Mitigating Active Cyberattacks on Mission-Critical SAP Applications

According to new research published by the cybersecurity firm Onapsis in collaboration with SAP, more than 1,500 attempts to exploit mission-critical SAP systems were detected between mid-2020 and March 2021, over 300 of which resulted in successful exploitation.


The research states that “the evidence captured in this report clearly shows that threat actors have the motivation, means and expertise to identify and exploit unprotected mission-critical SAP applications, and are actively doing so. They are directly targeting these applications, including, but not limited to enterprise resource planning (ERP), supply chain management (SCM), human capital management (HCM), product lifecycle management (PLM), customer relationship management (CRM) and others”.


In addition, the research found that attackers use sophisticated attack vectors that chain several vulnerabilities together to compromise a system, for example combining an authentication bypass with a file write or command execution flaw.

The research identifies six vulnerabilities that the attackers exploited:


  • CVE-2010-5326 - Remote code execution flaw in SAP NetWeaver Application Server (AS) Java
  • CVE-2016-3976 - Directory traversal vulnerability in SAP NetWeaver AS Java
  • CVE-2016-9563 - XML External Entity (XXE) expansion vulnerability in BC-BMT-BPM-DSK component of SAP NetWeaver AS Java
  • CVE-2018-2380 - Directory traversal vulnerability in Internet Sales component in SAP CRM
  • CVE-2020-6207 - Missing authentication check in SAP Solution Manager
  • CVE-2020-6287 - RECON (aka Remotely Exploitable Code On NetWeaver) flaw in LM Configuration Wizard component


Figure 1:  Exploits used by attackers as illustrated in Onapsis’s report



Mitigation with Advanced WAF


Advanced WAF customers on any supported version are already protected against these vulnerabilities, as exploitation attempts are detected by dedicated attack signatures. The signatures can be found under the “Path Traversal”, “Authentication/Authorization Attacks”, “Other Application Attacks” and “Server Side Code Injection” signature sets. Customers should confirm that the latest attack signature update is installed, that these signature sets are assigned to the security policy protecting the SAP application, and that the signatures have been enforced; a signature that is still in staging is logged but not blocked.
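To make the signature-set behaviour concrete, the following is an added example and not code from this page or from F5: a toy attack-signature engine in Python that classifies constructed HTTP requests against the four signature sets named above and shows why a signature left in staging only raises an alarm instead of blocking. The signature ids, regex patterns, endpoint paths and sample requests are all constructed for illustration and are simplified stand-ins, not F5's proprietary signature definitions.

```python
"""Toy WAF signature engine (illustration only, not F5 Advanced WAF code).

Demonstrates: normalizing a request before matching (to defeat percent-encoded
traversal sequences), matching against named signature sets, and the difference
between an enforced signature (block) and a staged signature (alarm only).
"""
import re
from dataclasses import dataclass, replace
from typing import List
from urllib.parse import unquote


@dataclass(frozen=True)
class Signature:
    sig_id: str      # hypothetical id, not a real F5 signature id
    name: str
    sig_set: str     # signature set the rule belongs to
    regex: str
    staged: bool = False  # staged signatures are logged, never blocked


@dataclass(frozen=True)
class Request:
    method: str
    target: str      # path plus query string, as received on the wire
    body: str = ""


@dataclass
class Verdict:
    action: str          # "block", "alarm" or "pass"
    matched: List[str]   # ids of the signatures that fired


# Constructed, deliberately coarse stand-in signatures for the four sets the
# article names. Real signatures are far more specific than these regexes.
SIGNATURES = [
    Signature("SIG-PT-1", "Directory traversal sequence",
              "Path Traversal", r"(\.\./|\.\.\\)"),
    Signature("SIG-XXE-1", "External entity declaration in XML body",
              "Other Application Attacks", r"<!ENTITY\s+\S+\s+(SYSTEM|PUBLIC)\b"),
    Signature("SIG-AUTH-1", "Direct access to SAP ConfigServlet",
              "Authentication/Authorization Attacks", r"/ConfigServlet\b"),
    Signature("SIG-SSCI-1", "OS command execution parameter",
              "Server Side Code Injection", r"EXECUTE_CMD|CMDLINE=", staged=True),
]


def normalize(value: str) -> str:
    """Percent-decode twice so single- and double-encoded traversal sequences
    (%2e%2e%2f, %252e%252e%252f) are matched in their decoded form."""
    return unquote(unquote(value))


def evaluate(req: Request, signatures: List[Signature] = SIGNATURES) -> Verdict:
    """Match the decoded target and body against every signature."""
    haystack = normalize(req.target) + "\n" + normalize(req.body)
    hits = [s for s in signatures if re.search(s.regex, haystack, re.IGNORECASE)]
    if not hits:
        return Verdict("pass", [])
    # One enforced hit is enough to block. If every hit is still staged the
    # request is only logged, which is the gap a practitioner must check for.
    if any(not s.staged for s in hits):
        return Verdict("block", [s.sig_id for s in hits])
    return Verdict("alarm", [s.sig_id for s in hits])


def enforce_all(signatures: List[Signature]) -> List[Signature]:
    """Return the same signature list with staging switched off."""
    return [replace(s, staged=False) for s in signatures]


# Constructed sample traffic; the paths and parameters are illustrative only.
SAMPLE_REQUESTS = [
    Request("GET", "/index.html"),
    Request("GET", "/CrashFileDownloadServlet?fileName=..%2F..%2F..%2F..%2Fetc%2Fpasswd"),
    Request("POST", "/bpm/endpoint",
            '<?xml version="1.0"?><!DOCTYPE x [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
            '<r>&xxe;</r>'),
    Request("GET", "/ctc/ConfigServlet?param=EXECUTE_CMD;CMDLINE=id"),
    Request("POST", "/sap/admin/run", "EXECUTE_CMD=1&CMDLINE=id"),
]


if __name__ == "__main__":
    for r in SAMPLE_REQUESTS:
        v = evaluate(r)
        print(f"{v.action:5s} {r.method} {r.target} {v.matched}")
    # Re-run the staged-only case with staging removed: alarm becomes block.
    print(evaluate(SAMPLE_REQUESTS[4], enforce_all(SIGNATURES)).action)
```

The last sample request only trips the staged “Server Side Code Injection” rule, so it is logged but allowed through until the signature is enforced; that is the condition to look for when confirming that a policy actually blocks rather than merely reports these exploitation attempts.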


Figure 2: CVE-2010-5326 Exploit attempt blocked by signature id 200013037


Figure 3: CVE-2016-3976 Exploit attempt blocked by signature id 200007040

Figure 4: CVE-2016-9563 Exploit attempt blocked by signature id 200018030



Figure 5: CVE-2018-2380 Exploit attempt blocked by signature id 200007039


Figure 6: CVE-2020-6207 Exploit attempt blocked by signature id 200104675


Figure 7: CVE-2020-6207 Exploit attempt blocked by signature id 200104676


Figure 8: CVE-2020-6287 Exploit attempt blocked by signature id 200013021


Mitigating with Threat Campaigns


Advanced WAF customers with a Threat Campaigns subscription can detect and block campaigns targeting these vulnerabilities with the following Threat Campaigns:


  • SAP NetWeaver BC-BMT-BPM-DSK XXE - CVE-2016-9563
  • SAP Solution Manager Missing Authentication Remote Code Execution - CVE-2020-6207
  • SAP NetWeaver Log Injection Remote Code Execution - CVE-2018-2380
  • SAP NetWeaver CrashFileDownloadServlet Arbitrary File Read - CVE-2016-3976
  • SAP RECON Remote Code Execution - CVE-2020-6287
  • SAP ConfigServlet Remote Code Execution - CVE-2010-5326


Additional References

https://onapsis.com/active-cyberattacks-mission-critical-sap-applications




Published Apr 08, 2021
Version 1.0