Connect with us

Hi, what are you looking for?



13 Year-Old Configuration Flaw Impacts Most SAP Deployments

Most SAP implementations continue to be impacted by a security configuration flaw initially documented in 2005, Onapsis warns.

Most SAP implementations continue to be impacted by a security configuration flaw initially documented in 2005, Onapsis warns.

Neglected security configurations and unintentional configuration drifts of previously secured systems render SAP implementations vulnerable despite the release of several Security Notes designed to address the issues. According to Onapsis, a firm that specializes in securing SAP and Oracle applications, 9 out of 10 SAP systems were found vulnerable to the bug.

The security bug impacts SAP Netweaver and can be exploited by a remote unauthenticated attacker who has network access to the system. By targeting the bug, an attacker could gain unrestricted access to the system, thus being able to compromise the platform and all of the information on it, extract data, or shut the system down.

The vulnerability impacts all SAP Netweaver versions. Because SAP Netweaver is the foundation of all SAP deployments, 378,000 customers worldwide are affected, Onapsis says. The vulnerability exists within the default security settings on every Netweaver-based SAP product. Even the next generation digital business suite S/4HANA is impacted.

In a report detailing the vulnerability, Onapsis explains that a protection scheme through ACL (access control list) ensures that SAP Application Servers are registered within the SAP Message Server to work. Registration is performed using internal port 39<xx> (3900 by default), and SAP explained in a Security Note in 2010 that the port should be secured and only accessible by trusted application IP addresses.

The Message Server ACL, designed to check “which IP addresses can register an application server and which ones cannot,” is controlled by a profile parameter (ms/acl_info) that should contain a path to a file with a specific format. SAP published details on how to properly configure this access file in a Security Note in 2015.

“Nevertheless, this parameter is set with default configuration, as well as the ACL contents open, allowing any host with network access to the SAP Message Server to register an application server in the SAP system,” Onapsis explains.

Advertisement. Scroll to continue reading.

By exploiting the lack of a secure Message Server ACL configuration on a SAP System, an attacker can register a fake Application Server, which could then be abused to achieve full system compromise through more complex attacks.

For a successful attack, however, an actor needs to take advantage of this misconfiguration: access to the Message Server internal port with a default configuration in the ACL. This means that proper configuration of SAP Message Server ACL should mitigate the risks associated with the attack.

Organizations are also advised to implement continuous monitoring and compliance checks to ensure relevant configurations don’t affect the security posture of the system, as well as to implement
a SAP cybersecurity program that helps bridge the gap between teams.

“While much attention this year will go to new vulnerabilities, such as IoT, Meltdown and Spectre, there is a more silent threat lurking behind the scenes that may be as serious and certainly as broad. Many SAP landscapes are so interconnected and complex that taking a system offline to implement a secure configuration can be very disruptive to the organization. That being said, it is critical that organizations ensure that they make the time to implement the configuration. These upgrades must be planned out and timed to have the lowest impact on the organization,” said JP Perez-Etchegoyen, CTO at Onapsis.

Related: SAP Patches Critical Flaws in Business Client

Related: SAP Patches Decade-Old Flaws With March 2018 Patches

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.