New SAP Vulnerabilities: All About RECON

Jan 14, '21 by Joerg Schneider-Simon

In July 2020, Onapsis disclosed a vulnerability that affects the SAP NetWeaver Application Server and therefore a large number of SAP applications.

Labeled as HotNews SAP Note #2934135 (CVE-2020-6287) in the July 2020 SAP Security Notes, this weakness has been termed "RECON," which stands for "Remotely Exploitable Code on NetWeaver." If your system is susceptible to it, an attacker can easily gain complete access to your organization's ERP system.

SAP almost immediately released a patch so users can fix RECON. All organizations using SAP systems should constantly be vigilant against vulnerabilities and patch them up as soon as there are fixes available.

CVSS Score

RECON's CVSS score is the highest possible: 10 on 10. This implies that the threats to your SAP system are as critical as they could be. The severity of exposure can impact the integrity, availability, and confidentiality of SAP applications that are vital to your organization's mission.

What Does RECON Affect?

This issue primarily impacts the default components in all SAP applications that run the SAP NetWeaver Java Technology Stack. Various SAP business solutions use this default technical component, including SAP CRM, SAP SCM, SAP Solution Manager (SAP SolMan), SAP Enterprise Portal, and SAP PI.

The RECON vulnerability, therefore, affects more than 40,000 SAP system users.

Release of Proof of Concept

A security researcher published a proof of concept for the vulnerability a few days after Onapsis discovered it.

While it isn't designed with malicious intent and can't affect your system, hackers with less than honorable intentions can still use it to launch new attacks against your SAP applications.

SAP's Security Notes and Patches

SAP is a massive system, so it always has its share of large and small susceptibilities. Efforts are mostly focused on mitigating vulnerabilities with high risk. To this end, SAP releases around 20 security notes each month.

They've published over 4000 of these notes, releasing patches along with them wherever necessary.

Whenever a patch is published, it's the responsibility of each SAP user to install it, so the relevant vulnerability is fixed.

However, SAP security notes and patches are often not enough for users to keep their ERPs safe.

The Patch Problem

Once SAP releases a patch, it actually increases your vulnerability for a short while. Cyber-attackers get to work exploiting the weaknesses they're newly alerted to, so they can get through systems that haven't applied the patches yet.

Organizations should use the patches as soon as they become available—but they don't. In fact, less than 30% of SAP customers make use of SAP security notes each month.

The majority of them apply patches twice a year, and a staggering 13% never use them at all.

This may be because applying patches takes effort. Unlike computing, operating, and application systems that automatically update, every SAP patch has to be manually applied.

Therefore, applying twenty or thirty patches every month is a feat that can take hours to achieve—a tall order for today’s busy (and often understaffed) cybersecurity teams.

Companies that irregularly apply patches or never apply them are at great risk for cyber-attackers accessing their systems and breaching sensitive data.

One reason organizations don't prioritize this issue is that they're afraid of breaking their SAP system down. And it’s easy to sympathize: Administration, plant management, shipping, and sending invoices would become nearly impossible if something goes wrong with SAP.

This fear is prevalent since there's a lack of specialized, intensively trained SAP personnel to use the system. Since SAP is so integral to many business operations, they wouldn't be able to function at all if it broke down.

How to Protect Your SAP System

Staying aware of new SAP vulnerabilities is one of the best ways for cybersecurity teams to make sure their mission-critical SAP systems stay secure.

But the only way to ensure that your SAP system is as safe as possible is to apply security patches as soon as they're available. Patching often and quickly will help keep your system safe from vulnerabilities.

To make it easier for your organization to apply patches, you can sign up for a system such as bowbridge Application Delivery Controller , which improves compliance and security for SAP Applications.

Application Delivery Controller will be capable of ensuring the performance, integrity, and availability of cloud-based SAP implementations and SAP applications that are web-exposed. It's a cloud-ready, software-only dispatcher that's specifically designed with SAP applications in mind.

If you're worried about your organization's SAP system being exposed to vulnerabilities, take the bowbridge Self-Assessment today.

Application Delivery Controller for SAP Solutions