As part of our commitment to protect our customers’ business-critical applications and key business data, the Onapsis Research Labs continuously analyzes threats and attack vectors affecting SAP and Oracle applications. The Onapsis team also works closely with our customers to identify key trends affecting the security of these applications and what can be done to secure them. As a result of these efforts the Onapsis Research Labs has identified a critical security configuration issue that if exploited, could affect all SAP implementations including S/4 HANA. The vulnerability, mainly driven by a security configuration documented by SAP originally in 2005, is still present in the majority of SAP implementations, either from neglecting to apply security configurations or due to configuration drifts after the configuration was secured. While the patch has been available to SAP customers for quite some time, we understand the complexities organizations face when implementing secure configurations. The following document serves to educate SAP customers on the business impact of leaving this insecurely configured and steps to take to ensure this is no longer a threat.
Request a Free Scan
To help SAP customers determine if their landscape is vulnerable to this critical insecure configuration, Onapsis is offering a free, one-time assessment. This assessment will identify any critical configuration issues and enable you to build a plan to ensure these vulnerabilities are secure.
Frequently Asked Questions about this critical security configuration issue
Q1: How critical is this vulnerability?
A1: SAP Netweaver installations, if not properly secured, could be compromised by a remote unauthenticated attacker having only network access to the system. Attackers can obtain unrestricted access to SAP systems, enabling them to compromise the platform along with all of its information, modify or extract this information or shut the system down. It affects all SAP Netweaver versions and still exists within the default security settings on every Netweaver-based SAP product such as the SAP ERP, including the latest versions such as S/4HANA.
Q2: What systems are exposed?
A2: Netweaver-based SAP products, such as the SAP ERP, including the latest versions such as S/4HANA.
Q3: Where can I find the patches released by SAP?
A3: Organizations can protect themselves by applying the below SAP Security Notes which contains mitigation steps for this vulnerability (requires SAP login):
Q4: What data and processes can be compromised if this vulnerability is exploited?
A4: Attackers can obtain unrestricted access to SAP systems, enabling them to compromise the platform along with all of its information, modify or extract this information or shut the system down.
Q5: Why is the Onapsis Research Labs bringing this public now?
A5: After analyzing hundreds of real SAP customer implementations during 2017, Onapsis found that around 90% of the SAP systems were vulnerable before the Onapsis Business Risk Assessment or Onapsis Security Platform implementation. The Onapsis team believes that this is significant enough to bring public awareness to the issue to notify SAP customers of this hidden threat that might exist in their networks.
Q6: Have these vulnerabilities been compromised in any SAP customers?
A6: We have no evidence of these vulnerabilities being exploited in the wild to date, but based on our field experience with customers, partners and prospects we can confirm that 90% of SAP implementations we come across are, in fact, vulnerable to this.
Q7: Is there a way to detect if my organization has been compromised through these attacks?
A7: The Onapsis Security Platform is able to detect and prevent active exploitation of these vulnerabilities in SAP systems. If you are concerned that these vulnerabilities may have been targeted in your environment, please contact Onapsis for more details.
About Onapsis’s SAP cybersecurity expertise
Q8: How many vulnerabilities in SAP HANA has the Onapsis Research Labs helped SAP fix to date?
A8: As the leading SAP partner in cybersecurity, Onapsis has reported and helped secure over 100 security vulnerabilities to SAP for SAP HANA. This accounts for around 70% of the total SAP HANA security patches released to date.
Q9: How does the Onapsis Research Labs work with SAP?
A9: When the Onapsis Research Labs identifies a potential weakness, we immediately notify SAP so they can begin fixing the vulnerability. The Onapsis Research Labs provides all necessary information to the vendor in order to confirm they have what they need to produce the patch.
Q10: Are Onapsis customers protected from these vulnerabilities?
A10: Yes, Onapsis customers have received early notification about these vulnerabilities since January, after reporting the vulnerabilities to SAP. Furthermore, our Research Labs developed an Advanced Threat Protection (ATP) solution for these vulnerabilities in our product, the Onapsis Security Platform, so they could be protected while the patches were being developed and they could implement them on their systems.
Contact Onapsis for more information regarding this threat report and other ways Onapsis helps secure your business-critical applications.