Nearly 50,000 companies are vulnerable to SAP configuration and patching issues that leave them open to fraud or data breaches, a cybersecurity company has claimed, despite updates and guidance for the vulnerabilities having been issued years ago.
Boston-based cybersecurity firm Onapsis highlighted the vulnerabilities in a report this week that noted the exploits are not inherent to SAP’s coding, but are caused by administrative misconfigurations of SAP NetWeaver installations.
The report is yet another reminder that security so often boils down to human error: misconfigured Amazon S3 buckets and MongoDB databases (just two common examples) continue to be caught spewing private data out into the public by security researchers, often even at credible large companies with a software focus.
Onapsis stated in its report: “These exploits can be executed by a remote, unauthenticated (no username and password) attacker having only network connectivity to the vulnerable systems.”
The consequences could be significant for those affected: “Attackers can also leverage these exploits to perform arbitrary business functions such as creating new vendors or purchase orders, modifying bank accounts and releasing payments, gaining full access to SAP databases, taking SAP systems offline or permanently deleting business-critical and regulated information”, the company added.
Onapsis further found that some of the affected technical components are not typically required to be exposed to networks, yet it recorded ‘numerous’ examples of such systems being exposed directly to the internet. Onapsis estimated that roughly 50,000 companies and 1,000,000 systems are currently operating SAP NetWeaver and S/4HANA.
Drawing on research collected over a ten-year period from its own engagements, it calculated that nearly 90 percent of these systems suffer from the vulnerabilities, despite the issue having already been widely reported.
SAP Configuration and The ACL Server
At the heart of the security issues is how the components of an SAP system communicate with one another internally. Every SAP Application Server registers with the SAP Message Server, which in turn enforces an Access Control List (ACL). The ACL checks the IP addresses or host names of systems attempting to register and acts as the gatekeeper to the system.
The ACL is enabled by the profile parameter ms/acl_info, which should hold the path to a file whose entries take the form:
HOST=[*| ip-adr | hostname | Subnet-mask | Domain ] [, …]
However, Onapsis note that: “This parameter is set with default configuration, as well as the ACL content open, allowing any host with network access to the SAP Message Server to register an application server in the SAP system.”
“If the SAP system lacks a secure Message Server ACL configuration, an attacker can exploit this misconfiguration and register a fake Application Server in the SAP system. An attacker only needs to be able to “speak” to the message server protocol to register a fake Application Server.”
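The following Python script is an added illustration and is not part of the Onapsis report or of SAP's own tooling. It audits the Message Server ACL described above from a defender's side: it reads a representation of the instance profile, follows ms/acl_info to the ACL file, parses entries in the HOST=[*| ip-adr | hostname | Subnet-mask | Domain ] [, …] form quoted above, and flags the open default (no parameter, or a HOST=* entry) that lets any network-reachable host register an application server. The sample profile and ACL contents are constructed, and the exact matching rules for subnet and domain entries (a trailing wildcard octet, a leading wildcard label) are assumptions rather than SAP's documented semantics.

```python
from __future__ import annotations

import fnmatch
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample ACL file contents (not taken from the article or from SAP).
OPEN_ACL = """\
# default-style content: any host may register an application server
HOST=*
"""

RESTRICTED_ACL = """\
# assumed allow-list limited to the real application-server hosts
HOST=10.18.1.21, 10.18.1.22
HOST=10.18.2.*
HOST=*.sap.example.internal
HOST=app03.example.internal
"""

# Constructed instance-profile fragments, represented as parameter -> value dicts.
PROFILE_UNSET = {}
PROFILE_OPEN = {"ms/acl_info": "/sapmnt/EX1/ms_acl_info.open"}
PROFILE_RESTRICTED = {"ms/acl_info": "/sapmnt/EX1/ms_acl_info.restricted"}
ACL_FILES = {
    PROFILE_OPEN["ms/acl_info"]: OPEN_ACL,
    PROFILE_RESTRICTED["ms/acl_info"]: RESTRICTED_ACL,
}


@dataclass
class AclEntry:
    kind: str   # "any", "ip", "subnet", "domain" or "hostname"
    value: str


def classify(token: str) -> AclEntry:
    """Classify one comma-separated HOST value according to the documented grammar."""
    token = token.strip()
    if token == "*":
        return AclEntry("any", token)
    try:
        ipaddress.ip_address(token)
        return AclEntry("ip", token)
    except ValueError:
        pass
    # Assumption: a subnet entry is a dotted prefix ending in a wildcard octet, e.g. 10.18.2.*
    if re.fullmatch(r"(\d{1,3}\.){1,3}\*", token):
        return AclEntry("subnet", token)
    # Assumption: a domain entry is written with a leading wildcard label, e.g. *.example.com
    if token.startswith("*."):
        return AclEntry("domain", token)
    return AclEntry("hostname", token)


def parse_acl(text: str) -> list[AclEntry]:
    """Parse HOST= lines; blank lines and '#' comments are skipped."""
    entries: list[AclEntry] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, rest = line.partition("=")
        if sep != "=" or key.strip().upper() != "HOST":
            raise ValueError(f"unrecognised ACL line: {line!r}")
        entries.extend(classify(t) for t in rest.split(",") if t.strip())
    return entries


def host_allowed(entries: list[AclEntry], ip: str, hostname: str) -> bool:
    """Simulate the gatekeeper: would a host with this IP/name be allowed to register?"""
    for e in entries:
        if e.kind == "any":
            return True
        if e.kind == "ip" and e.value == ip:
            return True
        if e.kind == "subnet" and fnmatch.fnmatchcase(ip, e.value):
            return True
        if e.kind == "domain" and hostname.lower().endswith(e.value[1:].lower()):
            return True
        if e.kind == "hostname" and hostname.lower() == e.value.lower():
            return True
    return False


def audit(profile: dict, acl_files: dict) -> list[str]:
    """Return findings; an empty list means the Message Server ACL is restrictive."""
    findings = []
    path = profile.get("ms/acl_info")
    if not path:
        findings.append("ms/acl_info is not set: Message Server accepts registrations from any host")
        return findings
    text = acl_files.get(path)
    if text is None:
        findings.append(f"ms/acl_info points to a missing file: {path}")
        return findings
    entries = parse_acl(text)
    if not entries:
        findings.append(f"{path} contains no HOST entries")
    for e in entries:
        if e.kind == "any":
            findings.append(f"{path}: HOST=* allows any network-reachable host to register an application server")
    return findings


if __name__ == "__main__":
    for name, profile in [("unset", PROFILE_UNSET), ("open", PROFILE_OPEN), ("restricted", PROFILE_RESTRICTED)]:
        print(name, audit(profile, ACL_FILES) or ["OK: ACL restricts registration"])
```

Running the script reports the unset and open profiles as findings and the restricted one as clean; the host_allowed helper shows why the open file matters, since an arbitrary address from outside the allow-list is accepted under HOST=* but rejected under the restricted list.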
SAP Misconfiguration Issues Addressed Before
SAP has detailed in numerous security notes how to properly configure its network connections, listed below by year of release:
2005 SAP Security Note #821875, ‘Security Settings in the Message Server’, describes the proper Message Server ACL configuration in detail.
2009 SAP Security Note #1408081, ‘Basic Settings for Reg_info and Sec_info’, explains the correct SAP Gateway ACL configuration.
2010 SAP Security Note #1421005 reiterates the guidance of the 2005 security note.
Mariano Nunez, CEO and co-founder of Onapsis, commented: “We feel it is our obligation to support all SAP customers by making detection capabilities that help them protect their business-critical applications open and freely available.”
SAP is directing its clients once again to the security alerts, stressing the need for proper system configurations, and emphasising that security is a collaborative process.
The company told Computer Business Review: “SAP is aware of recent reports about vulnerabilities in SAP Gateway and Message Server, however these have been patched by SAP a few years ago. Security notes 821875, 1408081 and 1421005 released in 2009 and 2013 will protect the customer from these exploits. As always, we strongly advise our customers to apply these security notes immediately and ensure secure configuration of their SAP landscape.”
“SAP takes the security of customer data seriously. The recommendations published in the white papers A Practical Guide for Securing SAP® Solutions and Securing Remote Function Calls (RFC) emphasize secure configuration of the SAP landscape. Customers can enable related security checks in the EarlyWatch Alert (note 863362) and the SAP Security Optimization Service (https://support.sap.com/sos).”