Old SAP vulnerability scares Homeland Security
But the responsibility for being vulnerable lies with SAP users. “This is a responsibility that falls on SAP customers' information security teams, service providers and external audit firms,” according to an FAQ about the vulnerability that was put out by Onapsis, an SAP-security vendor.
And the company is right. The fixes should have been applied by now.
Patching is one of the basics that is always mentioned whenever consultants are asked what steps should be taken to promote security hygiene, but it is one that cannot always be dealt with promptly because:
In the case of the old SAP vulnerability, the patches break custom software written to work with the unpatched version, according to Reuters.
The reason US-CERT issued the alert was that Onapsis came up with 36 cases worldwide of the vulnerability being exploited against international companies. It said it considered those known exploits to be just the tip of the iceberg, and US-CERT thought that enough of a threat to issue the alert.
The vulnerability affects an SAP feature known as the Invoker Servlet in combination with a Java weakness. “Exploitation of the Invoker Servlet vulnerability gives unauthenticated remote attackers full access to affected SAP platforms,” the alert says, “providing complete control of the business information and processes on these systems, as well as potential access to other systems.”
According to Onapsis, exploits can execute via HTTPS and without having a valid SAP user in the target system. “In order to exploit this vulnerability, an attacker only needs a Web browser and the domain/hostname/IP address of the target SAP system,” Onapsis’s warning says.
Steps US-CERT recommends that potential victims can take:
In addition, US-CERT encourages that users and administrators:
The vulnerability has not only been known for years, but the indicators of compromise associated with the attacks have also been well known, Onapsis says. “[T]he reality (and what we believe makes this research even more interesting) is that these indicators had been silently sitting in the public domain for several years” at a digital forum registered in China, the company’s alert says. “Therefore, we don’t have reasons to correlate this activity with a nation-state sponsored campaign or a coordinated group effort. However, we know for a fact that this is just the tip of the iceberg.”
According to SAP, it has 310,000 customers in 190 countries, 80% of them small and midsize enterprises. Known businesses affected by the exploit are in China, Germany, India, Japan, South Korea, the United Kingdom and the United States. The affected businesses operate in a range of industries including oil and gas, telecommunications, utilities, retail, automotive and steel manufacturing, Onapsis says.