A critical security configuration issue affecting all SAP implementations could provide a remote unauthenticated attacker with unrestricted access to the system, enabling the attacker to modify or extract all information or shut the system down.
The flaw, recently uncovered by researchers at security firm Onapsis, is driven by a security configuration first documented by SAP back in 2005. The issue could potentially be fixed by a patch management system, but SAP systems are known for their complexity.
"While the patch has been available to SAP customers for quite some time, we understand the complexities organizations face when implementing secure configurations," the researchers wrote.
The potential number of affected systems is massive, totaling approximately 378,000 customers worldwide and 87 percent of the Global 2000. "It affects all SAP Netweaver versions and still exists within the default security settings on every Netweaver-based SAP product such as the SAP ERP, including the latest versions such as S/4HANA," the researchers noted.
To mitigate the flaw, organizations need to apply the following three SAP Security Notes, which require an SAP login:
During an analysis last year of hundreds of SAP customer implementations, Onapsis found that approximately 90 percent of those systems were vulnerable to the flaws.
"The Onapsis team believes that this is significant enough to bring public awareness to the issue to notify SAP customers of these hidden threats that might exist in their networks," the researchers wrote.
Still, Onapsis says the researchers haven’t found any evidence of the flaws being exploited in the wild thus far.
"While much attention this year will go to new vulnerabilities, such as IoT, Meltdown and Spectre, there is a more silent threat lurking behind the scenes that may be as serious and certainly as broad," Onapsis CTO JP Perez-Etchegoyen said in a statement.
"Many SAP landscapes are so interconnected and complex that taking a system offline to implement a secure configuration can be very disruptive to the organization," Perez-Etchegoyen added. "That being said, it is critical that organizations ensure that they make the time to implement the configuration. These upgrades must be planned out and timed to have the lowest impact on the organization."
What’s more, the issue remains in the default security settings for every Netweaver-based SAP product, Perez-Etchegoyen noted, making it "almost impossible to ensure that separate teams do not reset the configuration to an insecure setting due to adding, migrating or upgrading a system."