizard), versions - 7.30, 7.31, 7.40, 7.50, does not perform an authentication check which allows an attacker without prior authentication to execute configuration tasks to perform critical actions against the SAP Java system, including the ability to create an administrative user, and therefore compromising Confidentiality, Integrity and Availability of the system, leading to Missing Authentication Check.
network
low complexity
sap CWE-306
critical
10.0
2020-03-10 CVE-2020-6207 Missing Authentication for Critical Function vulnerability in SAP Solution Manager 7.20
SAP Solution Manager (User Experience Monitoring), version- 7.2, due to Missing Authentication Check does not perform any authentication for a service resulting in complete compromise of all SMDAgents connected to the Solution Manager.
network
low complexity
sap CWE-306
critical
9.8
2018-03-01 CVE-2018-2380 Path Traversal vulnerability in SAP Customer Relationship Management
SAP CRM, 7.01, 7.02,7.30, 7.31, 7.33, 7.54, allows an attacker to exploit insufficient validation of path information provided by users, thus characters representing "traverse to parent directory" are passed through to the file APIs.
network
low complexity
sap CWE-22
6.6
2016-11-23 CVE-2016-9563 XXE vulnerability in SAP Netweaver Application Server Java 7.50
BC-BMT-BPM-DSK in SAP NetWeaver AS JAVA 7.5 allows remote authenticated users to conduct XML External Entity (XXE) attacks via the sap.com~tc~bpem~him~uwlconn~provider~web/bpemuwlconn URI, aka SAP Security Note 2296909.
network
low complexity
sap CWE-611
6.5
2016-05-13 CVE-2010-5326 Unspecified vulnerability in SAP Netweaver Application Server Java
The Invoker Servlet on SAP NetWeaver Application Server Java platforms, possibly before 7.3, does not require authentication, which allows remote attackers to execute arbitrary code via an HTTP or HTTPS request, as exploited in the wild in 2013 through 2016, aka a "Detour" attack.
network
low complexity
sap
critical
10.0
2016-04-07 CVE-2016-3976 Path Traversal vulnerability in SAP Netweaver Application Server Java
Directory traversal vulnerability in SAP NetWeaver AS Java 7.1 through 7.5 allows remote attackers to read arbitrary files via a ..\ (dot dot backslash) in the fileName parameter to CrashFileDownloadServlet, aka SAP Security Note 2234971.
network
low complexity
sap CWE-22
7.5

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
SAP 328 25 679 386 113 1203