According to a new research by the cybersecurity firm Onapsis and SAP, they have detected 1,500 attempts to exploit mission critical SAP systems with over 300 successful exploitation between mid-2020 and March 2021.
The research states the “the evidence captured in this report clearly shows that threat actors have the motivation, means and expertise to identify and exploit unprotected mission-critical SAP applications, and are actively doing so. They are directly targeting these applications, including, but not limited to enterprise resource planning (ERP), supply chain management (SCM), human capital management (HCM), product lifecycle management (PLM), customer relationship management (CRM) and others”.
In addition, the research found that the attackers use sophisticated attack vectors chaining several vulnerabilities to compromise the system.
The research found that there are six exploits used by the attackers:
CVE-2010-5326 - Remote code execution flaw in SAP NetWeaver Application Server (AS) Java
CVE-2016-3976 - Directory traversal vulnerability in SAP NetWeaver AS Java
CVE-2016-9563 - XML External Entity (XXE) expansion vulnerability in BC-BMT-BPM-DSK component of SAP NetWeaver AS Java
CVE-2018-2380 - Directory traversal vulnerability in Internet Sales component in SAP CRM
CVE-2020-6207 - Missing authentication check in SAP Solution Manager
CVE-2020-6287 - RECON (aka Remotely Exploitable Code On NetWeaver) flaw in LM Configuration Wizard component
Figure 1: Exploits used by attackers as illustrated in Onapsis’s report
Mitigation with Advanced WAF
Advanced WAF customers under any supported version are already protected against those vulnerabilities as exploitation attempts will be detected by a dedicated signatures. The signatures could be found under the "Path Traversal”, “Authentication/Authorization Attacks”, “Other Application Attacks” and "Server Side Code Injection" signature sets.
Figure 2: CVE-2010-5326 Exploit attempt blocked by signature id 200013037
Figure 3: CVE-2016-3976 Exploit attempt blocked by signature id 200007040
Figure 4: CVE-2016-9563 Exploit attempt blocked by signature id 200018030
Figure 5: CVE-2018-2380 Exploit attempt blocked by signature id 200007039
Figure 6: CVE-2020-6207 Exploit attempt blocked by signature id 200104675
Figure 7: CVE-2020-6207 Exploit attempt blocked by signature id 200104676
Figure 8: CVE-2020-6287 Exploit attempt blocked by signature id 200013021
Mitigating with Threat Campaigns
Advanced WAF customers with Threat Campaign license could detect and block campaigns targeting those vulnerabilities with the following Threat Campaigns:
SAP NetWeaver BC-BMT-BPM-DSK XXE - CVE-2016-9563
SAP Solution Manager Missing Authentication Remote Code Execution - CVE-2020-6207
SAP NetWeaver Log Injection Remote Code Execution - CVE-2018-2380
SAP NetWeaver CrashFileDownloadServlet Arbitrary File Read - CVE-2016-3976
SAP RECON Remote Code Execution - CVE-2020-6287
SAP ConfigServlet Remote Code Execution - CVE-2010-5326