New Homeland Security Alert Warns of SAP Program Vulnerabilities

The Homeland Security Department is warning that an error in widely used office software is yielding hackers free rein access to networks. 

The product maker, SAP, notified customers of a fix years ago, but organizations that have been hacked as recently as this year, did not update their software, according to the alert from the U.S. Computer Emergency Readiness Team. 

The software "contains a vulnerability that was patched by SAP in 2010. However, the vulnerability continues to affect outdated and misconfigured SAP systems," states the May 11 U.S.-CERT alert. 

Homeland Security cites research by Onapsis, a security provider for SAP, which detected in early 2016 "indicators" of attacks on the SAP business applications of 36 organizations worldwide. 

The victims, who are not named, include multinational enterprises and government agencies operated in the United States, U.K., Germany, China, India, Japan and South Korea. 

About 44 of the world’s military forces run SAP, the software developer says. SAP Public Services received $231 million in federal contract awards from fiscal 2008 through fiscal 2016, according to official government funding website USASpending.gov. It is unknown how many of these installations might be outdated or misconfigured.

In a related threat report from Onapsis, security analysts say, "The reality (and what we believe makes this research even more interesting) is that these indicators had been silently sitting in the public domain for several years."

It is incumbent upon the customer, not SAP, to fix the problem, according to Onapsis. 

"This is a responsibility that falls on SAP customers' information security teams, service providers and external audit firms," the researchers said.

‘Worst Possible Outcome’

The security vulnerability resides in a feature called the Invoker Servlet, which is part of SAP Java platforms.

When the Invoker Servlet is on, bad guys can (and did) operate a tool that requires no user identification and was only intended for testing purposes. That feature, called Configuration Wizard/Template Installer, lets the attacker essentially masquerade as a system administrator.

"The impact of this attack is the worst possible outcome: a remote attacker can execute arbitrary operating systems commands with high-privileges and/or create SAP administration users, simply using a Web browser and without the need to initially have a valid SAP user id and password in the target system," the Onapsis researchers said. 

In its alert, DHS noted that abuse of the vulnerability "gives unauthenticated remote attackers full access to affected SAP platforms, providing complete control of the business information and processes on these systems, as well as potential access to other systems."

To reduce the risk of a hack, Homeland Security recommends following the directions in SAP Security Note 1445998 and disabling the Invoker Servlet. DHS also advises reviewing the Onapsis threat report.

SAP applications power many offices entrusted with intellectual property, human resources data, strategic plans and financial reports, among other sensitive files.

A "wide-scale attack against these applications could have macro-economic impact on most modern economies," the researchers said.

One unidentified Fortune 100 victim tabulated losses from an attack that busted into and shutdown the company's SAP systems at about $22 million per minute, according to Onapsis. 

As Nextgov reported one year ago this week, hackers broke into SAP software in 2013 to read government records on federal employees and contractors with access to classified intelligence.

That program apparently was an SAP enterprise resource planning application owned by background check provider USIS. Sensitive details on tens of thousands of national security personnel were exposed in March 2014. The USIS breach was separate from a gargantuan hack at the Office of Personnel Management, but believed to be part of the same Chinese-sponsored espionage operation. 
 
According to DHS, these SAP office tools could be affected: 

• SAP Enterprise Resource Planning (ERP),
• SAP Product Lifecycle Management (PLM),
• SAP Customer Relationship Management (CRM),
• SAP Supply Chain Management (SCM),
• SAP Supplier Relationship Management (SRM),
• SAP NetWeaver Business Warehouse (BW),
• SAP Business Intelligence (BI),
• SAP NetWeaver Mobile Infrastructure (MI),
• SAP Enterprise Portal (EP),
• SAP Process Integration (PI),
• SAP Exchange Infrastructure (XI),
• SAP Solution Manager (SolMan),
• SAP NetWeaver Development Infrastructure (NWDI),
• SAP Central Process Scheduling (CPS),
• SAP NetWeaver Composition Environment (CE),
• SAP NetWeaver Enterprise Search,
• SAP NetWeaver Identity Management (IdM), and
• SAP Governance, Risk & Control 5.x (GRC)