The Department of Homeland Security has issued an alert about a 6-year-old SAP vulnerability that is still being exploited often enough that DHS deems it worthy of special note.
But the responsibility for being vulnerable lies with SAP users. “This is a responsibility that falls on SAP customers' information security teams, service providers and external audit firms,” according to an FAQ about the vulnerability that was put out by Onapsis, an SAP-security vendor.
And the company is right. The fixes should have been applied by now, since SAP has issued them. SAP issued the following statement about the patches:
“The vulnerable component in question, ‘Invoker Servlet’, was disabled by SAP in SAP NetWeaver 7.20 that was released in 2010. SAP has released patches to applications under maintenance and therefore, all SAP applications released since then are free of this vulnerability.
“Configuration changes such as these were known to break custom software development by the customer, and this is the reason why the feature was not disabled by default in releases older than SAP NetWeaver 7.20. In the interest of security of SAP operations at customer sites, the security advisory 1445998 released by SAP in Nov 2010 notifies the customer that Invoker Servlet is disabled by default in SAP NetWeaver 7.20, and advises the customer to first disable Invoker Servlet in his environment and then deploy tested custom applications.”
Patching is one of the basics that is always mentioned whenever consultants are asked what steps should be taken to promote security hygiene, but it is one that cannot always be dealt with promptly because:
- Other more urgent fires need to be dealt with.
- Scheduling downtime to install patches is difficult.
- And testing that patches won’t disrupt performance of other applications eats up a lot of time.
In the case of the old SAP vulnerability, the patches break custom software written to work with the unpatched version, according to Reuters.
The reason US-CERT issued the alert was that Onapsis came up with 36 cases worldwide of the vulnerability being exploited against international companies. It said it considered those known exploits to be just the tip of the iceberg, and US-CERT thought that enough of a threat to issue the alert.
The vulnerability affects an SAP feature known as the Invoker Servlet in combination with a Java weakness. “Exploitation of the Invoker Servlet vulnerability gives unauthenticated remote attackers full access to affected SAP platforms,” the alert says, “providing complete control of the business information and processes on these systems, as well as potential access to other systems.”
According to Onapsis, exploits can execute via HTTPS and without having a valid SAP user in the target system. “In order to exploit this vulnerability, an attacker only needs a Web browser and the domain/hostname/IP address of the target SAP system,” Onapsis’s warning says.
Steps US-CERT recommends that potential victims can take:
In addition, US-CERT encourages users and administrators to:
- Scan systems for all known vulnerabilities, such as missing security patches and dangerous system configurations.
- Identify and analyze the security settings of SAP interfaces between systems and applications to understand risks posed by these trust relationships.
- Analyze systems for malicious or excessive user authorizations.
- Monitor systems for indicators of compromise resulting from the exploitation of vulnerabilities.
- Monitor systems for suspicious user behavior, including both privileged and non-privileged users.
- Apply threat intelligence on new vulnerabilities to improve the security posture against advanced targeted attacks.
- Define comprehensive security baselines for systems and continuously monitor for compliance violations and remediate detected deviations.
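The baseline-and-compliance step above can be automated for this particular setting. The check below is an added example, not code from US-CERT, SAP or Onapsis; it assumes the global switch is the `servlet_jsp` service property `EnableInvokerServletGlobally` referenced in SAP Note 1445998, exported per AS Java instance into a small JSON inventory of the constructed shape shown, and it applies the article's rule that the Invoker Servlet is disabled by default only from NetWeaver 7.20 onward.

```python
import json
from typing import NamedTuple, Optional, Tuple

# Constructed sample inventory (hostnames and values are made up); one record
# per AS Java instance, with the exported servlet_jsp service properties.
SAMPLE_INVENTORY = json.dumps([
    {"host": "erp-prd-01", "netweaver_release": "7.02",
     "servlet_jsp": {"EnableInvokerServletGlobally": "true"}},
    {"host": "erp-prd-02", "netweaver_release": "7.01",
     "servlet_jsp": {}},
    {"host": "erp-qas-01", "netweaver_release": "7.20",
     "servlet_jsp": {"EnableInvokerServletGlobally": "false"}},
    {"host": "erp-dev-01", "netweaver_release": "7.40",
     "servlet_jsp": {}},
])

class Finding(NamedTuple):
    host: str
    status: str   # "compliant" | "non_compliant" | "verify"
    reason: str

def parse_release(release: Optional[str]) -> Optional[Tuple[int, int]]:
    """'7.20' -> (7, 20); None when the release string is missing or malformed."""
    try:
        major, minor = release.split(".")
        return int(major), int(minor)
    except (AttributeError, ValueError):
        return None

def check_host(entry: dict) -> Finding:
    """Classify one instance against the baseline 'Invoker Servlet disabled'."""
    host = entry.get("host", "?")
    value = entry.get("servlet_jsp", {}).get("EnableInvokerServletGlobally")
    if value is not None:
        # An explicit setting wins over any release default (values are strings).
        if str(value).strip().lower() == "false":
            return Finding(host, "compliant", "Invoker Servlet explicitly disabled")
        return Finding(host, "non_compliant", "Invoker Servlet explicitly enabled")
    rel = parse_release(entry.get("netweaver_release"))
    if rel is None:
        return Finding(host, "verify", "release unknown; confirm the setting manually")
    if rel >= (7, 20):
        # Disabled by default from 7.20 on, but nothing exported proves it here.
        return Finding(host, "verify", "7.20+ default is disabled; no explicit value exported")
    return Finding(host, "non_compliant", "pre-7.20 default leaves Invoker Servlet enabled")

def audit(inventory_json: str) -> list:
    """Run the check over every instance in the JSON inventory."""
    return [check_host(e) for e in json.loads(inventory_json)]

if __name__ == "__main__":
    for f in audit(SAMPLE_INVENTORY):
        print(f"{f.host:12} {f.status:14} {f.reason}")
```

Any `non_compliant` or `verify` result is a deviation to remediate or confirm, which is the continuous-monitoring loop the list item describes.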
The vulnerability has not only been known for years, but indicators of compromise associated with the attacks have also been well known, Onapsis says. “[T]he reality (and what we believe makes this research even more interesting) is that these indicators had been silently sitting in the public domain for several years" at a digital forum registered in China, the company’s alert says. “Therefore, we don’t have reasons to correlate this activity with a nation-state sponsored campaign or a coordinated group effort. However, we know for a fact that this is just the tip of the iceberg.”
According to SAP, it has 310,000 customers in 190 countries, 80% of them small and midsize enterprises. Known businesses affected by the exploit are in China, Germany, India, Japan, South Korea, the United Kingdom and the United States. The affected businesses operate in a range of industries including oil and gas, telecommunications, utilities, retail, automotive and steel manufacturing, Onapsis says.