From 0 to millions of dollars in a couple of packets: Compromising SAP systems by Favro Artuso

Systems that handle millions of dollars, exposed to the Internet: what can go wrong?
SAP systems manage the business processes of the largest companies in the world, including
87% of the Global 2000, storing financial records, sales and payments among other things.
During 2020, systems based on SAP NetWeaver Java were on everyone's lips due to the
combination of two factors: the number of critical vulnerabilities reported and the number of
systems exposed to the Internet. These security flaws, found and reported by Onapsis, include
three rated CVSS 10.0 and one rated CVSS 9.1. If that were not enough, public exploits,
including Metasploit modules, were released less than 72 hours after the security patches
became available to customers.
Anticipating the impact these vulnerabilities would have once public, Onapsis began a
threat intelligence campaign to understand the magnitude of the risk to these kinds of
systems. The results were more than interesting: many attacks from several sources were
observed, attempting to exploit these vulnerabilities in a very particular and strange way.
This presentation will focus on the technical aspects of the above-mentioned vulnerabilities
(CVE-2020-6287, CVE-2020-26829 and CVE-2020-26820). We will analyze how they were
discovered, the methodologies used, and how they can be abused to compromise
NetWeaver Java based systems. This includes reversing proprietary protocols, deserialization
attacks on SAP systems, analysis of vulnerable web services, and obtaining a shell for command
execution by chaining several vulnerabilities. We will also present the results of our campaign,
detailing several observed attacks and analysis of the exploits.
