SAP systems at risk from six-year-old security flaws, warns US-CERT

Fixed by SAP in 2010 - but many systems remain vulnerable, warns US-CERT

The US Computer Emergency Response Team (US-CERT) has warned that hackers are exploiting a security vulnerability in SAP NetWeaver software that dates back to 2010.

According to US-CERT, at least 36 organisations remain exposed to attack today, out of more than 360 that would have been at risk back in 2010, unless they have taken other remedial action to mitigate the risk.

The current exploitation was uncovered by Onapsis, a company that specialises in securing SAP and Oracle business applications. However, the underlying flaw was originally identified in 2010 by its rival, enterprise software security research specialist ERPScan.

"We are aware of this vulnerability and, what's more important, we were the original authors who first identified that this misconfiguration can lead to cyber attacks," ERPScan co-founder and chief technology officer Alexander Polyakov told Computing.

"We [Polyakov and Dmitry Chastukhin] highlighted this issue in 2010-2011, then published a whitepaper and delivered a series of presentations worldwide to warn people about it and help them to securely configure it.

"ERPScan released a free tool, the ERPScan WebXML Checker, that can be used to manually assess SAP configurations and identify this issue as well as some others," added Polyakov.

One of the companies identified today as at risk by Onapsis is one of the top-10 biggest companies in the world by revenue, and more than a dozen of the affected companies have annual turnovers of more than $10bn.

Onapsis refused to name any of the potentially affected companies, according to Reuters, but said that it found vulnerable systems running in the US, UK, China and Germany.

"We regard these [known victims] as just the tip of the iceberg, as well as an irrefutable answer to the question: 'Are SAP applications being attacked?'" Onapsis said in its report.

The US-CERT alert released on Wednesday warned that a hacker exploiting the vulnerability could gain full access to an affected SAP platform, giving them "control of the business information and processes on these systems, as well as potential access to other systems".

Mariano Nunez, chief executive of Onapsis, said: "This is not a new vulnerability. Still, most SAP customers are unaware that this is going on."

SAP explained that the vulnerable feature was fixed in a software update six years ago. "All SAP applications released since then are free of this vulnerability," the company said in an emailed statement, cited by Reuters.

However, SAP acknowledged that these changes were known to break, or disable, customised software developments that many customers had implemented using older versions of SAP's programming language.

"This vulnerability was not easy to patch," admitted Polyakov. "First, it was necessary to analyse many options, and then configure every service securely. Our free tool is intended to make this process easier."

US-CERT urged administrators to scan their systems for the vulnerability and apply the appropriate fixes as soon as possible.

According to Polyakov, ERPScan's tools have been downloaded more than 300 times from the company's website over the past six or so years. And, although Onapsis says that it has uncovered 36 vulnerable organisations, there may be many more at risk.

To hear more about security challenges, the threats they pose and how to combat them, sign up for Computing's Enterprise Security and Risk Management conference, taking place on 24 November. Attendance is free to qualifying IT leaders and professionals.