RedShield, specialists in web application shielding, has developed custom shield objects which immediately fix the
global RECON vulnerability to ensure critical data within SAP systems remains secure.
Designed to shield vulnerabilities at the proxy layer, without touching a single line of SAP application code, the
custom shield ensures attacks are harmless before they reach the application layer.
The announcement follows disclosure by SAP on 13 July of two new critical vulnerabilities in the
SAP Networker Application Server that allows attackers to gain remote access and complete control over SAP systems. This
application is considered a critical part of the SAP stack and a reported 40,000 SAP customers may be affected.
The Cybersecurity and Infrastructure Security Agency (CISA) has recommended organisations immediately perform updates
and apply patches within 24 hours; however, RedShield says that few organisations relish the idea of rolling out
emergency updates to such critical and complex enterprise systems as SAP.
“It is fundamental for SAP customers to stay protected and alert, as due to the very nature of SAP it will be running
business critical systems. However, the reason we see so many organisations struggling to act and apply patches quickly
is because of the potential business risks and what down-stream impact may be caused, ” says RedShield CEO, Andy Prow.
“This is why RedShield exists. Vulnerability Shielding involves injecting code in front of the vulnerable application to
fully remediate or neuter the attack. The most important factor is that the shield requires zero touch to the
application, meaning vulnerabilities are removed without the risk and interruption caused by touching systems like SAP.
”
As the SAP NetWeaver Java is a base layer for many SAP products, exploiting this vulnerability may allow an attacker to
leverage the connected systems and access further business-critical data and Personally Identifiable Information (PII).
“Because applying these patches can be difficult and take time, we’ve seen some organisations attempt to block access to
the affected SAP services; however, this is a heavy handed response, and often is untenable as a long term solution.
We’ve also seen some organisations introduce pre-authentication by allowing only authenticated users to access the
server; however, this assumes the malicious user has not already gained authentication, and is also not a viable
solution in all cases.”
“Deploying our shielding object to shield the RECON vulnerability, without touching a single line of SAP application
code is the fastest and most effective solution,” says Prow. “We can provide immediate peace of mind with our shielding
approach. With the shield(s) in place the customer may still upgrade or patch the systems behind the shields, but they
can do so in a planned and managed way, over time.”
RedShield can deploy shields for both legacy and new SAP applications - as well as APIs. Depending on the shielding
architecture needed, implementation can be completed within hours, well within the CISA’s recommended 24-hour timeframe.
According to reports, if a malicious user is able to successfully exploit the RECON vulnerability, they can create their
own account in SAP systems with maximum privileges, allowing them to:
Steal personally identifiable information (PII), which may violate privacy regulations
(e.g. GDPR, CCPA);
Access, delete, or manipulate financial records and banking details; and
Perform other admin functions such as deleting or modifying database records, traces, logs, and other files