It is 2019 and the second US-CERT alert of the year is focused on cybersecurity issues facing SAP applications. The first US-CERT calling attention to SAP security issues was back in 2016, when the evidence of active exploitation of a vulnerability in SAP JAVA-based systems triggered the generation of TA16-132A. Interestingly enough, the vulnerability had been patched by SAP for over six years by that time and yet it was still being actively exploited to compromise internet-facing SAP applications.
This most recent US-CERT Alert AA19-122A references exploits that were made public by security researchers and can be used to compromise SAP applications through misconfigurations that have been known for more than a decade and yet are still present in a majority of SAP implementations.
In this post, I will walk you through an exercise based on empirical data of more than ten years of conducting cybersecurity projects focused on ERP applications with some of the biggest organizations in the world. This will provide you numbers based on our threat and vulnerabilities research of assessments we performed to SAP customers:
- Vulnerability CVE 2010-5326 (CVSS 10.0) referenced back in 2016 is still present 25% of the time.
- Configuration issues in the SAP Gateway (CVSS 10.0) are found 75% of the time
- Configuration issues in the SAP Message Server (CVSS 10.0) are found 90% of the time
If we combine a few of these points to put the risk in perspective, we can calculate an understanding of the probability of a breach to an ERP application.
- The high probability of finding some of the issues highlighted by US-CERT Alerts (as seen in the previous paragraph)
- The public availability of exploits for these vulnerabilities, including the Invoker Servlet and 10KBLAZE exploits referenced in the latest US-CERT Alert (SAP Message Server and SAP Gateway)
- The evidence that threat actors are actively targeting ERP applications, as was presented last year in a research report we released with Digital Shadows
- In most cases, organizations are at risk because of poor patching and security hygiene, including incorrect or absent log and tracing configurations, leaving them blind towards any potential data breach or system compromise
Based on this, it becomes brilliantly clear that SAP consultants, service providers and customers need to take ERP application security much more seriously. It’s imperative to prioritize organizing cross-functional teams, inclusive of IT Security, IT (ERP Teams) and Internal Audit to build the right processes and objectives towards implementing true security across SAP applications.