Hackers Are Exploiting Five-Year-Old SAP Bug

The US-CERT was forced to issue a security alert for the first time ever on Thursday about SAP business applications after it was revealed that outdated or misconfigured systems are being exploited by hackers around the world.

The alert claims at least 36 organizations worldwide in a range of industries are affected by the current issue, first discovered by security firm Onapsis.

The vulnerability in question sits on the application layer, independent of the database application or operating system, it added.

The alert continues:

“The observed indicators relate to the abuse of the Invoker Servlet, a built-in functionality in SAP NetWeaver Application Server Java systems (SAP Java platforms). The Invoker Servlet contains a vulnerability that was patched by SAP in 2010. However, the vulnerability continues to affect outdated and misconfigured SAP systems.”

The result could be catastrophic for affected organizations, allowing unauthenticated remote hackers to gain full access to affected SAP systems and control the associated business information and processes, as well as potentially using it as a stepping stone into other systems.

At least 18 SAP applications are affected, including some of the most popular ones around, such as SAP Enterprise Resource Planning, SAP Customer Relationship Management, and SAP Supply Chain Management.

There’s no suggestion this is SAP’s fault: it patched the vulnerability in question five years ago, so it’s down to customers’ IT teams to ensure the patch is applied properly to lock down any risk.

However, the discovery is likely to be just “the tip of the iceberg” when it comes to SAP security issues, according to Onapsis.

“While several threat reports disclose security incidents as the result of nation-state sponsored cyber campaigns, in this case, the reality (and what we believe makes this research even more interesting) is that these indicators had been silently sitting in the public domain for several years (at a digital forum registered in China),” it wrote in an FAQ.

“Therefore, we don’t have reason to correlate this activity with a nation-state sponsored campaign or a coordinated group effort.”

Aside from invoking SAP Security Note 1445998 and disabling the Invoker Servlet, admins were urged to rescan systems for known vulnerabilities and missing patches; analyze systems for malicious or excessive user authorizations; and monitor for IoCs resulting from exploitation of flaws and suspicious user behavior.

US-CERT also suggested firms identify and analyze the security settings of SAP interfaces between systems and apps “to understand risks posed by this trust relationship”; apply threat intelligence on new vulnerabilities to guard against targeted attacks; define “comprehensive security baselines; and continuously monitor for compliance violations and remediate any deviations. 

What’s Hot on Infosecurity Magazine?