Expert Insight On SAP Critical Bug Allows Unrestricted Access to ERP, CRM

SAP has patched a critical vulnerability impacting the LM Configuration Wizard component in NetWeaver Application Server (AS) Java platform, which would allow an unauthenticated attacker to take control of SAP applications.

3 Expert Comments
James MacQuiggan, Security Awareness Advocate
InfoSec Expert
July 15, 2020 1:47 pm

If you discovered in your neighborhood that burglars were breaking into the back windows of homes, you would likely take appropriate steps to protect your home. Whether you install break-proof windows, motion-sensing lights, or an alarm system to alert you to a break-in, these are actions to reduce the risk of an attack on your home.

When a newly exposed and critical vulnerability with huge repercussions is known, organisations want to patch these systems and applications immediately. With a robust change control and management program, organisations want to prioritise this patch to secure their systems and protect themselves as soon as possible.

Last edited 2 years ago by James MacQuiggan
Jayant Shukla, CTO and Co-Founder
InfoSec Expert
July 15, 2020 11:57 am

Java-based web applications are among the most common on the internet today and remain the most vulnerable to high-risk vulnerabilities like remote code execution, SQL injection, cross-site scripting and other vulnerabilities in the OWASP Top 10.

The SAP NetWeaver AS Java vulnerability is particularly concerning since SAP is used in the framework of many organizations' applications guarding their most precious data assets. This vulnerability points to the need, already pointed out by NIST (National Institute of Standards and Technology), for Runtime Application Self-Protection (RASP), also known as runtime application security, to help protect web applications, because Web Application Firewalls and other perimeter defenses have been failing to defend against exploitation of such zero-day vulnerabilities in production.

Last edited 2 years ago by Jayant Shukla
Casey Ellis, CTO and Founder
InfoSec Expert
July 15, 2020 10:31 am

This is the second major Java-based 0-day in the wild in as many weeks targeting widely deployed, Internet-facing critical software. The challenge of critical bugs is that traditional approaches may take days or even weeks to discover all exploitable instances of the vulnerability. Even when a patch is issued, successfully ensuring every application is patched becomes a race against malicious actors who know exactly what software they should be targeting. In the case of the SAP bug, the vulnerability in question would allow an unauthenticated attacker unrestricted access to SAP systems, including ERP, CRM and other programs likely to contain highly sensitive information, and enable them to gain privileged access even deeper into the network and systems of the affected organization. With crowdsourced security, the global researcher community is able to mobilize within hours, drastically cutting discovery time and allowing more effective prioritization of the effort that goes into testing and deploying patches and mitigations. Speed is absolutely essential when managing risk in these situations, and no other traditional security model is able to match crowdsourcing.

Last edited 2 years ago by Casey Ellis