More than 40,000 SAP customers, running an estimated 2,500 internet-facing systems, should move quickly to patch a Remotely Exploitable Code On NetWeaver (RECON) vulnerability that scored a 10 out of 10 on the CVSS severity scale and could give an attacker full control of the enterprise.
Noting that “this is the second major Java-based 0-day in the wild in as many weeks targeting widely deployed, Internet-facing critical software,” Casey Ellis, CTO and founder at Bugcrowd, said “the challenge of critical bugs is that traditional approaches may take days or even weeks to discover all exploitable instances of the vulnerability.”
Even in those cases where a patch is forthcoming, as with this vulnerability, “successfully ensuring every application is patched becomes a race against malicious actors that know exactly what software they should be targeting,” Ellis said.
The RECON vulnerability “would allow an unauthenticated attacker unrestricted access to SAP systems, including ERP, CRM and other programs likely to contain highly sensitive information, and enable them to have privileged access even deeper into the network and systems of the affected organization,” he explained.
“ERP systems are the ‘keys to the kingdom’ for organizations,” said Chris Clements, vice president of solutions architecture for Cerberus Sentinel, because they control orders, billing, inventory and many other core business processes. A malicious user who leveraged this particular SAP vulnerability “could disable checks and balances to place fraudulent orders or bills that could significantly disrupt business operations,” he said.
Organizations should ensure their critical ERP systems are closely monitored and audited for any suspicious activity. “It seems crazy, but many organizations are not actively monitoring their ERP systems with the same diligence as other systems and applications for fear of potential disruption in the ERP system operation, which creates a glaring blind spot for their security teams to spot internal fraud or external compromise,” Clements said.
Vulnerabilities in systems that run critical operations must be remediated quickly, or an organization risks not recovering from an attack. “When a newly exposed and critical vulnerability with huge repercussions is known, organizations want to patch these systems and applications immediately,” said KnowBe4 Security Awareness Advocate James McQuiggan. Organizations should prioritize the patch to secure their systems and protect themselves as soon as possible, he concluded.
Crowdsourced security can speed that process. “The global researcher community is able to mobilize within hours, drastically cutting discovery time and allowing more effective prioritization of the effort that goes into testing and deploying patches and mitigations,” said Ellis. “Speed is absolutely essential when managing risk in these situations and no other traditional security model is able to match crowdsourcing.”