HTTP Request with Modified Header Makes SAP Login Screen Disappear, Researcher Says
SAP environments are often home to an organization’s most important business data, making protecting them paramount for enterprise security.
Oftentimes however, securing these environments is considered synonymous with segregation of duties controls, creating for some a false sense of security - one that Onapsis CEO Mariano Nuñez Di Croce is hoping to change. To illustrate his point, the CEO will lay bare details of an authentication bypass vulnerability at the Ekoparty conference today in Buenos Aires.
The vulnerability is the result of a combination of two problems, he explained. First, there is an insecure authentication scheme by design, where the SAP system trusts that connections always come from legitimate authentication proxies. Second, customers failing to properly implement best-practices security settings detailed by SAP, by applying proper network filtering and trust relationships.
“The vulnerability resides in the SAP Application Server Java - which is the base framework for critical components such as SAP Enterprise Portal, SAP Process Integration and SAP Mobile Infrastructure - so all these solutions are affected,” he said.
The vulnerability is trivial to exploit, Nuñez Di Croce explained, noting it only takes on HTTP request with a specially-modified header to make the login screen disappear.
“After discovering this vulnerability, I even found out that there was some vague documentation about its root causes publicly available since 2006,” he said. “Therefore, as for somebody with basic knowledge of SAP and Web security performing this attack is so trivial, I won't be surprised at all to find out that real-world attacks have been performed in the wild during these years.”
Using the vulnerability, an attacker can log-in as the user of his or her choice without specifying a password, allowing them to fully compromise the business information and processes of the target SAP system in the name of fraud or corporate espionage, he said.
“If you think about it, for an attacker to exploit a SoD (segregation of duties) vulnerability, he first needs a user account in the system,” he added. “In the kind of vulnerabilities we are discussing about, attacks can be performed remotely and anonymously, completely bypassing any existing SoD controls. The risk is by far much higher.”
A SAP spokesperson told SecurityWeek that the company works closely with security researchers to identify vulnerabilities and works independently to improve security in their products.
“A trend that we did observe over the last months is the fact that our customers take security more seriously and that our proactive information outreach to our customers is fruitful,” the spokesperson said. “Security is a topic in more and more customer conversations and our security guidelines and recommendations, security services and fixes get more attention than before. This is a very positive trend as it helps to increase the security of our customers.”
According to Nuñez Di Croce, businesses need to find out whether they are exposed to this risk, and then react quickly by applying proper SAP security configurations and reviewing network firewalls to make sure attackers can’t bypass the deployed authentication proxies and access the back-end SAP systems directly.
“These vulnerabilities reside in the base technological frameworks of the SAP systems, which security configuration has been traditionally disregarded,” he said. “Lately, SAP has issued several security notes and guidelines focused exclusively in securing these components. Now customers have to catch-up, but that's definitely not an easy task if they have dozens or hundreds of SAP servers.”
Onapsis released a white paper at Black Hat DC that touches on SAP application security issues.
Releated Resource: Vulnerability Management Buyer's Checklist: Key Questions to Ask