A vulnerability in SAP Java platforms is being actively exploited, despite having been patched in 2010, DHS reported.
The alert noted three dozen global enterprises have been breached by attackers using the unmitigated vulnerability, which was reported by the Boston-based application security firm Onapsis Inc.
Although the vulnerability being exploited was patched in 2010, merely patching the software is not sufficient to remediate the flaw. According to US-CERT, a part of the Department of Homeland Security (DHS), the attacks use "the Invoker Servlet, a built-in functionality in SAP NetWeaver Application Server Java systems (SAP Java platforms)." The vulnerability continues to affect "outdated and misconfigured SAP systems."
Onapsis reported it had discovered indicators of compromise by this vulnerability affecting 36 global enterprises that are "located in, or are co-owned by, corporations in the United States, United Kingdom, Germany, China, India, Japan and South Korea, and span a number of industries, including oil and gas, telecommunications, utilities, retail, automotive and steel manufacturing." Onapsis worked with DHS to notify affected companies before going public with the news.
In a statement provided to SearchSecurity, SAP said the Invoker Servlet component had been disabled by SAP in its SAP NetWeaver 7.20 release in 2010. "SAP has released patches to applications under maintenance and, therefore, all SAP applications released since then are free of this vulnerability."
"Configuration changes such as these were known to break custom software development by the customer, and this is the reason why the feature was not disabled by default in releases older than SAP NetWeaver 7.20," the statement read. "In the interest of security of SAP operations at customer sites, the security advisory 1445998 released by SAP in [November] 2010 notifies the customer that Invoker Servlet is disabled by default in SAP NetWeaver 7.20, and advises the customer to first disable Invoker Servlet in his environment and then deploy tested custom applications."
The vulnerability is quite serious, as the US-CERT alert stated, "Exploitation of the Invoker Servlet vulnerability gives unauthenticated remote attackers full access to affected SAP platforms, providing complete control of the business information and processes on these systems, as well as potential access to other systems."
Onapsis reports details of flaw, exploit
Onapsis wrote in its FAQ that the old flaw is being leveraged to "remotely gain full administrative access to the SAP systems. Exploits can take advantage of this vulnerability over HTTP(S) and without the need to have a valid SAP user in the target system. In order to exploit this vulnerability, an attacker only needs a Web browser and the domain/hostname/IP address of the target SAP system."
According to Onapsis, this issue "is not an SAP problem, but a reigning lack of visibility, governance and control over cybersecurity risks that [are] affecting SAP platforms once they are installed and running. This is a responsibility that falls on SAP customers' information security teams, service providers and external audit firms."
Onapsis stated enterprise security products would not necessarily protect against attacks using this vulnerability. "Given the complexity and degree of customization of SAP applications at most organizations, generic security solutions will miss attack scenarios (false negatives) or alert on regular usage (false positives)."
Configuration, not patching, is the problem
"There are no new patches, nothing has been published by SAP yet and I don't think something will be published," said Alexander Polyakov, CTO at application security firm ERPScan in Palo Alto, Calif. "Old patches were already released by SAP, and now it's the responsibility of administrators to configure it properly."
"It's a configuration issue," Polyakov said. "The patch that was released in 2010 just introduced a new parameter in the system, which administrators needed to enable manually. This is typically how SAP patches security issues in its software, and that's why SAP admins have so many difficulties with securing SAP systems. Simply put, one can't just implement a patch; in most cases, additional configuration is required after that."
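The distinction Polyakov draws, between a system that has the 2010 patch and a system that is actually remediated, is something an audit script can make explicit. The following is an added illustration, not code from SAP, Onapsis or ERPScan. It encodes only what the article states: before NetWeaver 7.20 the Invoker Servlet stays enabled unless the administrator switches it off after applying the patch from SAP Note 1445998, and from 7.20 on it is disabled by default but can still be switched back on. The property name EnableInvokerServletGlobally and the inventory records are assumptions made for the example; substitute whatever your exported servlet_jsp service configuration actually contains.

```python
"""Classify SAP NetWeaver AS Java systems by Invoker Servlet remediation state.

Illustrative audit helper, not vendor code. Assumptions:
- EnableInvokerServletGlobally (assumed name) is the servlet_jsp service switch
  that SAP Note 1445998 introduced; the real exported property may differ.
- Release strings carry a two-digit minor version ("7.02", "7.20", "7.40");
  a one-digit minor such as "7.3" is padded to "7.30".
- The inventory below is constructed sample data, not real systems.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

INVOKER_PROPERTY = "EnableInvokerServletGlobally"   # assumed property name
DISABLED_BY_DEFAULT_FROM: Tuple[int, int] = (7, 20)  # article: off by default since 7.20

UNPATCHED = "unpatched"                      # Note 1445998 missing, no switch exists yet
MISCONFIGURED = "patched-but-misconfigured"  # the article's core finding
REMEDIATED = "remediated"


@dataclass
class JavaSystem:
    sid: str
    release: str                      # NetWeaver Java release, e.g. "7.02"
    note_1445998_applied: bool        # only meaningful below 7.20
    properties: Dict[str, str] = field(default_factory=dict)  # servlet_jsp export


def parse_release(release: str) -> Tuple[int, int]:
    """Turn "7.02" into (7, 2) and "7.3" into (7, 30) so tuples compare correctly."""
    major, _, minor = release.partition(".")
    return int(major), int((minor + "00")[:2])


def parse_bool(value: Optional[str]) -> Optional[bool]:
    """Configuration exports carry strings; None means the key is absent."""
    if value is None:
        return None
    return value.strip().lower() in ("true", "1", "yes", "on")


def invoker_enabled(system: JavaSystem) -> bool:
    """Effective state: an explicit value wins, otherwise the release default
    applies (enabled before 7.20, disabled from 7.20 onward)."""
    explicit = parse_bool(system.properties.get(INVOKER_PROPERTY))
    if explicit is not None:
        return explicit
    return parse_release(system.release) < DISABLED_BY_DEFAULT_FROM


def classify(system: JavaSystem) -> str:
    pre_720 = parse_release(system.release) < DISABLED_BY_DEFAULT_FROM
    if pre_720 and not system.note_1445998_applied:
        return UNPATCHED            # the switch is not even available yet
    if invoker_enabled(system):
        return MISCONFIGURED        # patch level looks fine, exposure remains
    return REMEDIATED


def audit(systems: List[JavaSystem]) -> Dict[str, List[str]]:
    """Group SIDs by state so the misconfigured set can be handed to the
    basis team separately from the systems that simply need the patch."""
    report: Dict[str, List[str]] = {UNPATCHED: [], MISCONFIGURED: [], REMEDIATED: []}
    for system in systems:
        report[classify(system)].append(system.sid)
    return report


# Constructed sample inventory for demonstration only.
SAMPLE_INVENTORY = [
    JavaSystem("PRD", "7.02", note_1445998_applied=False),
    JavaSystem("QAS", "7.02", note_1445998_applied=True),
    JavaSystem("DEV", "7.02", note_1445998_applied=True,
               properties={INVOKER_PROPERTY: "false"}),
    JavaSystem("BIJ", "7.40", note_1445998_applied=False),
    JavaSystem("PIJ", "7.31", note_1445998_applied=False,
               properties={INVOKER_PROPERTY: "true"}),  # someone turned it back on
]

if __name__ == "__main__":
    for state, sids in audit(SAMPLE_INVENTORY).items():
        print(f"{state:27s} {', '.join(sids) or '-'}")
```

The point of the third state is the one the article makes: QAS here has the 2010 patch and would pass a naive patch-level check, yet it is exactly as exposed as PRD until the parameter is actually set. PIJ shows the reverse failure on a newer release, where a default-off feature was re-enabled, which is why the check reads the effective configuration rather than trusting the release number.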