Analysis A vulnerability in SAP systems that some enterprises have failed to patch for six years is more difficult to fix than previously reported and estimates of enterprise exposure are way too low, according to the security consultancy that originally found it.
The vulnerability relates to a misconfiguration flaw in “Invoker Servlet”, a component of the NetWeaver Application Server Java systems (SAP Java platforms).
Figures on exposure to the flaw – which lends itself to remote system compromise – came from enterprise application security specialist Onapsis, which published an FAQ (extract below) to accompany US-CERT’s alert.
The exploitation of the SAP systems of at least 36 global organizations was publicly disclosed during 2013-2016 at a digital forum registered in China. In early 2016, we became aware of this issue after we noticed common similarities within the results of initial Onapsis Security Platform scans at SAP customers, together with indicators of compromise found at SAP forensics & incident response engagements.
ERPScan, the ERP security specialist firm which originally discovered the misconfiguration flaw (research pdf here), said that Onapsis’s figures on exposure to the vulnerability are optimistic by more than an order of magnitude.
Alexander Polyakov, CTO at ERPScan, told El Reg that its research suggests as many as 533 organisations are at risk.
“Onapsis said that 36 organizations were actually breached,” Polyakov told El Reg. “Our assumption is that all of them were just examples of vulnerable systems which white-hats publish on their forum.”
“Onapsis' assumption that those publications on a Chinese forum are examples of cyberattacks is wrong. Where I agree with them is that there are many vulnerable systems (533 at least) and some people probably hacked them for real profit. Not just published a screenshot of a potential deface but really performed [a] cyberattack.”
In a blog post, ERPScan confirms that it has seen attacks based on the vulnerability against its honeypots, systems deliberately left misconfigured in order to log the attack patterns of miscreants.
However, Polyakov reckons threads on some Chinese forums related to the attack may have been made by white hats, including security researchers at Chinese search engine giant Baidu.
“Those examples (indicators of compromise) were just publications from white-hat researchers about the vulnerabilities they found rather than discussing any cyber-activity,” Polyakov told El Reg. “However, we can say that publication of those examples of vulnerable companies with detailed exploit may be used by other cybercriminals for malicious purposes.”
“Not ALL things you can find on a Chinese forum are real cyberattacks. Experts should be more careful when making accusations against foreign countries as it is politically incorrect and can negatively affect the country's reputation. Though we know for sure that such attacks are real, these accusations are almost unfounded. It is not the best way to attract attention,” he added.
El Reg contacted Onapsis via Twitter to see what it made of ERPScan’s rather different take on the issue. We’ll update this story as and when we hear back from the app security specialists.
The Invoker Servlet vulnerability affects business applications running on SAP Java platforms. SAP Java platforms are the base technology stack for many SAP business applications and technical components, so a wide array of systems is potentially affected. Finding which systems need patching is far from trivial.
The reason that some organisations are still exposed to the flaw more than six years after the release of a patch is more complex than simple tardiness or a lackadaisical attitude to patching, according to ERPScan.
“This vulnerability was not easy to patch; first, it was necessary to analyse many options and then configure every service securely,” Polyakov of ERPScan told El Reg.
ERPScan released a free tool (ERPScan WEBXML Checker) to make the process of identifying vulnerable systems and patching easier.
El Reg invited SAP to comment on the US-CERT alert and ERPScan’s take on it. ®
SAP has contacted us since the publication of this story to say: "The vulnerable component in question 'Invoker Servlet' was disabled by SAP in SAP NetWeaver 7.20 that was released in 2010. SAP has released patches to applications under maintenance and therefore, all SAP applications released since then are free of this vulnerability.
Configuration changes such as these were known to break custom software development by the customer, and this is the reason why the feature was not disabled by default in releases older than SAP NetWeaver 7.20. In the interest of security of SAP operations at customer sites, the security advisory 1445998 released by SAP in Nov 2010 notifies the customer that Invoker Servlet is disabled by default in SAP NetWeaver 7.20, and advises the customer to first disable Invoker Servlet in his environment and then deploy tested custom applications.”
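The SAP advice above (disable the invoker servlet, then redeploy custom applications that were tested without it) implies an inventory step: find the deployed applications whose servlets are reachable only through the invoker, because those are the ones that break when it is switched off. The script below is an added example, written for this article and not ERPScan's WEBXML Checker nor SAP's own tooling. It applies the generic Java servlet rule that an invoker-style servlet exposes any declared servlet class under a `/servlet/` path without an explicit `<servlet-mapping>`; that path convention and the two sample `web.xml` descriptors are constructed assumptions, not taken from SAP documentation. It reports, per descriptor, explicit invoker mappings, servlets with no mapping at all (invoker-dependent), and whether any security constraint covers the invoker path.

```python
"""Audit Java web.xml descriptors for reliance on an invoker-style servlet.

Added example (not SAP's or ERPScan's code). Assumption: an invoker servlet
serves declared servlet classes under /servlet/* without an explicit mapping,
so a servlet with no <servlet-mapping> is reachable only through the invoker
and will stop working once the invoker is disabled.
"""
import xml.etree.ElementTree as ET

INVOKER_PREFIX = "/servlet/"  # assumed invoker path convention


def _local(tag):
    """Strip an XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def _text(el, name):
    """Return the stripped text of the first direct child with local name `name`."""
    for child in el:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return ""


def audit_web_xml(xml_text):
    """Return a findings dict for one web.xml document (string)."""
    root = ET.fromstring(xml_text)
    servlets = {}          # servlet-name -> servlet-class
    mapped = set()         # servlet names with at least one explicit mapping
    invoker_mappings = []  # url-patterns that expose the invoker directly
    protected = []         # url-patterns covered by a security-constraint
    for el in root:
        tag = _local(el.tag)
        if tag == "servlet":
            servlets[_text(el, "servlet-name")] = _text(el, "servlet-class")
        elif tag == "servlet-mapping":
            mapped.add(_text(el, "servlet-name"))
            pattern = _text(el, "url-pattern")
            if pattern.startswith(INVOKER_PREFIX):
                invoker_mappings.append(pattern)
        elif tag == "security-constraint":
            # url-pattern sits inside web-resource-collection; iter() walks the subtree
            for node in el.iter():
                if _local(node.tag) == "url-pattern":
                    protected.append((node.text or "").strip())
    unmapped = sorted(name for name in servlets if name not in mapped)
    covered = any(p == "/*" or p.startswith(INVOKER_PREFIX) for p in protected)
    return {
        "invoker_mappings": invoker_mappings,
        "unmapped_servlets": unmapped,            # depend on the invoker to be reached
        "invoker_covered_by_constraint": covered,  # a constraint on /servlet/* or /*
        "action_needed": bool(invoker_mappings or unmapped),
    }


# Constructed sample: 'Admin' has no mapping, so it is only reachable via the invoker
# and no security-constraint applies to it.
SAMPLE_LEGACY = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee">
  <servlet><servlet-name>Report</servlet-name><servlet-class>com.example.ReportServlet</servlet-class></servlet>
  <servlet><servlet-name>Admin</servlet-name><servlet-class>com.example.AdminServlet</servlet-class></servlet>
  <servlet-mapping><servlet-name>Report</servlet-name><url-pattern>/report</url-pattern></servlet-mapping>
  <security-constraint>
    <web-resource-collection><web-resource-name>report</web-resource-name><url-pattern>/report</url-pattern></web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

# Constructed sample: every servlet has an explicit mapping and a constraint.
SAMPLE_FIXED = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee">
  <servlet><servlet-name>Report</servlet-name><servlet-class>com.example.ReportServlet</servlet-class></servlet>
  <servlet><servlet-name>Admin</servlet-name><servlet-class>com.example.AdminServlet</servlet-class></servlet>
  <servlet-mapping><servlet-name>Report</servlet-name><url-pattern>/report</url-pattern></servlet-mapping>
  <servlet-mapping><servlet-name>Admin</servlet-name><url-pattern>/admin</url-pattern></servlet-mapping>
  <security-constraint>
    <web-resource-collection><web-resource-name>all</web-resource-name><url-pattern>/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
</web-app>"""


if __name__ == "__main__":
    for label, doc in (("legacy", SAMPLE_LEGACY), ("fixed", SAMPLE_FIXED)):
        print(label, audit_web_xml(doc))
```

Run it over every `web.xml` extracted from deployed applications before flipping the global switch: an application in the `unmapped_servlets` list needs explicit mappings (and matching security constraints) added and re-tested, which is the "tested custom applications" step SAP describes.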