90% of SAP Implementations are Vulnerable to New SAP Vulnerability


Most SAP implementations remain affected by a security-configuration vulnerability first documented in 2005, information security experts warn.

Analysts comment that careless security configurations and unintended drift in previously secured system configurations leave SAP implementations vulnerable, despite the release of security notes designed to address the issue. According to Onapsis information security researchers, 90% of SAP systems were vulnerable to this error.

This vulnerability affects SAP NetWeaver and can be exploited by an unauthenticated remote attacker with network access to the system. By exploiting it, an attacker could obtain unrestricted access to the system and compromise the platform and all the information it contains, extract data, or shut the system down.


The vulnerability affects all versions of SAP NetWeaver. Since SAP NetWeaver is the foundation of SAP implementations, 378,000 customers worldwide are affected, researchers say. The vulnerability lies in the default security configuration of every SAP product based on NetWeaver. Even the next-generation digital business suite S/4HANA is affected.

In a report detailing the vulnerability, Onapsis information security researchers explain that SAP application servers must register with the SAP Message Server in order to function, and that a protection scheme based on an ACL (access control list) governs this registration. Registration takes place over the internal port 39<xx> (3900 by default). SAP explained in a Security Note that this port must be secured and accessible only from the IP addresses of trusted application servers.

The ACL of the message server is designed to verify “which IP addresses can be registered by an application server and which ones are not”; it is controlled by a profile parameter (ms/acl_info) that must contain the path to a file with a specific format. SAP published details on how to configure this access file correctly in a Security Note.

“However, this parameter is configured with the default configuration, as well as with the contents of the ACL open; this allows any host with network access to the SAP Message Server to register an application server in the SAP system,” explain information security professionals of Onapsis.

By exploiting the lack of a secure message server ACL configuration in an SAP system, an attacker can register a fake application server, which could then be abused to achieve total system compromise through more complex attacks.

Researchers note that a successful attack depends on this misconfiguration: access to the internal port of the Message Server combined with a default configuration in the ACL. Proper ACL configuration of the SAP Message Server should therefore mitigate the risks associated with the attack.
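A defender-side check for the open-ACL condition described above, as an added example that is not from the original article, Onapsis or SAP: it parses the text of the file that ms/acl_info points to and flags entries that admit every host or a broad range. The `HOST=<pattern>[, <pattern>]` syntax, the sample contents and the breadth thresholds are assumptions; confirm the file format against the SAP Security Note for your release.

```python
import re

# Constructed sample; HOST=<pattern>[, <pattern>...] is the assumed file syntax.
SAMPLE_ACL = """\
HOST=10.1.20.11, 10.1.20.12
HOST=sapapp*.corp.example
HOST=10.1.*.*
HOST=*
"""

def classify(pattern):
    """Return why a host pattern is too broad, or None if it looks specific."""
    if re.fullmatch(r"\*(\.\*)*", pattern):
        return "matches every host (open ACL)"
    if re.fullmatch(r"[\d*]+(\.[\d*]+){3}", pattern):
        wild = pattern.split(".").count("*")
        # Assumed policy: two or more wildcard octets is wider than one subnet.
        return f"IPv4 wildcard covers {wild} octets" if wild >= 2 else None
    if pattern.startswith("*."):
        return "whole-domain wildcard"
    return None

def audit_acl(text):
    """Return (line_number, entry, reason) findings for an ACL file's text."""
    findings, host_entries = [], 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        match = re.fullmatch(r"HOST\s*=\s*(.+)", line, re.IGNORECASE)
        if not match:
            findings.append((lineno, line, "unrecognized line"))
            continue
        for pattern in filter(None, (p.strip() for p in match.group(1).split(","))):
            host_entries += 1
            reason = classify(pattern)
            if reason:
                findings.append((lineno, pattern, reason))
    if host_entries == 0:
        # Line 0 marks a file-level finding rather than a specific entry.
        findings.append((0, "", "no HOST entries found; review the ACL"))
    return findings

if __name__ == "__main__":
    for lineno, entry, reason in audit_acl(SAMPLE_ACL):
        print(f"line {lineno}: {entry!r}: {reason}")
```

Run it against a copy of each instance's ACL file as part of a recurring configuration check, and treat any finding as a reason to compare the file with the list of trusted application server addresses.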

JP Perez-Etchegoyen, CTO of Onapsis, commented that “This year attention will be devoted to new vulnerabilities, such as IoT, Meltdown and Spectre; there is a more silent threat lurking that can be so serious and so wide. So interconnected and complex that disconnecting a system to implement a secure configuration can be very disruptive to the organization. It is essential that organizations make sure they take the time to implement the configuration. These updates should be planned and scheduled to have the least impact on the organization.”

Information security researchers recommend that organizations implement continuous controls and compliance checks to ensure that the relevant configurations do not affect the security posture of the system, and that they run an SAP security program that helps close the gap between the devices.