The Onapsis Research Labs keep a close eye on the changing threat landscape in order to better understand how commercial software like SAP and Oracle are being targeted. Our in-depth analysis enables the Onapsis Research Labs to uncover new threats, actions, and vulnerabilities, as well as behavioural changes that increase the risk to business-critical applications, more quickly. This information is critical in assisting firms in better prioritising their efforts and responding to the latest threats.
The study recently discovered exploitation activity connected to three SAP-patched vulnerabilities: CVE-2021-38163, CVE-2016-2386, and CVE-2016-2388. A few aspects are worth considering in relation to these three vulnerabilities:
- Two out of three CVEs have a CVSS grade of critical.
- The majority of these CVEs have publicly accessible proof-of-concepts and exploits.
- The majority of these CVEs can be remotely exploited using HTTP(s) protocols.
Fortunately, CISA maintains a Catalog of Known Exploited Vulnerabilities, which has proven to be incredibly useful in prioritising patching efforts for enterprises. This catalogue, which was created as part of BOD-21, maintains a list of vulnerabilities, designated by their CVE, that CISA has assessed to deserve inclusion based on verifiable evidence of current and active exploitation by threat actors on public or private enterprises. Vulnerabilities must have a CVE record, evidence of ongoing exploitation, and explicit remediation recommendations in order to be included in this collection (e.g., SAP Security Notes, Microsoft patches). CISA has featured six vulnerabilities affecting unprotected, unpatched SAP Applications that have been actively exploited since its inception in November 2021.
These three vulnerabilities have been added to CISA’s Catalog of Known Exploited Vulnerabilities today. On the plus side, its presence in the catalogue ensures that detailed repair instructions for these vulnerabilities between 2016 and 2021 is available. SAP provided SAP Security Notes for all of these vulnerabilities to aid in these efforts. If you’re a SAP user, you can learn more about these patches by visiting this link:
- For CVE-2016-2386, refer to SAP Security Note 2101079
- For CVE-2016-2388, refer to SAP Security Note 2256846
- For CVE-2021-38163, refer to SAP Security Note 3084487
Threat actors can and will use any and all means at their disposal to compromise business applications, which today frequently includes direct attacks on these business-critical applications themselves. SAP, CISA, and Onapsis issued threat information demonstrating this expanding knowledge and exploitation activity for unpatched, vulnerable SAP systems. This tendency is continuing, as evidenced by the addition of these three earlier SAP vulnerabilities today. It’s crucial that these SAP Security Notes are deployed correctly to your critical systems.
Finally, the Onapsis Research Labs advises that a security programme should constantly assess overall risk rather than reacting to new CVEs by patching critical vulnerabilities. While it’s critical for an organisation to respond quickly to vulnerabilities and exploits (and mitigate or patch as needed), incorporating the ability to better assess your security posture across your entire business application landscape (e.g., visibility into misauthorizations, elevated privileges, misconfigurations, anomalous behaviour) and preventing the introduction of new vulnerabilities in your ERP environments from new custom code is also critical.
We encourage companies using mission-critical software like SAP and Oracle to make sure they have the necessary practises in place to better manage risk. Onapsis can help with deep visibility and automation skills to design and incorporate the correct processes into your existing security programmes to help lower overall risk with over a decade of threat research expertise. For additional information, contact a professional now.