The Department of Homeland Security has issued an alert about a 6-year-old SAP vulnerability that’s still being exploited enough that DHS deems it worthy of special note.
But the responsibility for being vulnerable lies with SAP users. “This is a responsibility that falls on SAP customers' information security teams, service providers and external audit firms,” according to an FAQ about the vulnerability that was put out by Onapsis, an SAP-security vendor.
And the company is right. The fixes should have been applied by now, since SAP has issued them. SAP issued the following statement about the patches:
“The vulnerable component in question ‘Invoker Servlet’ was disabled by SAP in SAP NetWeaver 7.20 that was released in 2010. SAP has released patches to applications under maintenance and therefore, all SAP applications released since then are free of this vulnerability.
“Configuration changes such as these were known to break custom software development by the customer, and this is the reason why the feature was not disabled by default in releases older than SAP NetWeaver 7.20. In the interest of security of SAP operations at customer sites, the security advisory 1445998 released by SAP in Nov 2010 notifies the customer that Invoker Servlet is disabled by default in SAP NetWeaver 7.20, and advises the customer to first disable Invoker Servlet in his environment and then deploy tested custom applications.”
Patching is one of the basics that is always mentioned whenever consultants are asked what steps should be taken to promote security hygiene, but it is one that cannot always be dealt with promptly because:
- Other more urgent fires need to be dealt with.
- Scheduling downtime to install patches is difficult.
- Testing that patches won’t disrupt the performance of other applications eats up a lot of time.
In the case of the old SAP vulnerability, the patches break custom software written to work with the unpatched version, according to Reuters.
US-CERT issued the alert because Onapsis had documented 36 cases worldwide of the vulnerability being exploited against international companies. Onapsis said it considered those known exploits to be just the tip of the iceberg, and US-CERT judged that enough of a threat to issue the alert.
The vulnerability affects an SAP feature known as the Invoker Servlet in combination with a Java weakness. “Exploitation of the Invoker Servlet vulnerability gives unauthenticated remote attackers full access to affected SAP platforms,” the alert says, “providing complete control of the business information and processes on these systems, as well as potential access to other systems.”
According to Onapsis, exploits can execute via HTTPS and without having a valid SAP user in the target system. “In order to exploit this vulnerability, an attacker only needs a Web browser and the domain/hostname/IP address of the target SAP system,” Onapsis’s warning says.