Lukardi


Security Loophole as a Cause of the Cyberattack


For the first time ever, the U.S. Department of Homeland Security has published a report on security threats to SAP systems (US-CERT Alert for cybersecurity of SAP business applications). The report describes the security vulnerability that was used to take over SAP systems.

 

36 organizations fall victim to an attack exploiting a security vulnerability

At least 36 organizations running SAP in their infrastructure were attacked through a security vulnerability that has been known for about 6 years. The attack primarily targeted systems that had not been updated with the SAP Security Notes patches provided. The vulnerability described affects the Invoker Servlet add-on of SAP NetWeaver Application Server Java.

What systems are most at risk?

In this regard, the DHS report indicates that SAP systems running out-of-date software are vulnerable. This applies to systems running on the SAP Java platform, which is the core technology underlying many SAP products, including:
  • Enterprise Resource Planning (ERP),
  • Product Lifecycle Management (PLM),
  • Customer Relationship Management (CRM),
  • Supply Chain Management (SCM),
  • Supplier Relationship Management (SRM),
  • NetWeaver Business Warehouse (BW),
  • Business Intelligence (BI),
  • NetWeaver Mobile Infrastructure (MI),
  • Enterprise Portal (EP),
  • Process Integration (PI),
  • Exchange Infrastructure (XI),
  • Solution Manager (SolMan),
  • NetWeaver Development Infrastructure (NWDI),
  • Central Process Scheduling (CPS),
  • NetWeaver Composition Environment (CE),
  • NetWeaver Enterprise Search,
  • NetWeaver Identity Management (IdM),
  • Governance, Risk & Control 5.x (GRC).
 
The security vulnerability is located in the application layer of the SAP system, so its presence is independent of the operating system and database on which the SAP system runs.
 

What are the effects of exploiting the vulnerability?

Exploitation of the Invoker Servlet vulnerability in question allows a remote, unauthenticated attacker to take full control of the attacked systems. It therefore gives full access to the data and business processes on those systems (and potentially to other systems connected to SAP).

How do you protect yourself?

The surest solution is to apply SAP Security Note 1445998 and disable the Invoker Servlet.
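Two checks a defender would want after reading the two sections above: whether the HTTP access log shows requests addressed to the Invoker Servlet, and whether the setting that the note turns off is actually off. The script below is an added example written for this article; it is not code from Lukardi, SAP or the US-CERT report. It assumes, from my recollection of SAP Note 1445998 rather than from the page, that the Invoker Servlet is reached through URLs of the form /<context>/servlet/<fully.qualified.ClassName> and is disabled by setting the servlet_jsp service property EnableInvokerServletGlobally to false; verify both against the note before relying on them. The log lines are constructed in Common Log Format, so adapt the parsing regex to the format of your AS Java access log.

```python
import re
from collections import Counter

# Constructed sample access-log lines in Common Log Format (not real SAP output).
# Two hosts address servlets by Java class name through the invoker path; the
# last line hits an ordinarily mapped servlet under /servlet/ and must not match.
SAMPLE_LOG = """\
10.0.0.5 - - [12/May/2016:10:01:02 +0000] "GET /irj/portal HTTP/1.1" 200 5120
203.0.113.7 - - [12/May/2016:10:01:09 +0000] "GET /webapp/servlet/com.example.SomeServlet HTTP/1.1" 200 310
10.0.0.8 - - [12/May/2016:10:02:15 +0000] "POST /sap/bc/soap/rfc HTTP/1.1" 401 0
203.0.113.7 - - [12/May/2016:10:02:40 +0000] "GET /webapp/servlet/com.example.OtherServlet?x=1 HTTP/1.1" 200 288
198.51.100.9 - - [12/May/2016:10:03:01 +0000] "GET /other/servlet/org.example.Tool HTTP/1.1" 404 0
10.0.0.5 - - [12/May/2016:10:03:30 +0000] "GET /webapp/servlet/status HTTP/1.1" 200 12
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumption (from SAP Note 1445998, as recalled): the Invoker Servlet serves
# /servlet/<fully.qualified.ClassName>. A dotted Java class name right after
# "/servlet/" is the tell-tale; a plain mapping such as /servlet/status is not.
INVOKER_RE = re.compile(r'/servlet/([A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)+)')


def parse_access_log(text):
    """Return one dict per parseable line; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def find_invoker_requests(entries):
    """Flag requests that address a servlet by class name via the invoker path."""
    hits = []
    for e in entries:
        m = INVOKER_RE.search(e["path"])
        if m:
            hits.append({**e, "servlet_class": m.group(1)})
    return hits


def summarize_by_source(hits):
    """Count flagged requests per source address; a 200 response is the worrying case."""
    return Counter(h["src"] for h in hits)


def invoker_enabled(config_text):
    """Read a key=value dump of the servlet_jsp service (format assumed) and
    return True unless EnableInvokerServletGlobally is explicitly false.
    An absent property is treated as enabled, the conservative reading."""
    for line in config_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "EnableInvokerServletGlobally":
            return value.strip().lower() != "false"
    return True


if __name__ == "__main__":
    hits = find_invoker_requests(parse_access_log(SAMPLE_LOG))
    for h in hits:
        print(f'{h["ts"]} {h["src"]} {h["status"]} {h["servlet_class"]}')
    print("flagged requests per source:", dict(summarize_by_source(hits)))
    print("invoker enabled:", invoker_enabled("EnableInvokerServletGlobally = false"))
```

Run against a real access log, a single 200 response to a class-name URL from an address you do not recognise is worth an incident ticket on its own; the per-source counter is there to make scanning activity stand out. The configuration check is deliberately strict: if the property cannot be found, the script reports the servlet as enabled rather than assuming the secure default.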

Comments from our expert

Given that the vulnerability in question has been known for at least six years, it seems unlikely that this vulnerability has been exploited by hackers. It is also disturbing that the situation affects so many global systems. What does this mean? The fact that the subject of data security is not approached in a structured way causes such omissions at the security level. The difficulty lies primarily in convincing decision makers of the need to invest in solutions that automate SAP security processes.
Daniel Sikorski / SAP Security / BASIS
 

We Manage the Digital Transformation of Your Business

Do you want to secure your business from cyberattacks? Or are you planning a digital transformation or looking for IT specialists for a project? We'd be happy to help. We are here for you. Let's talk about professional IT services for your business.

Tomasz Jurgielewicz

Head of Security Department at Lukardi. For the past 10 years, he has led a team of SAP Security specialists, providing comprehensive services and tools to secure SAP systems and optimize licenses. Experience in the areas of:
  • identification of authorization conflicts and authorization reorganization,
  • identification of SAP vulnerabilities,
  • integration of SIEM solutions with SAP,
  • optimization of SAP licenses.