The Department of Homeland Security (DHS) yesterday issued its first-ever public US-CERT security alert pertaining to the active exploit of an SAP enterprise software application, after a security vendor determined that 36 organizations were infiltrated via an SAP vulnerability that was disclosed more than five years ago.
The vendor, Onapsis, which specializes in SAP and Oracle security, also published its own report after its researchers discovered a Chinese online forum that had published details of the exploit, including the three dozen affected companies. The site, accessible on the open Internet, was actively disclosing this information between 2013 and 2016, but it only just came to the attention of the research community.
The vulnerability resides in SAP NetWeaver, the primary computer platform behind most SAP applications—and more specifically in its Invoker Servlet, a rapid development tool for testing custom Java applications. While SAP long ago released security patches for this attack vector, companies with outdated or poorly configured SAP systems remain vulnerable to this exploit, whereby attackers bypass all authentication controls via the Invoker Servlet and subsequently gain access to a wide range of SAP applications.
Even if systems are properly configured and the Invoker Servlet is disabled, that setting is sometimes overridden by default when certain SAP Java applications are installed, again exposing users to the exploit.
In the exploit involving the 36 companies, this vulnerability was leveraged to access an SAP Java application known as the Configuration Wizard/Template Installer, which gives intruders the ability to remotely execute arbitrary operating system commands and generate SAP user accounts. “You are able to create a new user in the SAP system, but without having to be authenticated,” said Mariano Nunez, CEO and co-founder of Onapsis. “That basically opens the door into the system, and then depending what other kinds of applications are running, you can access them.”
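Because the Invoker Servlet is reached by naming a servlet class directly in the URL, a defender can audit web access logs for that addressing style and for such requests arriving without an authenticated user. The following is an added example, not code from the article, Onapsis or SAP; it assumes a simplified, constructed log layout (client, method, path, status, user) rather than the real NetWeaver log format, and the sample lines are constructed.

```python
import re
from collections import Counter

# Constructed sample lines in an assumed, simplified access-log layout:
# client method path status user ("-" means no authenticated user).
SAMPLE_LOG = """\
10.0.0.5 GET /irj/portal 200 jsmith
203.0.113.7 GET /myapp/servlet/com.example.AdminTool 200 -
203.0.113.7 POST /myapp/servlet/com.example.AdminTool 200 -
10.0.0.9 GET /irj/servlet/prt/portal/prtroot/com.sap.portal.navigation.portallauncher.default 200 ahall
203.0.113.7 GET /other/servlet/com.example.UserMgmt 500 -
"""

LINE_RE = re.compile(
    r"^(?P<client>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3}) (?P<user>\S+)$"
)
# Invoker-servlet style addressing: a "/servlet/" segment followed directly by a
# fully qualified Java class name (at least one dot). Paths such as the portal
# runtime's "/servlet/prt/..." do not match because "prt" is not a dotted name.
INVOKER_RE = re.compile(
    r"/servlet/(?P<cls>[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)+)(?:/|$|\?)"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not fit the layout."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def find_invoker_requests(log_text):
    """Return records for requests that address a servlet by class name."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        m = INVOKER_RE.search(rec["path"])
        if m is None:
            continue
        rec["servlet_class"] = m.group("cls")
        rec["unauthenticated"] = rec["user"] == "-"
        hits.append(rec)
    return hits


def unauthenticated_by_client(hits):
    """Count invoker-style requests that carried no authenticated user, per client."""
    return Counter(h["client"] for h in hits if h["unauthenticated"])


if __name__ == "__main__":
    found = find_invoker_requests(SAMPLE_LOG)
    for h in found:
        print(h["client"], h["method"], h["servlet_class"], "unauth" if h["unauthenticated"] else h["user"])
    print(unauthenticated_by_client(found))
```

Any hit at all is worth review on a system where the Invoker Servlet is supposed to be disabled, since a correctly configured server should not be serving such requests; a cluster of unauthenticated hits from one client is the stronger signal.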
Java apps running on the NetWeaver platform that are potentially at risk of abuse via this vulnerability include SAP Enterprise Portal, SAP Business Intelligence and SAP Supply Chain Management, among many others that constitute the very backbone of a company's operations. Connected non-SAP solutions may also be vulnerable, the Onapsis report warns.
Onapsis first contacted the DHS and the affected customers in April 2016. The exploited enterprises have operations across the globe and belong to key industry sectors such as utilities, retail, technology, telecommunications and many more.
Neither Onapsis' report nor the US-CERT alert specifically identified the Chinese forum. However, ERPScan, a competitor of Onapsis, claimed in an email to SCMagazine.com to have “probably” identified the site in question, defining it as a security forum “where Chinese white hats share information about vulnerabilities they identified.” ERPScan said that the data found on this forum pertaining to the number of affected systems correlates with the number of affected organizations in Onapsis' report.
The term “white hat” would seemingly imply that the exploits were not malicious in nature, but rather a case of researchers probing for bugs. However, Nunez told SCMagazine.com that although “We don't really have any evidence that there was malicious intent,” Onapsis' consultations with some of the affected companies revealed that “the impact of the exploits was beyond what was publicly disclosed in the forum” and that there were “indications of malicious activity.” Onapsis stated that it “had no reason to attribute the malicious activity to the individuals who disclosed this in the forum.” Moreover, the openness of the online forum exposed the 36 organizations to further potentially malicious exploitation, and the systems were already vulnerable before this information was shared there. That is why Onapsis says it “know[s] for a fact this is just the tip of the iceberg.”
Certainly, DHS US-CERT found the recent developments worrisome enough to publish what was only its third official public alert so far this year. “I do believe the DHS understood the criticality of what these [SAP] business applications mean to the U.S. economy and also other economies,” said Nunez.
SAP also provided its own statement to SCMagazine.com, in response to the recent findings: “The vulnerable component in question, Invoker Servlet, was disabled by SAP in SAP NetWeaver 7.20 that was released in 2010. SAP has released patches to applications under maintenance and therefore, all SAP applications released since then are free of this vulnerability. Configuration changes such as these were known to break custom software development by the customer, and this is the reason why the feature was not disabled by default in releases older than SAP NetWeaver 7.20.”
SAP further advised customers to “disable Invoker Servlet in [their] environment and then deploy tested custom applications.”
This poses an interesting question: Why are anyone's critical enterprise systems still exposed to a vulnerability that should have been patched or disabled more than five years ago?
According to Nunez, because SAP systems are so heavily customized and complex, they typically require their own separate administrators, separate from a company's IT security staff. Consequently, “information security teams don't have any visibility, control or knowledge of SAP applications.”
And yet, if these companies experienced a major breach or cyberattack as a result of such an exploit, “those information security teams would most likely be on the hook.”