Affected systems
Onapsis estimates that more than 40,000 SAP customers could be affected by this security flaw at the moment. The company also found “at least 2,500 vulnerable SAP systems directly exposed to the internet, with 33% in North America, 29% in Europe and 27% in Asia-Pacific.” Examples of widely used SAP applications that are vulnerable to RECON attacks if left unpatched include SAP Solution Manager (SolMan), an application lifecycle manager deployed in almost all SAP environments, and SAP Enterprise Portal, which is exposed to attacks because it is often deployed on systems connected to the Internet. Two other SAP tools affected by RECON are the SAP Process Integration module and SAP Landscape Management (LaMa), an orchestration and automation tool; the latter, if successfully exploited, allows attackers to gain full control of an organization’s SAP assets. A list of SAP business solutions using the latest versions of SAP NetWeaver and affected by the RECON flaw include (more impacted products are listed in SAP’s Security Notes release):

Successful attack impact
If attackers successfully exploit a system connected to an untrusted network, they can read, modify, and delete any record, file, or report on the compromised system.
This allows them to perform a wide range of malicious tasks, including but not limited to reading, modifying or deleting financial records; deleting or modifying traces, logs, and other files; and disrupting the operation of the system by corrupting data or shutting it down completely. A successful attack would also enable them to change a compromised company’s banking details (account number, IBAN, etc.), to read personally identifiable information (PII), to perform unrestricted actions through operating system command execution, and to take control of purchasing process administration. Onapsis and SAP urge customers to patch their products as soon as possible to block potential attacks designed to exploit unpatched systems. “Based on how widespread this vulnerability is across SAP products, most SAP customers will likely be impacted,” Onapsis says in its RECON threat report. “It is fundamental for SAP customers to apply the patch and follow the provided recommendations to stay protected.”