Old flaw exposes SAP BUSINESS Applications across the world

Pierluigi Paganini May 12, 2016

Security experts collected evidence that up to 36 global organizations have been hacked via exploits against an old flaw in SAP Business Applications

A five-year-old flaw in SAP software is threatening businesses worldwide: at least 36 global organizations have been hacked via exploits that trigger a vulnerability in SAP Business Applications.

The flaw resides in the SAP application layer, which means it is independent of the operating system and database that support the SAP system.

Affected organizations operated in several industries, including energy, steel manufacturing, telecommunications, utilities, retail, and automotive.

As noted above, it is an old vulnerability that SAP patched more than five years ago, in 2010. The flaw affects built-in functionality in SAP NetWeaver Application Server Java systems.

Experts from the security firm Onapsis confirmed the existence of indicators of exploitation against 36 large-scale global enterprises.

Unauthenticated remote attackers could exploit the vulnerability in SAP BUSINESS apps to gain full access to the vulnerable platforms, resulting in the disclosure of business data and processes.

“The exploitation of the SAP systems of at least 36 global organizations was publicly disclosed during 2013-2016 at a digital forum registered in China. In early 2016, we became aware of this issue after we noticed common similarities within the results of initial Onapsis Security Platform scans at SAP customers, together with indicators of compromise found at SAP forensics & incident response engagements.” reads a blog post published by Onapsis. “The Onapsis Research Labs decided to dig deeper into this topic and realized that public information about these exploitations had been sitting in the public domain for several years. As our research indicates, companies could be actively being exploited.”

Affected companies are located in many countries, including the United States, UK, China, Germany, India, Japan, and South Korea.


Experts at Onapsis believe that it is crucial to share this information within the security industry and report the situation to the affected businesses.

The US Computer Emergency Readiness Team (US-CERT) issued a specific alert (TA16-132A) on the discovery made by the experts at Onapsis.

“The observed indicators relate to the abuse of the Invoker Servlet, a built-in functionality in SAP NetWeaver Application Server Java systems (SAP Java platforms). The Invoker Servlet contains a vulnerability that was patched by SAP in 2010. However, the vulnerability continues to affect outdated and misconfigured SAP systems.” states the US-CERT.
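The US-CERT quote above points to the practical detection question: how does a defender tell whether the Invoker Servlet on a NetWeaver AS Java system is still reachable and being used? The script below is an added example written for this article; it is not code from Security Affairs, Onapsis, US-CERT or SAP. It assumes HTTP access logs in Common Log Format (the `user` field is `-` when no authenticated user is attached to the request) and relies on the Invoker Servlet's path convention, in which a `/servlet/` path segment is followed by the fully qualified name of the servlet class to invoke. The log lines, IP addresses and class names (`com.example.*`) are constructed placeholders, not real SAP servlet classes or observed indicators. The finding a practitioner cares about is an invoker request that was served (2xx) with no authenticated user, since that is exactly the authentication bypass the 2010 patch closes; the remediation itself is applying that patch and disabling the Invoker Servlet, which this script only helps you verify, not perform.

```python
"""Audit an HTTP access log for Invoker Servlet activity on SAP NetWeaver AS Java.

Added example, not part of the original article.  Flags requests whose path
addresses the Invoker Servlet (a "/servlet/<class>" path segment) and reports
which of them were served without an authenticated user.
"""
import re
from collections import Counter

# Constructed sample lines in Common Log Format style (not a real SAP log).
# Addresses are documentation ranges; class names are placeholders.
SAMPLE_ACCESS_LOG = """\
203.0.113.5 - - [10/May/2016:09:12:01 +0000] "GET /irj/portal HTTP/1.1" 200 5120
203.0.113.5 - - [10/May/2016:09:12:07 +0000] "GET /servlet/com.example.PlaceholderServlet HTTP/1.1" 200 812
198.51.100.9 - - [10/May/2016:09:14:30 +0000] "GET /someapp/servlet/com.example.OtherServlet HTTP/1.1" 403 0
203.0.113.5 - - [10/May/2016:09:15:44 +0000] "POST /servlet/com.example.PlaceholderServlet?x=1 HTTP/1.1" 200 1024
192.0.2.17 - jdoe [10/May/2016:09:16:02 +0000] "GET /servlet/com.example.PlaceholderServlet HTTP/1.1" 200 640
192.0.2.17 - - [10/May/2016:09:16:30 +0000] "GET /nwa HTTP/1.1" 302 0
"""

# Common Log Format: ip ident user [timestamp] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3}) (?P<size>\d+|-)$'
)


def parse_line(line):
    """Parse one access-log line into a dict; return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def invoked_class(path):
    """Return the servlet class named after a /servlet/ segment, or None.

    The Invoker Servlet is mapped under a "servlet" path segment inside each
    web application context, so both "/servlet/X" and "/<app>/servlet/X" count.
    The query string is ignored.
    """
    segments = path.split("?", 1)[0].split("/")
    if "servlet" not in segments:
        return None
    i = segments.index("servlet")
    if i + 1 < len(segments) and segments[i + 1]:
        return segments[i + 1]
    return None


def is_invoker_request(path):
    """True if the request path addresses the Invoker Servlet."""
    return invoked_class(path) is not None


def scan_access_log(text):
    """Return the parsed records that address the Invoker Servlet, annotated."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_invoker_request(rec["path"]):
            continue
        rec["served"] = 200 <= rec["status"] < 300   # servlet actually answered
        rec["anonymous"] = rec["user"] == "-"        # no authenticated user
        rec["class"] = invoked_class(rec["path"])
        findings.append(rec)
    return findings


def summarize(findings):
    """Aggregate findings into the numbers an incident responder reports."""
    return {
        "invoker_requests": len(findings),
        "served": sum(1 for f in findings if f["served"]),
        # Served with no authenticated user: the authentication bypass itself.
        "served_anonymous": sum(1 for f in findings if f["served"] and f["anonymous"]),
        "sources": dict(Counter(f["ip"] for f in findings)),
        "classes": sorted({f["class"] for f in findings}),
    }


if __name__ == "__main__":
    for key, value in summarize(scan_access_log(SAMPLE_ACCESS_LOG)).items():
        print(f"{key}: {value}")
```

Run it against a real access log by replacing `SAMPLE_ACCESS_LOG` with the file contents; a non-zero `served_anonymous` count on a system that is supposed to be patched means the Invoker Servlet is still enabled and the 2010 fix or its configuration step has not been applied.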


US-CERT published the list of SAP business solutions that may be affected by the flaw:

  • SAP Enterprise Resource Planning (ERP)
  • SAP Product Life-cycle Management (PLM)
  • SAP Customer Relationship Management (CRM)
  • SAP Supply Chain Management (SCM)
  • SAP Supplier Relationship Management (SRM)
  • SAP Enterprise Portal (EP)
  • SAP Process Integration (PI)
  • SAP Exchange Infrastructure (XI)
  • SAP Solution Manager (SolMan)
  • SAP NetWeaver Business Warehouse (BW)
  • SAP Business Intelligence (BI)
  • SAP NetWeaver Mobile Infrastructure (MI)
  • SAP NetWeaver Development Infrastructure (NWDI)
  • SAP Central Process Scheduling (CPS)
  • SAP NetWeaver Composition Environment (CE)
  • SAP NetWeaver Enterprise Search
  • SAP NetWeaver Identity Management (IdM)
  • SAP Governance, Risk & Control 5.x (GRC)


Pierluigi Paganini

(Security Affairs – SAP BUSINESS, hacking)
