SAP: attackers only need 72 hours to turn patch into exploit

Get a free Techzine subscription!

SAP warns its users to be quick about installing security patches. The company claims that attackers are able to reverse-engineer the patches at lightning speed, with the result that unpatched systems are extra vulnerable.

This is the conclusion of a report drawn up by SAP together with security analyst Onapsis. The report shows that attackers need less than 72 hours to convert a patch into an attack. For new SAP applications in cloud environments, an attack can even take place within three hours. On average, however, it takes just under a week for this to happen, writes The Register.

Warning from CISA

The report has even led to a warning from the American Cybersecurity & Infrastructure Security Agency. The agency warns that SAP systems with outdated or misconfigured software are at increased risk of malicious attacks and encourages users to apply the necessary updates and mitigations.

Hundreds of intrusion attempts

Since mid-2020, SAP and Onapsis have seen more than 300 successful attempts to break into unprotected SAP instances. Multiple vulnerabilities and insecure configurations were used. It is not known to what extent this also led to additional attacks on customer environments. The researchers did not have access to the necessary data to find this out.

However, the research does show some concrete examples of exploits. On 14 July 2020, for example, information about the RECON vulnerability (CVE-2020-6287) surfaced. The next day, proof-of-concept code was already published, a day later a large-scale scan for vulnerabilities was carried out and on 17 July an exploit was ready. Exploits for various other vulnerabilities were also quickly published on GitHub.

Respond as quickly as possible

Onapsis advises administrators to react quickly to newly available patches. Check whether you are running applications that are vulnerable to these CVEs, test the patches and implement them as soon as possible.