Old SAP vulnerability scares Homeland Security

Attackers exploit a weakness that SAP patched six years ago

The Department of Homeland Security has issued an alert about a 6-year-old SAP vulnerability that’s still being exploited enough that DHS deems it worthy of special note.

But the responsibility for being vulnerable lies with SAP users. “This is a responsibility that falls on SAP customers' information security teams, service providers and external audit firms,” according to an FAQ about the vulnerability that was put out by Onapsis, an SAP-security vendor.

And the company is right. The fixes should have been applied by now.

Patching is one of the basics that is always mentioned whenever consultants are asked what steps should be taken to promote security hygiene, but it is one that cannot always be dealt with promptly because:

  • Other more urgent fires need to be dealt with.
  • Scheduling downtime to install patches is difficult.
  • And testing that patches won’t disrupt performance of other applications eats up a lot of time.

In the case of the old SAP vulnerability, the patches break custom software written to work with the unpatched version, according to Reuters.

The reason US-CERT issued the alert was that Onapsis came up with 36 cases worldwide of the vulnerability being exploited against international companies. It said it considered those known exploits to be just the tip of the iceberg, and US-CERT thought that enough of a threat to issue the alert.

The vulnerability affects an SAP feature known as the Invoker Servlet in combination with a Java weakness. “Exploitation of the Invoker Servlet vulnerability gives unauthenticated remote attackers full access to affected SAP platforms,” the alert says, “providing complete control of the business information and processes on these systems, as well as potential access to other systems.”

According to Onapsis, exploits can execute via HTTPS and without having a valid SAP user in the target system. “In order to exploit this vulnerability, an attacker only needs a Web browser and the domain/hostname/IP address of the target SAP system,” Onapsis’s warning says.

Steps US-CERT recommends that potential victims can take:

In addition, US-CERT encourages that users and administrators:

  • Scan systems for all known vulnerabilities, such as missing security patches and dangerous system configurations.
  • Identify and analyze the security settings of SAP interfaces between systems and applications to understand risks posed by these trust relationships.
  • Analyze systems for malicious or excessive user authorizations.
  • Monitor systems for indicators of compromise resulting from the exploitation of vulnerabilities.
  • Monitor systems for suspicious user behavior, including both privileged and non-privileged users.
  • Apply threat intelligence on new vulnerabilities to improve the security posture against advanced targeted attacks.
  • Define comprehensive security baselines for systems and continuously monitor for compliance violations and remediate detected deviations.

The vulnerability has not only been known for years, but indicators of compromise associated with the attacks has also been well known, Onapsis says. “[T]he reality (and what we believe makes this research even more interesting) is that these indicators had been silently sitting in the public domain for several years" at a digital forum registered in China, the company’s alert says. “Therefore, we don’t have reasons to correlate this activity with a nation-state sponsored campaign or a coordinated group effort. However, we know for a fact that this is just the tip of the iceberg.”

According to SAP, it has 310,000 customers in 190 countries, 80% of them small and midsize enterprises. Known businesses affected by the exploit are in the China, Germany, India, Japan, South Korea, the United Kingdom and the United States. The affected businesses operate in a range of industries including oil and gas, telecommunications, utilities, retail, automotive and steel manufacturing, Onapsis says.

Join the CSO newsletter!

Error: Please check your email address.

More about

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Tim Greene

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts