SAP vulnerability exploited to compromise enterprises worldwide

A SAP vulnerability, patched over five years ago, is being leveraged to exploit SAP systems of many large-scale global enterprises, US-CERT warns.

At least 36 organizations in the US, the UK, Germany, China, India, Japan, and South Korea, spanning a number of industries, have had their SAP business applications compromised via this flaw, says SAP security company Onapsis.

The company’s researchers have discovered that the exploitation of this flaw and the compromises of those organizations were publicly disclosed on a digital forum registered in China during the last three years.

“In early 2016, we became aware of this issue after we noticed common similarities within the results of initial Onapsis Security Platform scans at SAP customers, together with indicators of compromise found at SAP forensics & incident response engagements. The Onapsis Research Labs decided to dig deeper into this topic and realized that public information about these exploitations had been sitting in the public domain for several years,” they shared.

The researchers notified the affected companies, who then remediated the problem. US-CERT was also contacted, and public disclosure of the problem was coordinated.

The SAP vulnerability

“The core vulnerability being exploited has been identified as the Invoker Servlet vulnerability, which was patched by SAP in 2010. This is being leveraged in tandem with a sensitive SAP Java application to remotely gain full administrative access to the SAP systems,” the researchers explained.

“Exploits can take advantage of this vulnerability over HTTP(S) and without the need to have a valid SAP user in the target system. In order to exploit this vulnerability, an attacker only needs a Web browser and the domain/hostname/IP address of the target SAP system.”

This type of foothold can also be used to access other systems.

An extensive and likely still not complete list of potentially affected SAP business solutions and technical components has been provided, and companies that deployed them are urged to check whether they have been working on outdated and misconfigured SAP systems. If they did, they should check whether they have been compromised.

US-CERT recommends users and administrators implement SAP Security Note 1445998 and disable the Invoker Servlet.

The scope of the danger

Onapsis researchers do not believe that the attacks mounted via this flaw are the work of nation-state-backed hackers or another group.

But, they do believe that these documented attacks are just the tip of the iceberg.

“Software will always have security vulnerabilities and the most a vendor can do once an issue is discovered is to release a security patch quickly. In this specific case, SAP made a patch available more than 5 years ago,” the researchers concluded.

“Therefore, what this news illustrates is not an SAP problem but the reigning lack of visibility, governance and control over cyber security risks affecting SAP platforms once they are installed and running, a responsibility that falls on SAP customers’ information security teams, service providers and external audit firms.”