Pierluigi Paganini April 29, 2018

Many companies using SAP systems ignore to be impacted by a 13-year-old security configuration that could expose their architecture to cyber attacks.

According to the security firm Onapsis, 90 percent SAP systems were impacted by the vulnerability that affects SAP Netweaver and that can be exploited by a remote unauthenticated attacker who has network access to the system.

Because SAP Netweaver technology is the pillar for SAP solutions, including the SAP ERP and S/4 HANA, at least 378,000 users worldwide are affected.

“How critical is this vulnerability? SAP Netweaver installations, if not properly secured, could be compromised by a remote unauthenticated attacker having only network access to the system.” reads the report published by Onapsis says

“Attackers can obtain unrestricted access to SAP systems, enabling them to compromise the platform along with all of its information, modify or extract this information or shut the system down. It affects all SAP Netweaver versions and still exists within the default security settings on every Netweaver-based SAP product such as the SAP ERP, including the latest versions such as S/4HANA.”

The configuration relates to how components of the SAP infrastructure communicate, with a specific focus on Application Servers, SAP Message Servers, and the SAP Central Instance.

Every time a new app is created, the sysadmin must register the new app (Application Server) with the SAP Message Server, the registration is performed via internal port 39<xx> (3900 by default).

The SAP Message Servers implements an access control list (ACL) mechanism for the access to the registration port.

“The SAP Message Server implements a protection mechanism, also known as ACL or access control list, to check which IP addresses can register an application server and which ones cannot.” continues the report.

“This ACL is controlled by the profile parameter “ms/acl_info”. This parameter should contain a path to a file with the following format: 

HOST=[*| ip-adr | hostname | Subnet-mask | Domin ] [, …]”

SAP published details on how to properly configure this access file in 2005 through SAP Security Note #8218752 ‘security settings in the message server.’

“Nevertheless, this parameter is set with default configuration, as well as the ACL contents open, allowing any host with network access to the SAP Message Server to register an application server in the SAP system.” continues the Onapsis’s report.

An attacker can exploit improper configuration of a secure Message Server ACL to register a fake Application Server that could be abused to gain full control of the SAP install.

The experts highlighted that the issue could be mitigated by properly configuring the SAP Message Server ACL.

Below the Step by step remediation provided by Onapsis:

• Properly configure SAP Message Server ACL. SAP published instructions for this more than ten years ago, which confirms the need for more investment and education in SAP cybersecurity if this vulnerability is still present in your systems.
• Implement continuous monitoring and compliance checks to validate that security-relevant configurations such as the Message Server ACL files do not change the security posture of the entire system.
• Implement an SAP cybersecurity program that helps bridge the gap between teams: Align IT Security, Internal Audit, BASIS and SAP Security teams towards the unified goal of running secure SAP applications.

Pierluigi Paganini

(Security Affairs – SAP, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]