Network Security, Vulnerability Management

Insecure default configuration still endangering SAP users after 13 years

A critically vulnerable default security configuration in SAP systems that was first observed 13 years ago continues to exist in many current implementations, warns a new threat report from the ERP platform security experts at Onapsis.

The insecure configuration is specifically found within SAP Netweaver, a solution stack that serves as the technical foundation for many SAP applications. Unauthorized attackers with network access to these poorly configured systems can exploit the vulnerability to compromise the platform, modify or extract its data, or shut the system down, the report states.

A 2017 review of hundreds of Onapsis clients who use SAP found that roughly 90 percent were vulnerable -- a number that becomes daunting when extrapolated across a customer base of 378,000, says Onapsis in an Apr. 26 blog post, which states the problems result from either "neglecting to apply security configurations or due to unintentional configuration drifts of previously secured systems." 

Onapsis reports that the flaw was first documented in 2005 and affects all past and current versions of Netweaver-based SAP product, "including the latest versions such as cloud and the next generation digital business suite S/4HANA."

Noting that a patch has been available to SAP users for "quote some time," Onapsis says it finally went public with its findings after six months of reaching out to some SAP customers and helping them address the issue.

Seba Bortnick, head of research labs at Onapsis, alluded to the "insecure by default" vulnerability earlier this month in a cable car interview with SC Media at RSA 2018 in San Francisco.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.