Onapsis researchers revealed a critical security configuration vulnerability in SAP systems that results from default installations. If the configuration is left insecure in an unprotected environment, it could lead to a full system compromise.
If exploited, the impact could be full control of the system by hackers, putting business-critical ERP, HR, PII, Finance, and Supply Chain data and processes at risk.
Most SAP systems are vulnerable
The vulnerability, mainly driven by a security configuration originally documented by SAP in 2005, is still present in the majority of SAP implementations either from neglecting to apply security configurations or due to unintentional configuration drifts of previously secured systems.
Onapsis has spent the past six months reaching out to SAP customers to alert them and help ensure they are addressing the risk in their landscapes. After analyzing hundreds of real SAP customer implementations, Onapsis found that 9 out of 10 of SAP systems were vulnerable before the Onapsis Risk Assessment or Onapsis Security Platform implementation.
Where is the vulnerability?
The vulnerability is found in SAP Netweaver and can be exploited by a remote, unauthenticated attacker with only network access to the system. Attackers can obtain unrestricted access to SAP systems, enabling them to compromise the platform along with all of its information, modify or extract that information, or shut the system down.
SAP Netweaver is the foundation of all SAP deployments and as such the vulnerability affects all versions of SAP Netweaver, representing 378,000 customers worldwide and 87% of the Global 2000. This risk still exists within the default security settings on every Netweaver-based SAP product, including the latest versions such as cloud and the next generation digital business suite S/4HANA.
“While much attention this year will go to new vulnerabilities, such as IoT, Meltdown and Spectre, there is a more silent threat lurking behind the scenes that may be as serious and certainly as broad. Many SAP landscapes are so interconnected and complex that taking a system offline to implement a secure configuration can be very disruptive to the organization. That being said, it is critical that organizations ensure that they make the time to implement the configuration. These upgrades must be planned out and timed to have the lowest impact on the organization,” said JP Perez-Etchegoyen, CTO at Onapsis.
“Additionally, once the configuration is secured it is almost impossible to ensure that separate teams do not reset the configuration to an insecure setting due to adding, migrating or upgrading a system,” continued Perez-Etchegoyen.