A 13-year-old SAP configuration flaw in SAP NetWeaver systems was discovered by cybersecurity vendor Onapsis. What does the configuration flaw affect and how can it be fixed?
According to a recent report from Onapsis Inc., a cybersecurity company based in Boston and specializing in monitoring and protecting SAP and Oracle business applications, a configuration flaw that was first reported to SAP by Onapsis CEO Mariano Nunez in 2005 is still leaving as many as nine out of 10 SAP systems vulnerable to compromise.
The configuration flaw affects SAP NetWeaver -- the foundation for many SAP applications deployed worldwide. Affected applications include supplier relationship management, product lifecycle management, enterprise resource planning, transportation management and SAP's next-generation digital business suite S/4HANA.
The original vulnerability enabled unauthenticated users to exploit unprotected remote function call gateways to bypass SAP security controls, potentially taking full remote control of SAP systems. While SAP addressed the configuration vulnerability by securely delivering access control lists, Onapsis reported earlier this year that some SAP services -- such as the SAP Message Server -- may still be vulnerable to remote attacks.
The flaw can be traced to the lack of a secure Message Server access control list configuration on SAP systems; in particular, the profile parameter ms/acl_info. Without a restrictive ACL, an attacker can register a fake application server with the message server, because the default access authorization accepts any hostname, domain or IP address. Port 3900 is the default internal message server port.
SAP system administrators can fix this vulnerability by setting the profile parameter rdisp/msserv_internal = <value>. The default configuration sets this parameter to zero, which means that no separate port is used for internal communication with application servers.
With a nonzero value, the message server opens a second, internal port in addition to its own port, sapms<SID> (rdisp/msserv), and that internal port is used for communication with the application servers. Application servers must log on through this internal port; an application server that attempts to log on through sapms<SID> is denied access. All fixes should be tested to ensure they do not create new vulnerabilities in SAP systems.
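As an added example (not from the original article and not SAP's own tooling), the following Python audit reads an SAP instance profile and its Message Server ACL file and flags the weak settings discussed above. The profile and ACL lines are constructed samples, and the ms_acl_info line format (one entry per line, HOST=<name or *> with optional DOMAIN=/NET=/SUBNET= fields) is an assumption about the file layout.

```python
import re

# Constructed sample instance profile lines (not taken from a real system).
WEAK_PROFILE = """
SAPSYSTEMNAME = PRD
rdisp/msserv = sapmsPRD
rdisp/msserv_internal = 0
"""

FIXED_PROFILE = """
SAPSYSTEMNAME = PRD
rdisp/msserv = sapmsPRD
rdisp/msserv_internal = 3900
ms/acl_info = /usr/sap/PRD/SYS/global/ms_acl_info
"""

# Constructed ACL file contents. Assumed format: one entry per line,
# HOST=<hostname or *> with optional DOMAIN=, NET= and SUBNET= fields.
PERMISSIVE_ACL = "HOST=*\n"
STRICT_ACL = "HOST=app01 DOMAIN=corp.example\nHOST=app02 DOMAIN=corp.example\n"


def parse_profile(text):
    """Return {parameter: value} from 'key = value' lines, ignoring '#' comments."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            params[key.strip()] = value.strip()
    return params


def audit_message_server(profile_text, acl_text=None):
    """Return a list of findings; an empty list means the checks pass."""
    params = parse_profile(profile_text)
    findings = []
    # Default 0: application servers share the external port sapms<SID>.
    if params.get("rdisp/msserv_internal", "0") == "0":
        findings.append("rdisp/msserv_internal is 0: no separate internal port")
    if "ms/acl_info" not in params:
        findings.append("ms/acl_info not set: no Message Server ACL in force")
    elif acl_text is not None:
        for entry in acl_text.splitlines():
            # A wildcard host entry lets any host register as an application server.
            if re.search(r"\bHOST=\*", entry):
                findings.append(f"ACL entry '{entry.strip()}' permits any host to register")
    return findings
```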
Ask the expert:
Want to ask Judith Myerson a question about security? Submit your question now via email. (All questions are anonymous.)