Configuration vulnerability could leave SAP systems open to compromise
A vulnerability arising from the default installation of the popular business management platform SAP could lead to a full compromise of the system, researchers say.
SAP security and compliance specialist Onapsis has revealed the flaw, which is found in SAP NetWeaver and can be exploited by a remote, unauthenticated attacker with only network access to the system.
Driven by a security configuration originally documented by SAP in 2005, the problem is still present in the majority of SAP implementations, either because customers have neglected to apply the security configuration or because of unintentional configuration drift in previously secured systems. Onapsis has spent the past six months contacting SAP customers to alert them and help ensure they are addressing the risk in their landscapes.
After analyzing hundreds of real SAP customer implementations, Onapsis has found that nine out of 10 SAP systems were vulnerable before the Onapsis Risk Assessment or Onapsis Security Platform implementation.
"While much attention this year will go to new vulnerabilities, such as IoT, Meltdown and Spectre, there is a more silent threat lurking behind the scenes that may be as serious and certainly as broad," says JP Perez-Etchegoyen, CTO at Onapsis. "Many SAP landscapes are so interconnected and complex that taking a system offline to implement a secure configuration can be very disruptive to the organization. That being said, it is critical that organizations ensure that they make the time to implement the configuration. These upgrades must be planned out and timed to have the lowest impact on the organization."
SAP has issued a statement on the vulnerability: "SAP Product Security Response Team collaborates frequently with research companies like Onapsis to ensure a responsible disclosure of vulnerabilities. All vulnerabilities in question have been fixed using security notes 821875, 1408081, 1421005, which were released in 2005, 2009 and 2010. We strongly advise our customers to secure their SAP landscape by applying the available security patches immediately."
Onapsis Research Labs has produced a threat report to help SAP customers understand the risk and business impact of leaving this configuration insecure. The report also outlines the steps an organization can take to configure the system securely and ensure that it stays that way. You can download the report and request a free scan on the Onapsis website.