Attackers exploiting six-year old patched SAP bug

Attackers are exploiting organisations who failed to apply a patch SAP issued six years ago and using a vulnerability to take gain full control over their business applications.

The US-CERT and infosec firm Onapsis are warning SAP users to apply the patch to protect them from the Invoker Servlet vulnerability which can be be abused to gain full administrative access to SAP applications.

Many organisations did not implement the patch due to customisations and configurations to older SAP software.

The US CERT issued its first-ever alert about an SAP security problem today, advising customers how to protect themselves.

"This is not a new vulnerability,” Mariano Nunez, chief executive of Onapsis, which works with SAP to plug security holes, said. "Still, most SAP customers are unaware that this is going on."

SAP, which claims 87 percent of the top 2000 global companies as customers, disclosed the vulnerability in 2010 and has offered software patches to fix the flaw.

"All SAP applications released since then are free of this vulnerability," the company said in a statement.

However, it acknowledged that these changes were known to break customised software developments that many customers had implemented using older versions of SAP's software.

The problem continues because a sizeable number of big SAP customers are known to depend on these older versions of the software that in many cases date back years, or in extreme examples, even decades.

The trouble is less of a software issue than one of accountability for how such bugs get fixed, security experts say. Customers rely on a chain of consultants, external audit firms and specialised internal SAP security teams to decide when to install patches without risking destabilising their systems.

Segregation

Thirty-six enterprises have been found to have telltale signs of unauthorised access using the flaw, according to a report to be published today by Onapsis.

Since 2013, the vulnerabilities of the 36 enterprises have been detailed on a Chinese-language online discussion forum, where methods for exploiting outdated or misconfigured SAP NetWeaver Java systems are openly described, Nunez said.

The targets were both prominent Chinese domestic companies and foreign joint ventures.

Onapsis has subsequently found other susceptible SAP customers in the United States, Germany and Britain, Nunez said, but declined to name them.

The targets range from telecommunications to utilities, retail, automotive and steel firms and include more than a dozen with annual turnover of at least US$10 billion, Onapsis said.

"We regard these (known victims) as just the tip of the iceberg, as well as an irrefutable answer to the question: 'Are SAP applications being attacked?'" Onapsis said in its report. Onapsis also works on behalf of 200 SAP customers ranging from Daimler to Siemens to Westinghouse and the US Army.

One major SAP customer who was subject to multiple attacks related to the flaw said the software - originally created to help programmers rapidly test new features - had left open a backdoor to his organisation's inner workings.

When challenged about the issue, SAP's initial response was, "'This isn’t a vulnerability. It's a feature. If you don’t like it you should turn it off'," said the customer, who asked not to be named due to commercial sensitivities.