When Old Vulnerabilities Rise to Critical
Some of you may be familiar with the traditional wedding rhyme of what a bride should wear for luck on her wedding day…something old, something new, etc. As a way to call attention to old vulnerabilities, why they are never truly “old,” and to wish you luck, I punned it this way. Even though it doesn’t quite rhyme, you’ll get the point:
- Something Old: vulnerabilities and misconfigurations
- Something New: publicly available exploits
- Something Borrowed: time
- Something Blue: you, when you are exploited
The fact is that all systems have vulnerabilities, which include glitches, flaws or weaknesses. We all know and understand this. How you choose to address these vulnerabilities and the associated risk will determine how they impact the security of your systems now and into the future.
One of the biggest challenges you face is keeping up with all the system updates and patches that vendors release on a regular basis. Adding to this challenge is that some of your systems, like ERP, can be quite large, complex and customized. This can make applying patches and updates even more difficult when downtime is not an option and maintenance windows are limited.
Your ERP systems, such as SAP and Oracle E-Business Suite (EBS), are incredibly vital to your business and support many of your organization’s most business-critical applications. Each ERP system vendor releases its patches and updates on a regular schedule to address identified issues and vulnerabilities.
- SAP Security Notes are released on the second Tuesday of every month
- Oracle Critical Patch Updates (CPUs) are released on the second Tuesday of the first month of each quarter
Ultimately, it is then your responsibility to keep your systems updated and patched, and decisions often need to be made – weighing the risk versus the impact to the business. As an example, if the vulnerability risk is low (no known exploits), but the business impact of applying the patch is high (e.g. significant resources required, massive system reconfiguration, extended downtime), you may choose to accept the risk and not apply the patch. This decision may make perfect sense today, but what happens down the road when an exploit becomes public, targeting the vulnerability you accepted the risk for? You guessed it…it’s now at a high-risk level and immediate remediation will be required.
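As an added illustration (not code from the original post or from Onapsis), the following Python puts the release cadence listed above and the risk-acceptance decision just described into a small checker: it computes the next SAP Security Notes and Oracle CPU dates from the "second Tuesday" rule as stated here, and re-rates accepted-risk findings to critical the moment an exploit for them becomes public. The note ids and the risk register are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import date, timedelta

def second_tuesday(year: int, month: int) -> date:
    """Second Tuesday of the month (date.weekday() == 1 is Tuesday)."""
    first = date(year, month, 1)
    return first + timedelta(days=(1 - first.weekday()) % 7 + 7)
def next_sap_notes(today: date) -> date:
    """Next SAP Security Notes day: second Tuesday of every month."""
    d = second_tuesday(today.year, today.month)
    if d > today:
        return d
    y, m = (today.year + 1, 1) if today.month == 12 else (today.year, today.month + 1)
    return second_tuesday(y, m)
def next_oracle_cpu(today: date) -> date:
    """Next Oracle CPU day: second Tuesday of the first month of each quarter."""
    return min(second_tuesday(y, m) for y in (today.year, today.year + 1)
               for m in (1, 4, 7, 10) if second_tuesday(y, m) > today)
def next_releases(today_iso: str) -> dict:
    """Both upcoming vendor release dates, as ISO strings, for a given day."""
    today = date.fromisoformat(today_iso)
    return {"sap": next_sap_notes(today).isoformat(),
            "oracle": next_oracle_cpu(today).isoformat()}

@dataclass
class Finding:
    note_id: str          # vendor note id (constructed placeholders below)
    base_risk: str        # risk rated at triage time: low / medium / high
    risk_accepted: bool   # business chose not to patch for now
    public_exploit: bool = False
def effective_risk(f: Finding) -> str:
    """A public exploit overrides the originally rated risk level."""
    return "critical" if f.public_exploit else f.base_risk
def reassess(findings, newly_public_exploits):
    """Return accepted-risk findings that a newly public exploit made critical."""
    must_remediate = []
    for f in findings:
        if f.note_id in newly_public_exploits:
            f.public_exploit = True
        if f.risk_accepted and effective_risk(f) == "critical":
            must_remediate.append(f.note_id)
    return must_remediate
# Constructed sample register (placeholder ids, not real SAP note numbers).
REGISTER = [Finding("NOTE-PLACEHOLDER-1", "low", True),
            Finding("NOTE-PLACEHOLDER-2", "medium", False),
            Finding("NOTE-PLACEHOLDER-3", "low", True)]
```

Running `reassess(REGISTER, {"NOTE-PLACEHOLDER-1"})` returns the one accepted-risk item that must now be re-opened, while the finding that was never risk-accepted stays on its normal patch track.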
This is the exact scenario that was highlighted with the public release of the 10KBLAZE exploits. The targeted vulnerabilities were user misconfigurations in SAP applications that SAP addressed with three separate Security Notes over a 10-year period. So why were an estimated 90% of SAP customers using these applications still potentially affected? Many SAP customers chose to accept the risk because it was low at the time and the effort to apply the fixes was high. So, while the potential impact to the business was always there, the public availability of these exploits exponentially increased the potential for an attack. Now, the original low risk level of this old vulnerability is hitting nuclear levels of criticality.
What’s the moral of the story? You need to be diligent about applying SAP Security Notes and Oracle CPUs. These vendors are trying to keep you protected. And, while it may be OK to accept risk for certain vulnerabilities for a period of time, you cannot forget about them. As the 10KBLAZE exploits showed, old vulnerabilities can become critical with little to no notice. Additionally, using a solution like the Onapsis Security Platform that continually monitors and assesses your ERP systems will help you better manage vulnerabilities and show you exactly which patches are installed or missing. Join us at the Gartner Security and Risk Management conference in June: stop by our booth and learn more!