Two exploits publicly released in late April at the OPCDE security conference in Dubai could be leveraged to compromise a great number of SAP implementations, Onapsis has warned.
A successful attack would allow remote, unauthenticated attackers to:
- Perform critical business transaction on SAP systems (modify purchase orders, bypassing automatic business controls, etc.)
- Compromise and extract critical business information
- Delete all business application data
- Delete traces of their actions
- Shut the system down.
“This risk to SAP customers can represent a weakness in affected publicly-traded organizations that may result in material misstatements of the company’s annual financial statements (Form 10-K),” said Larry Harrington, former Chairman of the Board of the Institute of Internal Auditors (IIA).
“Further, a breach against these business-critical applications would likely result in the need for disclosure given the recent SEC’s Cybersecurity Disclosure Guidance.”
The time to act is now
The exploits don’t take advantage of security vulnerabilities – the danger lies in misconfigured SAP NetWeaver installations (including S4/HANA), i.e., in misconfigurations in the Access Control List in Gateway or Message Server, which exist in every SAP environment.
The researchers estimate that more than 50,000 companies and a collective 1,000,000 SAP systems are currently running the potentially-affected components, and that nearly 90 percent of these systems suffer from these vulnerable misconfigurations.
The danger of these misconfigurations has been known for years but exploits have been made public only now, and this is why the company sounded the alarm.
Mitigating the danger is easy: administrators need to apply the advice provided in the following SAP Security Notes: 821875, 1408081 and 1421005.
“The onus is on service providers and customers to implement, enforce and monitor tighter security controls on the systems. This can be very challenging and take significant resources, but the stakes are simply too high not to make the suggested configuration changes,” noted Mariano Nunez, CEO and Co-founder, Onapsis.
The company has released two Snort rules that can be used with a threat detection solution to detect real-time attacks leveraging the exploits. There is no indication that attackers have already started using the available exploits.
UPDATE (May 2, 2019, 11:00 p.m. PT):
The Cybersecurity and Infrastructure Security Agency (CISA) published an alert with more details and mitigation advice.