Onapsis, a company that researches the security and compliance of SAP and Oracle applications, has identified a critical security configuration vulnerability in default installations of SAP systems. The weakness could lead to a full system compromise, enabling remote attackers to gain unrestricted access to the system and putting business-critical data and processes at risk.
Boston-based Onapsis has revealed that the insecure configuration, originally documented by SAP in 2005, is still present in many SAP implementations, which therefore remain at risk. Onapsis has issued an extensive threat report explaining the risks and the steps organisations should take to secure the configuration and keep it secure.
On its website, Onapsis also provides links to the SAP Security Notes containing mitigation steps for this vulnerability: SAP Security Notes #821875, #1408081, and #1421005. Access to the SAP Security Notes requires an SAP login.
Onapsis is advising organisations that the vulnerability, found in SAP NetWeaver, exists within the default security settings of every NetWeaver-based SAP implementation, including S/4HANA. Onapsis attributes its persistence to organisations neglecting to apply the documented security configuration, or to unintentional configuration drift in systems that had previously been secured.
“While much attention this year will go to new vulnerabilities, such as IoT, Meltdown and Spectre, there is a more silent threat lurking behind the scenes that may be as serious and certainly as broad,” said JP Perez-Etchegoyen, CTO, Onapsis.
“Additionally, once the configuration is secured, it is almost impossible to ensure that separate teams do not reset the configuration to an insecure setting due to adding, migrating or upgrading a system,” he said.
After analysing hundreds of SAP customer implementations, Onapsis determined that some 90 per cent of SAP systems were vulnerable before implementing the Onapsis Business Risk Assessment or Onapsis Security Platform.
On the report, an SAP spokesperson said, “SAP Product Security Response Team collaborates frequently with research companies like Onapsis to ensure a responsible disclosure of vulnerabilities. All vulnerabilities in question have been fixed using security notes 821875, 1408081, 1421005, which were released in 2005, 2009 and 2010. We strongly advise our customers to secure their SAP landscape by applying the available security patches immediately.”