36 idiots running SAP under attack after flubbing 2010 patch
US-CERT issues first-ever alert for SAP users, advising them to become competent
The United States Computer Emergency Readiness Team has taken the unusual step of enumerating just how many organisations have a particular problem, by calling out “36 organizations worldwide are affected by an SAP vulnerability … that was patched by SAP in 2010.”
You read that right: 2010.
US-CERT is relaying research conducted by Onapsis that says it found at least 36 organisations under active attack thanks to the flaw.
The problem is caused by the “Invoker Servlet”, a component of the NetWeaver Application Server Java systems (SAP Java platforms). Somehow, the dirty 36 have managed to either flub or ignore the patch for years. Onapsis says the flaw means “remote unauthenticated attackers” enjoy “full access to the affected SAP platforms, providing them with complete control of the business information and processes run by them, as well as potentially further access to connected SAP and non-SAP systems.”
Which is bad news, for two reasons. Firstly, some of the 36 vulnerable organisations are multinationals so may well have lots of data. Secondly, the security industry will doubtless read about this problem and shower us all with another round of “Your Business Can Be Hacked Out Of Existence” finger-wagging.
The fix is simple: apply the patch and make sure it works. Or disable the Invoker Servlet.
Both chores sound like child's play for an SAP shop.
US-CERT has nonetheless decided it needs to offer them a little guidance, as follows:
- Scan systems for all known vulnerabilities, such as missing security patches and dangerous system configurations.
- Identify and analyze the security settings of SAP interfaces between systems and applications to understand risks posed by these trust relationships.
- Analyze systems for malicious or excessive user authorizations.
- Monitor systems for indicators of compromise resulting from the exploitation of vulnerabilities.
- Monitor systems for suspicious user behavior, including both privileged and non-privileged users.
- Apply threat intelligence on new vulnerabilities to improve the security posture against advanced targeted attacks.
- Define comprehensive security baselines for systems and continuously monitor for compliance violations and remediate detected deviations.
Again, not stuff you'd think an SAP shop would need to know. But which at least 36 clearly need some help to understand. ®