
How to Handle a Remote Code Execution (RCE) Vulnerability in SAP


Key Takeaways

⇨ SAP releases patches monthly, and immediate installation of emergency patches is crucial, often requiring professional service personnel for manual operation.

⇨ Understanding and monitoring potential entry points like web-based access and exposed services are essential to reducing attack surfaces and protecting SAP systems from unauthorized access.

⇨ Applying security patches promptly and implementing robust security measures, including continuous monitoring and proactive vulnerability testing, are vital steps in safeguarding SAP systems from threats like Remote Code Execution vulnerabilities.

Software vulnerabilities are a ubiquitous challenge requiring robust cybersecurity measures. Software vendors regularly alert their customers in case of vulnerabilities and needed patches. As the leading Enterprise Resource Planning (ERP) software contributing to 87% of global trade commerce, SAP releases patches on the second Tuesday of every month.

SAP Security Patch Day is dedicated to security-related corrections for their product portfolio. The emergency patches must be installed immediately, and many patches require manual pre- and post-operation steps, which can only be executed by professional service personnel. The rule of thumb: the better you know your SAP attack surface, the more likely you are to reduce the risk of an attacker exploiting something you did not know was exposed. Companies must assume that every application contains serious security vulnerabilities that cannot be closed because no patch is available.

Know These SAP Attack Vectors

The SAP attack surface comprises potential entry points or attack vectors through which an unauthorized attacker can access a system or application—the smaller the attack surface, the better it can be protected. For example, web-based SAP access, for which the Internet Communication Manager (ICM) and the SAP Web Dispatcher are responsible, and the Internet Communication Framework (ICF) should be particularly monitored.

To ensure these attack surfaces are reduced, all exposed services (HTTPS, SOAP, WebService, APIs) must be continuously evaluated and inventoried. Any system service that is not used or does not serve a specific SAP business scenario should be disabled. SAP services not requiring authentication should be given special attention; they are in the so-called /public/ namespace. Services such as /public/system_info are the first port of call for attackers to gather information about the SAP system during the reconnaissance phase of an attack.
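As an added example (not code from the article), the script below turns the inventory rule above into a repeatable check: it parses a constructed, SICF-style export of ICF service nodes and flags every active service that is reachable without authentication or that is not tied to a documented business scenario. The semicolon-separated export format, the column names, the sample rows and the approved-service list are all assumptions made for this example.

```python
"""Flag risky ICF service exposure from a constructed SICF-style export."""
from dataclasses import dataclass

# Constructed sample export (assumed format: path;active;auth_required,
# with "X" meaning true). Real landscapes have hundreds of such nodes.
SAMPLE_EXPORT = """\
path;active;auth_required
/sap/bc/gui/sap/its/webgui;X;X
/public/system_info;X;
/public/ping;X;
/sap/bc/custom/soap_rfc;X;X
/sap/bc/webdynpro/sap/hr_self_service;;X
/sap/bc/custom/legacy_ws;X;X
"""

# Constructed allowlist: services mapped to a documented business scenario.
APPROVED = {
    "/sap/bc/gui/sap/its/webgui": "SAP GUI for HTML",
    "/sap/bc/webdynpro/sap/hr_self_service": "HR self-service",
}


@dataclass
class Finding:
    path: str
    reason: str


def parse_export(text):
    """Parse the semicolon-separated export into a list of service records."""
    lines = text.strip().splitlines()
    header = lines[0].split(";")
    rows = []
    for line in lines[1:]:
        rec = dict(zip(header, line.split(";")))
        rows.append({"path": rec["path"],
                     "active": rec["active"] == "X",
                     "auth_required": rec["auth_required"] == "X"})
    return rows


def review_services(rows, approved=APPROVED):
    """Return the findings a basis/security team should act on."""
    findings = []
    for r in rows:
        if not r["active"]:
            continue  # inactive nodes are not served by ICM/ICF
        p = r["path"]
        if not r["auth_required"] or "/public/" in p:
            findings.append(Finding(p, "unauthenticated service exposed"))
        elif p not in approved:
            findings.append(Finding(p, "active service without a business scenario"))
    return findings
```

Run it against a real export after each patch day and treat every finding as either a service to disable or a business scenario to document.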

Remote Code Execution (RCE) Vulnerability in SAP

A Remote Code Execution (RCE) vulnerability in SAP is a type of security issue that allows an attacker to execute arbitrary code on a target system remotely. In practice, this means an attacker can exploit a flaw in the system's software to reach a remote system and execute commands or actions without authorization.

A Remote Code Execution vulnerability in SAP can have serious consequences, including data theft, system disruption, and financial loss. Precedent has been set:

  • On July 20, 2023, threat actors exploited Citrix CVE-2023-3519, an unauthenticated remote code execution (RCE) vulnerability affecting NetScaler, to implant webshells. According to CISA.gov, “threat actors exploited this vulnerability as a zero-day to drop a webshell on a critical infrastructure organization’s non-production environment NetScaler ADC appliance. The webshell enabled the actors to perform discovery on the victim’s active directory (AD) and collect and exfiltrate AD data. The actors attempted to move laterally to a domain controller, but network-segmentation controls for the appliance blocked movement.”
  • The RECON vulnerability results from improper authentication checks in the SAP NetWeaver Java User Management Engine (UME) module. These improper checks allow attackers to bypass authentication and gain administrative access to the system. Once the attacker gains access, they can perform various malicious activities such as stealing sensitive data, modifying or deleting critical system files, and installing malware. SAP states, “The RECON (Remotely Exploitable Code On NetWeaver) vulnerability, rated with a CVSS score of 10.0 out of 10.”

Needless to say, the RCE vulnerability in SAP and the known RECON vulnerability for SAP NetWeaver Java instances are serious security threats that can have significant consequences. Applying security patches and implementing access controls and authentication mechanisms is essential.

Mitigating SAP Risks

Managing SAP security patches can be challenging and time-consuming for organizations, especially those with complex and heterogeneous SAP landscapes. Applying security patches requires careful planning and coordination to ensure the systems remain secure without disrupting critical business operations.

Patches should be implemented as soon as possible after SAP patch day. Unfortunately, this is not always easy. Apart from the manual effort required for some security patches, it is not uncommon for a patch to require a system restart that takes the SAP system offline temporarily. SAP recommends that its customers check each security note and determine whether it applies to any of their systems. In addition, security monitoring that includes information about SAP security advisories further reduces the risk of unapplied advisories weakening the SAP security posture.

Inevitably, a practical vulnerability management program must contain proactive and reactive measures to address the ever-evolving threat landscape. These four pillars must be ingrained in every vulnerability management program:

  • Regular and continuous vulnerability testing.
  • Risk-based prioritization of the mitigation and remediation.
  • Continuous monitoring.
  • Cross-department communication and collaboration, management involvement, and support.

Conclusion

We can’t use Generative AI to close all the software loopholes in decades of code…yet. For the foreseeable future, it will require the human element to remain diligent and take the necessary steps to reduce attack surfaces and immediately apply patches to address new vulnerabilities.

It’s important to remember that the threat posed by RCE vulnerabilities in SAP systems is significant but not insurmountable. Organizations can significantly mitigate the risks by adopting a proactive security posture, implementing stringent access controls, and leveraging third-party solutions for efficient patch management. Ensuring the security of SAP systems is not just about protecting data and processes; it’s about safeguarding the foundation of global trade and commerce.
