Onapsis recently discovered a critical vulnerability of the SAP (CVE-2020-6287 or RECON), which gives attackers complete control over vulnerable business applications. It enables hackers to gain unauthenticated access to SAP, and then create new user accounts with privileges of admin (superuser). A malicious hacker can inflict massive damages with these privileges, including stealing data, changing bank account numbers, altogether sabotaging systems, etc.
RECON and 10KBLAZE Share Similarities
Very similar to the 10KBLAZE vulnerability of 2019, the RECON vulnerability attacks the confidentiality, availability, and integrity of the SAP ERP data and processes. Both RECON and 10KBLAZE leverage a lack of visibility and control while targeting SAP data security.
The recommendations of the Cybersecurity and Infrastructure Security Agency (CISA) for SAP products users and administrators focus on the need for monitoring systems, transactions, accounts creation, and access to and usage of data. This is where many SAP ERP customers struggle as achieving fine-grained controls and visibility are complex and, at times, prohibitive with native functionality.
Fine-Grained Visibility and Control: The Second Layer of Defense
RECON and 10KBLAZE highlight the inadequacy of a single, static layer of security within SAP in combating modern-day SAP data security threats. SAP ERP customers need to add another layer of defense with an all-encompassing suite of fine-grained, risk-aware access controls, and adequate monitoring of data access and usage.
The following suggestions will help you minimize your threat surface and the risks that RECON and future vulnerabilities may pose:
In a dynamic security environment, in addition to recommended security patches (that are a must), attribute-based access controls (ABAC) are essential.
RECON and 10KBLAZE both take advantage of the vulnerabilities in SAP’s open, internet-facing (think remote access) components. The implementation of data-centric, risk-aware controls using ABAC is recommended. ABAC prevents specific transactions such as user provisioning when access originates from IP addresses that are untrusted (or IP addresses outside of your whitelist), specific geographic locations, beyond work hours, mobile devices, and many other contextual attributes. Fine-grained visibility and control can be implemented to block high-risk activity, such as creating a user account (or privilege changes) when access comes from outside the corporate network, and those activities that match the patterns of RECON attacks.
Visibility into Data Access and Usage: Essential to Address Configuration Gaps
Both RECON and 10KBLAZE focus on creating unauthorized, high privilege user accounts. In this scenario, a real-time analytics solution that captures and visualizes data access and usage is needed. This is essential to monitor user provisioning activities such as user creation/deletion, and changes in role/profile. Minimizing the damage by reducing the amount of time a threat goes undetected calls for the earliest possible risk detection.
Preparing for Next Critical SAP Vulnerability by Layering Your Defenses
RECON is not the first critical vulnerability, nor will it be the last, to affect SAP. While security patches are available to ensure SAP data security, these may take time and resources to implement, leading to significant downtime for production systems. The time required to apply the patches also depends on the complexity and the components involved. Keep up to date on system updates anyway, but bugs such as RECON and 10KBLAZE serve as a reminder that patches are not enough to ensure complete SAP data security.