Security researchers at Onapsis have found an old vulnerability in SAP business applications that dates back to as early as 2013, highlighting a serious risk facing dozens of businesses worldwide.
In a parallel announcement, the U.S. Department of Homeland Security alerted enterprises based in the United States, United Kingdom, India, Japan, Germany, China and South Korea to the high-risk SAP flaw, which affects SAP Java applications and critical business processes run by many organizations and companies.
The vulnerability, according to Onapsis, could expose the critical business information and processes of affected enterprises to attackers, enabling them to take full control of those assets, and of the vast trove of data they hold, without any authentication. Some non-SAP systems are also affected.
Onapsis pointed to a bug in the J2EE specification called the Invoker Servlet, which developers use to test Java applications. The servlets can be called over the Internet without any authorization, meaning that anyone can call them at any time. With full access to this functionality, attackers can manipulate and exploit critical systems across various industries as long as they know the servlet’s URL. That is why it alarmed Homeland Security, especially since attackers can also create accounts and control the operating system.
Although SAP had already made it possible to disable the Invoker Servlet in its applications by default, attackers were still able to reach the Invoker Servlet and carry out arbitrary commands on SAP systems by sending forged HTTP or HTTPS requests to insecure SAP systems, circumventing authentication controls.
How serious could it get? For one, an attacker can escalate privileges to execute arbitrary commands on the operating system and use any web browser to create administrative user accounts in SAP systems, even without a valid SAP user ID and password. SAP appears to be downplaying the flaw, however, even though its recent patch note indicates otherwise.
Security experts now warn that custom Java applications must be reviewed, and any irregular behavior in those apps monitored, even though users are now able to disable the Invoker Servlet. That is because custom SAP Java applications can be used to override the setting, according to experts.
Security experts also recommend that administrators of SAP systems keep an eye on critical system patches from now on, as SAP regularly releases patches every month. They lament that the incident highlighted how narrow the visibility of SAP security teams is into the vulnerabilities lingering in SAP systems.
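The two points above, that the flaw is reached simply by requesting the servlet's URL over HTTP or HTTPS (fourth and fifth paragraphs) and that irregular behavior in Java applications should be monitored (this paragraph), suggest a concrete defensive check: scan web-server access logs for requests that go through the Invoker Servlet path. The script below is an added example, not code from Onapsis, SAP or this article. It assumes the standard J2EE invoker convention in which a servlet is reached as `/<context>/servlet/<servlet-or-class-name>` directly under the application's context root; the log lines are constructed in combined log format for the example, not real traffic.

```python
import re
from typing import Dict, List, Optional

# Constructed sample access-log lines in combined log format (not real traffic).
# Two requests from 10.0.0.7 reach an invoker-style path and are served (HTTP 200);
# one from 10.0.0.9 hits the same path but is rejected (HTTP 403); the rest are
# ordinary requests that must not be flagged.
SAMPLE_LOG = """\
10.0.0.5 - - [10/May/2016:14:03:11 +0000] "GET /irj/portal HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.0.0.7 - - [10/May/2016:14:03:15 +0000] "GET /webapp/servlet/com.example.InternalTestServlet HTTP/1.1" 200 312 "-" "curl/7.47.0"
10.0.0.7 - - [10/May/2016:14:03:16 +0000] "POST /webapp/servlet/com.example.InternalTestServlet HTTP/1.1" 200 88 "-" "curl/7.47.0"
10.0.0.9 - - [10/May/2016:14:04:01 +0000] "GET /webapp/servlet/com.example.InternalTestServlet HTTP/1.1" 403 0 "-" "curl/7.47.0"
10.0.0.5 - - [10/May/2016:14:05:40 +0000] "GET /webapp/static/servlet-info.html HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

# Combined log format: client, ident, authenticated user, timestamp, request line, status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Assumed invoker convention: /<context>/servlet/<target>, where <target> is a
# servlet name or a fully qualified class name. Matching is case-sensitive, as
# servlet paths are.
INVOKER_RE = re.compile(r'^/(?P<context>[^/]+)/servlet/(?P<target>[^/?]+)')


def parse_line(line: str) -> Optional[Dict]:
    """Parse one combined-format log line; return None for lines that do not fit."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def find_invoker_requests(log_text: str) -> List[Dict]:
    """Return every request whose path goes through an invoker-style /servlet/ segment."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        hit = INVOKER_RE.match(entry["path"])
        if not hit:
            continue
        findings.append({
            "ip": entry["ip"],
            "method": entry["method"],
            "path": entry["path"],
            "status": entry["status"],
            "context": hit.group("context"),
            "target": hit.group("target"),
            # A 2xx/3xx answer means the servlet actually handled the request;
            # a 4xx means the server refused it, which is the expected outcome
            # once the invoker is disabled.
            "served": entry["status"] < 400,
            # "-" in the user field means no web-server-level authentication.
            "anonymous": entry["user"] == "-",
        })
    return findings


def summarize(findings: List[Dict]) -> Dict[str, Dict[str, int]]:
    """Count invoker requests, and how many were served, per source address."""
    by_ip: Dict[str, Dict[str, int]] = {}
    for f in findings:
        stats = by_ip.setdefault(f["ip"], {"requests": 0, "served": 0})
        stats["requests"] += 1
        if f["served"]:
            stats["served"] += 1
    return by_ip


if __name__ == "__main__":
    hits = find_invoker_requests(SAMPLE_LOG)
    for f in hits:
        state = "SERVED" if f["served"] else "refused"
        print(f'{f["ip"]} {f["method"]} {f["path"]} -> {f["status"]} ({state})')
    print(summarize(hits))
```

Any served request in the output deserves investigation: it shows that a servlet was invoked by name, bypassing the application's declared URL mappings, which is exactly the behavior that disabling the Invoker Servlet is meant to stop. Refused requests are still worth keeping as evidence that someone probed for the path. On a real system the invoker path layout may differ from the assumed convention, so `INVOKER_RE` should be adjusted to the deployment's actual servlet URL pattern before relying on the results.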