Skip to main content

Vulnerable SAP Systems Under Active Exploitation

A warning has been released by SAP to raise awareness of threat groups exploiting known vulnerabilities in unpatched systems.

Threat ID:
CC-3815
Category:
Exploit
Threat Severity:
Medium
Threat Vector:
Vulnerability
Published:
8 April 2021 11:16 AM
Report a cyber attack: call 0300 303 5222 or email [email protected]

Summary

A warning has been released by SAP to raise awareness of threat groups exploiting known vulnerabilities in unpatched systems.

Affected platforms

The following platforms are known to be affected:

Various SAP products including CRM, NetWeaver Application Server Java, and Solution Manager.

Threat details

Introduction

SAP has reported ongoing malicious activity targeting unpatched and misconfigured systems, which can disrupt critical business processes. Security researchers have found that there is often only a short time window to apply SAP security updates before attempts to exploit vulnerabilities are observed.

Vulnerabilities

The vulnerabilities being targeted have previously been addressed in security updates released by SAP. A remote attacker can exploit the vulnerabilities to take control of an affected system.

Several of the vulnerabilities affect the SAP NetWeaver Java technology stack, which is present in a wide range of SAP products.

For more information on the vulnerabilities please see the following SAP Security Notes (SAP ID required to access):

Researchers have also identified a pattern of brute force access attempts against default high-privilege user accounts, as their passwords are not always changed following installation.

Remediation advice

Organisations are encouraged to review SAP's Security Notes and News Article and apply security updates on a regular basis.

SAP recommends that systems with a significant delay in applying patches should be assessed for potential compromise, prioritising any internet-facing systems.

Systems should also be checked for any unsecured or unauthorised high-privilege user accounts. Accounts susceptible to brute force attacks if left with the default password include SAP*, SAPCPIC, TMSADM and CTB_ADMIN.

CVE Vulnerabilities

Status Published

CVE-2010-5326

The Invoker Servlet on SAP NetWeaver Application Server Java platforms, possibly before 7.3, does not require authentication, which allows remote attackers to execute arbitrary code via an HTTP or HTTPS request, as exploited in the wild in 2013 through 2016, aka a "Detour" attack.
Status Published

CVE-2016-3976

Directory traversal vulnerability in SAP NetWeaver AS Java 7.1 through 7.5 allows remote attackers to read arbitrary files via a ..\ (dot dot backslash) in the fileName parameter to CrashFileDownloadServlet, aka SAP Security Note 2234971.
Status Published

CVE-2016-9563

BC-BMT-BPM-DSK in SAP NetWeaver AS JAVA 7.5 allows remote authenticated users to conduct XML External Entity (XXE) attacks via the sap.com~tc~bpem~him~uwlconn~provider~web/bpemuwlconn URI, aka SAP Security Note 2296909.
Status Published

CVE-2018-2380

SAP CRM, 7.01, 7.02, 7.30, 7.31, 7.33, 7.54, allows an attacker to exploit insufficient validation of path information provided by users, thus characters representing "traverse to parent directory" are passed through to the file APIs.
Status Published

CVE-2020-6207

SAP Solution Manager (User Experience Monitoring), version- 7.2, due to Missing Authentication Check does not perform any authentication for a service resulting in complete compromise of all SMDAgents connected to the Solution Manager.
Status Published

CVE-2020-6287

SAP NetWeaver AS JAVA (LM Configuration Wizard), versions - 7.30, 7.31, 7.40, 7.50, does not perform an authentication check which allows an attacker without prior authentication to execute configuration tasks to perform critical actions against the SAP Java system, including the ability to create an administrative user, and therefore compromising Confidentiality, Integrity and Availability of the system, leading to Missing Authentication Check.

Last edited: 8 April 2021 2:55 pm