A critical SAP vulnerability stayed unpatched for three years prior to its resolution this week, according to application security specialists.
SAP monthly security updates issued on Tuesday addressed a total of 48 vulnerabilities, among them an authentication bypass vulnerability in a service called P4.
The service provides a remote control of SAP’s JAVA platform, for example, all SAP Portal systems. The authentication bypass vulnerability in P4 created a possible mechanism for hackers to read sensitive information.
SAP first tried to fix the flaw three years ago but the patch was flawed, leaving numerous systems vulnerable, according to ERPScan.
“This issue was first reported and patched in 2012,” Alexander Polyakov, CTO and co-founder of ERPScan, told El Reg. “However, during one of our penetration tests, the ERPScan team found out that the issue still affected almost all new versions of the service. For example, the service pack 0.9 for the version 7.2 which is vulnerable, was released in 2013.”
The vulnerable P4 service is usually exposed to the internet, a factor that makes potential exploitation easier. “Scanning conducted by our researchers revealed that there are at least 256 vulnerable services accessible online,” Polyakov reported.
SAP recent patching history offers a precedent for delayed resolution of security problems. For example, the enterprise software firm only resolved a not-especially-serious information disclosure flaw in July – again, three years after it first cropped up. There’s no evidence that any customers experienced a problem as a result of the delay.
El Reg invited SAP to comment on ERPScan’s implied criticism of its delay in delivering a proper fix for the authentication bypass flaw.
The software firm said: “SAP Product Security Response Team collaborates frequently with research companies like ERPScan to ensure a responsible disclosure of vulnerabilities. Security patches are available for download on the SAP Service Marketplace.
"We strongly advise our customers to secure their SAP landscape by applying the available security patches from the SAP Service Marketplace immediately.”
More details of SAP’s October 2016 patch batch – alongside further comment on the tardy resolution of the P4 authentication bypass vulnerability – can be found in a blog post by ERPScan here. ®