Beware the Silent Threat of Insecure Configurations to Your SAP Systems
Your security team has spent countless hours applying patches and configuring your SAP systems to mitigate the many risks associated with these business-critical applications; yet your systems may still be at critical risk. Whether because not all security configurations were applied, or because previously secured systems have drifted into an insecure state without anyone intending it, it is important to continuously monitor your SAP applications.
Onapsis recently revealed a critical SAP configuration vulnerability, resulting from SAP systems not being properly installed, which, if left insecure, could lead to a full system compromise in unprotected environments. What does this mean for your SAP security? Basically, the insecure configuration, found in SAP Netweaver, the foundation of all SAP deployments, can be exploited by a remote unauthenticated attacker with network access to the system. Attackers can then obtain unrestricted access to SAP systems, enabling them to compromise the platform along with all of its information, modify or extract this information, or shut the system down. This risk, originally documented by SAP in 2005, exists when customers do not properly configure this setting, and can be present on every Netweaver-based SAP product, including the latest cloud versions and the next-generation digital business suite S/4HANA.
We are offering a free one-time scan for SAP customers to determine if your system is at risk.
Although you may be thinking, “We already secured this issue so we’re all set, thanks,” Onapsis has analyzed hundreds of real SAP customer implementations and found that 9 out of 10 SAP systems were vulnerable.
Once a configuration is secured, it is almost impossible to ensure that another team does not unintentionally reset it to an insecure setting when adding, migrating or upgrading a system. Due to the complexity and interconnectedness of SAP landscapes, any change made may contribute to what is known as configuration drift.
Although taking a system offline to implement a secure configuration can be very disruptive to an organization, it is still critical to make the time to implement it. These changes must be planned and timed to have the lowest possible impact on your organization.
The Onapsis Research Labs has written a threat report to enable SAP customers to understand the risk and business impact of leaving this configuration insecure. The report outlines steps an organization can take to configure this setting securely and ensure that it remains secure.
The Onapsis Research Labs will also present these findings and key next steps during our free 60-minute webcast, where you can learn about the risk to your organization and how to reduce your company’s exposure.