2014 SAP Security Advisories – A Year in Review and Future Trends
2014 has been an incredible year for SAP security. Advanced threats targeting SAP systems that run business-critical applications are rising at an alarming rate. This year alone there have been 391 security notes to date, with 46% ranking as 'high priority' vulnerabilities. Of these, our Research Labs reported 44 new vulnerabilities and 35 advisories affecting SAP platforms and related products such as SAP HANA, BusinessObjects, and SAP Business Suite running CRM and ERP. The two latest security advisories from our Research Labs (fixed by SAP Notes 2039905 and 1979454) describe high-risk issues through which unauthorized users could gain access to business-critical applications built on SAP BusinessObjects and SAP BASIS. This is a clear reminder that key systems are constantly vulnerable to attack, and it shows the importance of having a proactive plan in place before an attack occurs.
Looking back on 2014, some of the most critical vulnerabilities to make headlines, and which also affected SAP platforms, included Heartbleed (CVE-2014-0160, Note 2003582), Shellshock (CVE-2014-6271, Note 2072994) and POODLE (CVE-2014-3566, Note 2086818), as well as pieces of malware such as Zombie Zero. The last of these was a three-stage attack that compromised ERP systems by downloading malware to create a bridge between the ERP system and the attackers' command-and-control (C&C) infrastructure. Before this, 2013 was the first year in which we saw malware that explicitly targeted SAP systems, such as the Win32/Gamker trojan, which included basic reconnaissance of SAPGUI clients.

The security industry has never been more complex. As we enter the upcoming year, more and more organizations are putting strategies in place to either start or continue migrating to the cloud. In 2015 there is no doubt that attackers will pursue vulnerabilities in key platforms such as SAP HANA. With SAP HANA positioned at the center of the SAP ecosystem, data stored in SAP platforms must now be protected both in the cloud and on end-user devices.

To talk about these trends in more detail, I, along with my colleague Juan Perez-Etchegoyen, CTO of Onapsis, will be hosting a webinar on Thursday, December 18th, at 1:00 P.M. EST. We will cover which vulnerabilities made major headlines in 2014, which high-risk vulnerabilities went under the radar, and best practices for securing SAP landscapes in the upcoming year. You can register here. Also, if you aren't already doing so, be sure to follow @Onapsis on Twitter to stay up to date on the latest research, events, and information.