Intel, SAP, and Citrix release critical security updates

As expected, Microsoft and Adobe observed August 2020 Patch Tuesday, but many other software firms pushed out security updates as well. Apple released iCloud for Windows updates and Google pushed out fixes to Chrome. They were followed by Intel, SAP and Citrix.

Intel’s updates

It’s not unusual for Intel to take advantage of a Patch Tuesday. This time they released 18 advisories. Among the fixed flaws are: DoS, Information Disclosure and EoP …

The post Intel, SAP, and Citrix release critical security updates appeared first on Help Net Security.

Critical flaw gives attackers control of vulnerable SAP business applications

SAP has issued patches to fix a critical vulnerability (CVE-2020-6287) that can lead to total compromise of vulnerable SAP installations by a remote, unauthenticated attacker.

The flaw affects a variety of SAP business solutions, including SAP Enterprise Resource Planning (ERP), SAP Supply Chain Management (SCM), SAP HR Portal, and others.

About the vulnerability (CVE-2020-6287)

Discovered and reported by Onapsis researchers and dubbed RECON, CVE-2020-6287 is due to the lack of authentication in a web component (LM Configuration Wizard) of the SAP NetWeaver AS for Java versions 7.30 to 7.50. The vulnerability can be exploited through an HTTP interface – typically exposed to end users and often to the internet.

“If successfully exploited, a remote, unauthenticated attacker can obtain unrestricted access to SAP systems through the creation of high-privileged users and the execution of arbitrary operating system commands with the privileges of the SAP service user account (<sid>adm), which has unrestricted access to the SAP database and is able to perform application maintenance activities, such as shutting down federated SAP applications. The confidentiality, integrity, and availability of the data and processes hosted by the SAP application are at risk by this vulnerability,” the US Cybersecurity and Infrastructure Security Agency (CISA) explained.

Onapsis is set to release a report with more information about the flaw, but the CVSS base score it received (10.0) indicates that it is easily exploitable remotely, without prior authentication and without user interaction.

Patch quickly

The vulnerable component is used in many of SAP’s solutions: SAP S/4HANA, SAP Enterprise Resource Planning (ERP), SAP Enterprise Resource Planning (PLM), SAP Customer Relationship Management (CRM), SAP Supply Chain Management (SCM), SAP Enterprise Portal, SAP Solution Manager, and many others.

“Due to the criticality of this vulnerability, the attack surface this vulnerability represents, and the importance of SAP’s business applications, the Cybersecurity and Infrastructure Security Agency (CISA) strongly recommends organizations immediately apply patches. CISA recommends organizations prioritize patching internet-facing systems, and then internal systems,” the agency noted.

“Organizations that are unable to immediately patch should mitigate the vulnerability by disabling the LM Configuration Wizard service (see SAP Security Note #2939665). Should these options be unavailable or if the actions will take more than 24 hours to complete, CISA strongly recommends closely monitoring your SAP NetWeaver AS for anomalous activity.”

Onapsis researchers say that a scan they performed showed 2,500 vulnerable SAP systems exposed to the internet.
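The remediation order CISA describes above can be turned into a work queue; the following is an added example, not code from the article, SAP, Onapsis or CISA. The inventory record, its field names and the sample hosts are constructed assumptions, and a system whose version cannot be parsed is deliberately kept in scope.

```python
from dataclasses import dataclass

AFFECTED_MIN, AFFECTED_MAX = (7, 30), (7, 50)  # range stated in the article: 7.30 to 7.50

@dataclass
class SapSystem:              # hypothetical inventory record (assumption)
    name: str
    version: str              # NetWeaver AS Java version, e.g. "7.50"
    internet_facing: bool
    patched: bool
    patch_ready: bool         # a patch window is available right now
    hours_to_fix: float       # estimate until patch or mitigation is in place

def parse_version(text):
    """Return (major, minor), or None when the inventory value is unusable."""
    try:
        major, minor = text.strip().split(".")[:2]
        return int(major), int(minor)
    except ValueError:
        return None

def in_scope(system):
    version = parse_version(system.version)
    # Unknown versions stay in scope so a bad inventory field cannot hide a host.
    return version is None or AFFECTED_MIN <= version <= AFFECTED_MAX

def triage(systems):
    """Return [(name, actions)] with internet-facing systems first."""
    todo = [s for s in systems if in_scope(s) and not s.patched]
    todo.sort(key=lambda s: (not s.internet_facing, s.name))
    plan = []
    for s in todo:
        if s.patch_ready:
            actions = ["apply patch"]
        else:
            actions = ["disable LM Configuration Wizard (SAP Security Note #2939665)",
                       "schedule patch"]
        if s.hours_to_fix > 24:
            actions.append("monitor SAP NetWeaver AS for anomalous activity")
        plan.append((s.name, actions))
    return plan

# Constructed sample inventory; names and values are illustrative only.
INVENTORY = [
    SapSystem("scm-int", "7.40", False, False, True, 4),
    SapSystem("erp-ext", "7.50", True, False, False, 48),
    SapSystem("crm-old", "7.20", False, False, True, 4),
    SapSystem("hr-int", "7.31", False, True, True, 0),
    SapSystem("portal-ext", "unknown", True, False, True, 2),
]
```

Calling `triage(INVENTORY)` returns the internet-facing hosts first, then internal ones, each with the actions that apply to it.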

The potential impact of SAP security remediation

More than two thirds (68.8%) of SAP users believe their organizations put insufficient focus on IT security during previous SAP implementations, while 53.4% indicated that it is ‘very common’ for SAP security flaws to be uncovered during the audit process. These are key findings of the SAP Security Research Report by Turnkey Consulting.

The research also uncovered that most respondents were not fully equipped to manage risk. A fifth (20.8%) felt most businesses did not have the skills and tools to effectively secure their SAP applications and environment, with 64.3% saying they only had some skills and tools.

Looking at specific concerns, nine out of ten (93.2%) people thought it was likely that an SAP audit would flag access management issues. Privileged or emergency access was also a major concern with 86.4% believing it was common or very common to have audit findings specifically related to it.

However, the research also showed a growing awareness of the security challenges faced by today’s enterprise, with the adoption of ‘security by design’ regarded as a solution. 74.0% expect IT security to take greater priority in future SAP deployments, with 89.6% agreeing that security specialists should be brought on board to support their SAP S/4 HANA transformation programs.

Richard Hunt, managing director at Turnkey Consulting, said: “The findings of this survey mirror our day-to-day experiences; SAP security is often an afterthought on SAP deployments, with the result that not enough time and resource is allocated to the essential security activities that need to take place throughout the project.”

“However it is encouraging to see that boardroom awareness is growing as the general business environment becomes increasingly focused on compliance, data protection and cyber security. This understanding will drive organizations to take the critical step of designing security into implementations from day one.”

Turnkey undertook its inaugural SAP research to determine organizations’ preparedness as the SAP landscape undergoes a time of transition and the deadline to adopt SAP S/4 HANA approaches. The SAP ERP offers extensive user benefits in terms of increased interconnectivity and mobility, but risks leaving SAP applications and infrastructure open to exploitation.

“Rolling out SAP S/4 HANA requires significant investment and organizational commitment. This reinforces why building in security from the start is vital if remediation, which is costly from both a financial perspective as well as in terms of business disruption, is to be avoided further down the line,” Hunt concludes.