Most SAP implementations continue to be impacted by a security configuration flaw initially documented in 2005, Onapsis warns.
Neglected security configurations and unintentional configuration drifts of previously secured systems render SAP implementations vulnerable despite the release of several Security Notes designed to address the issues. According to Onapsis, a firm that specializes in securing SAP and Oracle applications, 9 out of 10 SAP systems were found vulnerable to the bug.
The security bug impacts SAP Netweaver and can be exploited by a remote unauthenticated attacker who has network access to the system. By targeting the bug, an attacker could gain unrestricted access to the system, thus being able to compromise the platform and all of the information on it, extract data, or shut the system down.
The vulnerability impacts all SAP Netweaver versions. Because SAP Netweaver is the foundation of all SAP deployments, 378,000 customers worldwide are affected, Onapsis says. The vulnerability exists within the default security settings on every Netweaver-based SAP product. Even the next generation digital business suite S/4HANA is impacted.
In a report detailing the vulnerability, Onapsis explains that a protection scheme through ACL (access control list) ensures that SAP Application Servers are registered within the SAP Message Server to work. Registration is performed using internal port 39 (3900 by default), and SAP explained in a Security Note in 2010 that the port should be secured and only accessible by trusted application IP addresses.
The Message Server ACL, designed to check “which IP addresses can register an application server and which ones cannot,” is controlled by a profile parameter (ms/acl_info) that should contain a path to a file with a specific format. SAP published details on how to properly configure this access file in a Security Note in 2015.
“Nevertheless, this parameter is set with default configuration, as well as the ACL contents open, allowing any host with network access to the SAP Message Server to register an application server in the SAP system,” Onapsis explains.
By exploiting the lack of a secure Message Server ACL configuration on a SAP System, an attacker can register a fake Application Server, which could then be abused to achieve full system compromise through more complex attacks.
For a successful attack, however, an actor needs to take advantage of this misconfiguration: access to the Message Server internal port with a default configuration in the ACL. This means that proper configuration of SAP Message Server ACL should mitigate the risks associated with the attack.
Organizations are also advised to implement continuous monitoring and compliance checks to ensure relevant configurations don’t affect the security posture of the system, as well as to implement
a SAP cybersecurity program that helps bridge the gap between teams.
“While much attention this year will go to new vulnerabilities, such as IoT, Meltdown and Spectre, there is a more silent threat lurking behind the scenes that may be as serious and certainly as broad. Many SAP landscapes are so interconnected and complex that taking a system offline to implement a secure configuration can be very disruptive to the organization. That being said, it is critical that organizations ensure that they make the time to implement the configuration. These upgrades must be planned out and timed to have the lowest impact on the organization,” said JP Perez-Etchegoyen, CTO at Onapsis.
Related: SAP Patches Critical Flaws in Business Client
Related: SAP Patches Decade-Old Flaws With March 2018 Patches