US Homeland Security issues security alert over SAP systems

The United States Computer Emergency Readiness Team (US-CERT), part of the US Department of Homeland Security, has for the first time issued a security alert about a vulnerability in SAP systems. The flaw is not new; it affects systems that are outdated or misconfigured.

According to the alert, at least 36 organisations worldwide have been affected by an SAP vulnerability in the Invoker Servlet, a built-in component of SAP NetWeaver Application Server Java (AS Java) that lets a servlet be called directly by its Java class name, bypassing the servlet mappings and access restrictions the application declares. SAP released a fix in 2010, so the systems still exposed are those that were never patched or whose configuration still enables the servlet.

The affected companies were located in or co-owned by corporations in the United States, United Kingdom, Germany, China, India, Japan, and South Korea, and spanned industries including oil and gas, telecommunications, utilities, retail, automotive, life sciences, consumer products, chemicals, high tech, engineering, construction, operations, industrial machinery and components, the public sector and higher education. Among them was one of the ten highest-grossing companies by annual revenue, and 13 enterprises that each generate over $10 billion in annual revenue.

Security researchers from Onapsis discovered indicators of exploitation against the organisations’ SAP business applications, and worked with Homeland Security to ensure the companies were notified and could mitigate the cybersecurity risks.

The vulnerability sits in the SAP application layer, not in the operating system or database underneath it. It allows unauthenticated remote attackers to gain full access to affected SAP platforms, giving them complete control of the business information and processes on those systems and a foothold from which to reach other connected systems. Because the flaw lives in the application layer, network and operating-system controls do not see it; it has to be addressed by patching and monitoring the SAP platform itself.

To protect against this threat, the alert recommends that users and administrators apply SAP Security Note 1445998 and disable the Invoker Servlet, scan their systems for all known vulnerabilities, and monitor them for signs of compromise or suspicious user behaviour. Since the exposed systems include ones that were patched but remain misconfigured, applying the note alone is not sufficient: confirm afterwards that the servlet really is disabled and that no application has re-enabled it.

The recommendations apply to SAP systems in public, private and hybrid cloud environments.
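One way to act on the monitoring and configuration-check recommendations, as an added example that is not part of the US-CERT alert or of Onapsis' report: a small Python script that flags access-log requests addressed to a servlet by class name through the Invoker Servlet URL pattern, groups the ones that were actually served, and checks the global switch that SAP's guidance for Note 1445998 uses to turn the servlet off. The log lines, host paths and class names are constructed for the example; the property name EnableInvokerServletGlobally of the servlet_jsp service is taken from SAP's guidance and should be confirmed against the note for your release.

```python
import re
from typing import Dict, Iterable, Iterator, List, Optional, Tuple

# The Invoker Servlet addresses a servlet by its fully qualified Java class
# name under a "servlet/" path segment, e.g. /<webapp>/servlet/com.acme.Foo,
# bypassing the servlet mapping (and any security constraints) declared by
# the application. Requests of this shape are what to hunt for in logs.
INVOKER_RE = re.compile(
    r"(?:^|/)servlet/"                             # invoker path segment
    r"([A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)+)"   # fully qualified class
    r"(?=[/?;]|$)"                                 # class name ends here
)

# Common Log Format, as written by a reverse proxy in front of AS Java.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def invoker_servlet_class(path: str) -> Optional[str]:
    """Return the Java class named in `path` when the request goes through the
    Invoker Servlet URL pattern, otherwise None."""
    m = INVOKER_RE.search(path)
    return m.group(1) if m else None


def scan_access_log(lines: Iterable[str]) -> Iterator[Tuple[str, str, int]]:
    """Yield (client_ip, class_name, http_status) for every logged request
    that uses the invoker pattern. Lines that do not parse are skipped."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        cls = invoker_servlet_class(m.group("path"))
        if cls:
            yield m.group("ip"), cls, int(m.group("status"))


def answered_by_class(lines: Iterable[str]) -> Dict[str, List[str]]:
    """Group the client IPs whose invoker requests were served (2xx/3xx) by the
    class they reached. A served request means the servlet is enabled and the
    class exists; a 403/404 is a probe that did not get through."""
    served: Dict[str, List[str]] = {}
    for ip, cls, status in scan_access_log(lines):
        if 200 <= status < 400:
            served.setdefault(cls, []).append(ip)
    return served


def invoker_servlet_enabled(servlet_jsp_properties: Dict[str, str]) -> bool:
    """True if the global switch is missing or not "false". Assumption: the
    property is EnableInvokerServletGlobally of the servlet_jsp service, as in
    SAP's guidance for Note 1445998; verify against the note for your release."""
    value = servlet_jsp_properties.get("EnableInvokerServletGlobally", "true")
    return value.strip().lower() != "false"


# Constructed sample lines (not real traffic): two ordinary portal requests,
# one invoker request that was served, one that was rejected.
SAMPLE_LOG = [
    '198.51.100.7 - - [11/May/2016:10:01:02 +0000] "GET /irj/portal HTTP/1.1" 200 5120',
    '198.51.100.7 - - [11/May/2016:10:01:05 +0000] "GET /irj/servlets/images/logo.png HTTP/1.1" 200 312',
    '203.0.113.9 - - [11/May/2016:10:02:11 +0000] "GET /someapp/servlet/com.example.InternalServlet?param=list HTTP/1.1" 200 2048',
    '203.0.113.9 - - [11/May/2016:10:02:14 +0000] "POST /someapp/servlet/com.example.OtherServlet;jsessionid=abc HTTP/1.1" 403 0',
]

if __name__ == "__main__":
    for ip, cls, status in scan_access_log(SAMPLE_LOG):
        print(f"{ip} -> {cls} ({status})")
    print("served:", answered_by_class(SAMPLE_LOG))
    print("invoker enabled:", invoker_servlet_enabled({"EnableInvokerServletGlobally": "true"}))
```

A served invoker request (a 2xx/3xx answer to a /servlet/<class> path) is the strongest single indicator here: it proves both that the servlet is still enabled and that the named class exists on the system, so it should be investigated regardless of whether the class looks benign.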

The threat report by Onapsis is available here.