Security researchers claim that a large majority of SAP systems deployed inside organizations are vulnerable to attacks that could completely compromise their sensitive data because of an insecure default configuration.
The issue, which affects a core component of SAP deployments called SAP Netweaver, has been known for more than a decade. However, new versions of the software still ship with the insecure configuration and customers are expected to secure it themselves, according to SAP-focused security firm Onapsis.
Onapsis claims that it has analyzed hundreds of real SAP customer implementations during 2017 and found that around 90 percent of them had the vulnerable configuration. The company has now released a threat report to bring public awareness to the problem and to alert SAP customers.
If not properly secured, Netweaver installations can easily be compromised by unauthenticated attackers who have network access to the system, the Onapsis researchers said. Exploitation can result in unrestricted access to SAP platforms, including access to modify or copy the sensitive business information stored inside.
Onapsis estimates that SAP Netweaver is used by around 378,000 organizations worldwide, including 87 percent of the Forbes Global 2000 companies. And while there is no evidence that this configuration-driven vulnerability has been exploited in the wild, the risk is very high, given the large number of real-world deployments found vulnerable during tests.
“While much attention this year will go to new vulnerabilities, such as IoT, Meltdown and Spectre, there is a more silent threat lurking behind the scenes that may be as serious and certainly as broad,” said JP Perez-Etchegoyen, the CTO of Onapsis. “Many SAP landscapes are so interconnected and complex that taking a system offline to implement a secure configuration can be very disruptive to the organization. That being said, it is critical that organizations ensure that they make the time to implement the configuration.”
Even after a Netweaver configuration is secured, it’s very difficult for organizations to ensure that separate teams don’t later reset it to an insecure setting in the process of migrating or upgrading systems, Perez-Etchegoyen warned.
Like Microsoft, Xen Patches Its Meltdown Patch
Developers of the widely used Xen hypervisor have released a patch this week to fix an issue introduced by its previous mitigation for the Meltdown vulnerability that affects Intel CPUs.
“The workaround for the Meltdown vulnerability (XSA-254) failed to deal with an error code path connecting the INT 80 handling with general exception handling,” the Xen Project said in a security advisory. “This results in an unconditional write attempt of the value zero to an address near 2^64, in cases where a PV guest has no handler installed for INT 80 on one of its vCPU-s.”
The result is that a malicious or buggy operating system could be used to crash the hypervisor, resulting in a denial-of-service (DoS) condition that affects the entire host system. In the context of a virtualized environment, a DoS situation that affects all other guests is a serious problem.
Microsoft also made a serious error in its original Meltdown mitigation, which had the effect of introducing an even more dangerous vulnerability for Windows 7 and Server 2008 systems. The company pushed an out-of-band fix in late March in order to address the new vulnerability, which has been dubbed Total Meltdown by the security community.
A penetration tester named Adam Chester released proof-of-concept exploit code for Total Meltdown this week, so if you have affected systems and haven’t deployed Microsoft’s patch yet, you should do so as soon as possible, as attacks might soon follow.