Ancient SAP Hole Affects More Than Thought

Wednesday, May 18, 2016 @ 12:05 PM gHale


A five-year-old security issue affecting SAP customers has been greatly underestimated, researchers said.

In fact, they said, the number of affected companies is actually 15 times larger. Earlier this month, security firm Onapsis published a report and revealed attacks against 36 companies that failed to install an SAP security patch issued in 2010.


The flaw attackers exploited allowed them to gain complete control of SAP business platforms via a bug in Invoker Servlet, one of the many components of SAP’s NetWeaver Application Server Java systems (SAP Java platforms).

US-CERT (Computer Emergency Response Team), a division of the US Department of Homeland Security, took notice of the huge security issue, and just issued a public alert to all U.S. companies.

US-CERT and Onapsis recommended that affected companies apply the patch or disable the Invoker Servlet component altogether.

Thirty-six affected companies is one thing, but ERPScan, a security vendor known for its expertise in Java enterprise platforms and its monthly contributions to Oracle and SAP security patches, issued a report saying it detected at least 533 companies vulnerable to these issues.

“Those services can have unique names so that it’s not possible to get the final figure (approximately 500+ systems). Taking into account that most of them belong to Fortune 2000 companies, it’s quite a critical issue to discuss,” said ERPScan’s founder, Alexander Polyakov, in a blog post.

Polyakov also said one of the reasons so many companies skipped SAP’s patch may have been the cumbersome process of installing and testing the fix.

A company’s employee would have had to check whether the invoker servlet was enabled by default, disable it, and then reboot the entire server to confirm the change took effect. This is much more complicated than running a command-line update operation and moving on with your day.
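The two checks a defender wants after reading this are (a) whether the invoker servlet is still switched on in a configuration export and (b) whether anything in the web server's access logs has been reaching it. The script below is an added example, not code from the article, Onapsis, ERPScan or SAP. It assumes two things the page does not state: that the engine setting is exported as a key=value property named `EnableInvokerServletGlobally` (the `servlet_jsp` service setting SAP documents for this; verify the exact key for your release), and that requests routed through the invoker servlet carry a path containing `/servlet/` followed by a Java class name. The configuration excerpt and log lines are constructed sample data, and the servlet class names in them are placeholders.

```python
"""Audit helpers for the SAP Invoker Servlet issue (added example, not from the article).

Assumptions not taken from the page:
  * the global invoker-servlet switch appears in a key=value dump as
    EnableInvokerServletGlobally (assumed property name; check SAP's note);
  * invoker-servlet requests have a URL path containing /servlet/<ClassName>.
"""
import re
from dataclasses import dataclass

INVOKER_FLAG = "EnableInvokerServletGlobally"   # assumed property name
INVOKER_MARKER = "/servlet/"                     # assumed URL pattern

# Generic access-log shape used by the constructed sample below:
#   client - - [time] "METHOD /path HTTP/1.1" status bytes
LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_properties(text):
    """Parse a simple key=value dump into a dict; blank and comment lines are skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def invoker_servlet_enabled(props, default=True):
    """Return True when the invoker servlet is on.

    A missing key is NOT proof it is off: older releases shipped with it enabled,
    so the conservative reading of an absent setting is 'enabled' (default=True).
    """
    value = props.get(INVOKER_FLAG)
    if value is None:
        return default
    return value.strip().lower() in ("true", "1", "yes", "on")


@dataclass
class InvokerHit:
    client: str
    time: str
    path: str
    status: str
    servlet_class: str


def find_invoker_requests(log_lines):
    """Return one InvokerHit per log line whose path goes through /servlet/<class>."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue                      # malformed line: skip rather than crash
        path = m.group("path")
        idx = path.find(INVOKER_MARKER)
        if idx == -1:
            continue
        tail = path[idx + len(INVOKER_MARKER):]
        servlet_class = tail.split("?", 1)[0].split("/", 1)[0]
        hits.append(InvokerHit(m.group("client"), m.group("time"), path,
                               m.group("status"), servlet_class))
    return hits


def audit(properties_text, log_lines):
    """Combine both checks into one report dict."""
    enabled = invoker_servlet_enabled(parse_properties(properties_text))
    return {"invoker_enabled": enabled, "invoker_requests": find_invoker_requests(log_lines)}


# Constructed sample data (not real systems, classes or log entries).
SAMPLE_PROPERTIES = """# constructed excerpt of a servlet_jsp service dump
SomeOtherSetting=42
EnableInvokerServletGlobally=true
"""

SAMPLE_LOG = [
    '203.0.113.7 - - [18/May/2016:12:05:01 +0000] "GET /irj/portal HTTP/1.1" 200 5120',
    '203.0.113.7 - - [18/May/2016:12:05:03 +0000] "GET /app/servlet/com.example.SampleServlet?cmd=list HTTP/1.1" 200 812',
    '198.51.100.9 - - [18/May/2016:12:06:40 +0000] "POST /servlet/com.example.OtherServlet/extra HTTP/1.1" 500 0',
    'this line is not in access-log format',
]

if __name__ == "__main__":
    report = audit(SAMPLE_PROPERTIES, SAMPLE_LOG)
    print("invoker servlet enabled:", report["invoker_enabled"])
    for hit in report["invoker_requests"]:
        print(f"{hit.time} {hit.client} -> {hit.servlet_class} (HTTP {hit.status})")
```

Run it against a real properties export and access log by swapping the two constructed inputs; a `True` from the first check means the mitigation the article describes (disable the servlet, then restart and re-check) has not been completed, and any hits from the second check are worth correlating with the patch date.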