Many SAP Deployments at Risk Due to Insecure Configuration

Security researchers claim that a large majority of SAP systems deployed inside organizations are vulnerable to attacks that could completely compromise their sensitive data because of an insecure default configuration.

The issue, which affects a core component of SAP deployments called SAP Netweaver, has been known for more than a decade. However, new versions of the software still ship with the insecure configuration and customers are expected to secure it themselves, according to SAP-focused security firm Onapsis.

SAP provides mitigation steps for this vulnerability in several security notes that are only accessible to customers: 821875, 1408081 and 1421005.

Onapsis claims that it has analyzed hundreds of real SAP customer implementations during 2017 and found that around 90 percent of them had the vulnerable configuration. The company has now released a threat report to bring public awareness to the problem and to alert SAP customers.

If not properly secured, Netweaver installations can easily be compromised by unauthenticated attackers who have network access to the system, the Onapsis researchers said. Exploitation can result in unrestricted access to SAP platforms, including access to modify or copy the sensitive business information stored inside.

Onapsis estimates that SAP Netweaver is used by around 378,000 organizations worldwide, including 87 percent of the Forbes Global 2000 companies. And while there is no evidence that this configuration-driven vulnerability has been exploited in the wild, the risk is very high, giving the large number of real-world deployments found vulnerable during tests.

“While much attention this year will go to new vulnerabilities, such as IoT, Meltdown and Spectre, there is a more silent threat lurking behind the scenes that may be as serious and certainly as broad,” said JP Perez-Etchegoyen, the CTO of Onapsis. “Many SAP landscapes are so interconnected and complex that taking a system offline to implement a secure configuration can be very disruptive to the organization. That being said, it is critical that organizations ensure that they make the time to implement the configuration.”

Even after a Netweaver configuration is secured, it’s very difficult for organizations to ensure that separate teams don’t later reset it to an insecure setting in the process of migrating or upgrading systems, Perez-Etchegoyen warned.

Like Microsoft, Xen Patches Its Meltdown Patch

Developers of the widely used Xen hypervisor have released a patch this week to fix an issue introduced by its previous mitigation for the Meltdown vulnerability that affects Intel CPUs.

“The workaround for the Meltdown vulnerability (XSA-254) failed to deal with an error code path connecting the INT 80 handling with general exception handling,” the Xen Project said in a security advisory. “This results in an unconditional write attempt of the value zero to an address near 2^64, in cases where a PV guest has no handler installed for INT 80 on one of its vCPU-s.”

The result is that a malicious or buggy operating system could be used to crash the hypervisor, resulting in a denial-of-service (DoS) condition that affects the entire host system. In the context of a virtualized environment, a DoS situation that affects all other guests is a serious problem.

Microsoft also made a serious error in its original Meltdown mitigation which had the effect of introducing an even more dangerous vulnerability for Windows 7 and Server 2008 systems. The company pushed an out-of-band fix in late March in order to address the new vulnerability which has been dubbed Total Meltdown by the security community.

A penetration tester named Adam Chester released proof-of-concept exploit code for Total Meltdown this week, so if you have affected systems and haven’t deployed Microsoft’s patch yet, you should do as soon as possible as attacks might soon follow.

Lucian Constantin

Featured eBook
7 Must-Read eBooks for Security Professionals

7 Must-Read eBooks for Security Professionals

From AppSec to SecOps, Security Boulevard eBooks deliver in-depth insights into hot topics that matter to the Cybersecurity and DevSecOps professionals. Our staff of writers are the best in the business, with decades of practical and award-winning experience and credentials. We are excited to share our 2019 favorites. Take a look and download some of ... Read More
Security Boulevard

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at [email protected] or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42

lucian-constantin has 298 posts and counting.See all posts by lucian-constantin