A man cycles past the SAP logo at its offices in the CityWest complex, Dublin (Reuters)

The US government has issued an urgent alert after a security firm uncovered evidence that 36 major organisations across the globe have been breached using a vulnerability in older SAP business applications that can give hackers "complete control" of crucial computer systems.

The bug, first patched over five years ago, has been used for the past three years to gain unauthorised access to major firms across a range of industries, including telecoms, utilities, retail, automotive, oil and gas and steel manufacturing, according to research by Boston-based security firm Onapsis. The affected enterprises are located in the US, the UK, Germany, China, India, Japan and South Korea, but the report did not name them.

In its research report on the issue, Onapsis said the core vulnerability being exploited lies in the Java-based 'Invoker Servlet', a component that lets a remote client invoke server-side applications without authenticating. According to Onapsis, it is still being exploited to reach sensitive data, and the blame lies with "insecure configurations and custom applications" on the part of firms using the software rather than with SAP.

'Tip of the iceberg'

Worryingly, information about the flaw circulated for some time and only came to light after it was found on an online forum registered in China. "Public information about these exploitations had been sitting in the public domain for several years," Onapsis said, noting that the data surfaced in 2013.

"We don't have reasons to correlate this activity with a nation-state sponsored campaign or a co-ordinated group effort," the report added. "However, we know for a fact that this is just the tip of the iceberg." According to Reuters, the targets were both prominent Chinese domestic companies and foreign joint ventures, including more than a dozen with annual turnover of at least $10bn (£6.9bn).

At least 18 Java-based SAP software systems are said to be affected by the security flaw. These include SAP Business Intelligence (BI), SAP Customer Relationship Management (CRM), SAP Enterprise Resource Planning (ERP) and SAP Supply Chain Management (SCM). For many firms, these systems are the backbone of their entire operation.

If successfully exploited, researchers said the results would be catastrophic. "The exploitation of this vulnerability gives remote unauthenticated attackers full access to the affected SAP platforms," Onapsis warned. "[It provides] complete control of the business information and processes run by them, as well as potentially further access to connected SAP and non-SAP systems. In order to exploit this vulnerability, an attacker only needs a web browser and the domain/hostname/IP address of the target SAP system."

Mariano Nunez, chief executive of Onapsis, told Reuters: "This is not a new vulnerability. Still, most SAP customers are unaware that this is going on." Indeed, SAP said it first fixed the security flaw back in 2010 when it disabled the Invoker Servlet by default. "All SAP applications released since then are free of this vulnerability," the company said in a statement.

In any case, problems clearly remain for firms running outdated or unpatched software and, since the 2010 fix only disabled the Invoker Servlet by default, for any system where an insecure configuration or custom application has turned it back on. As Reuters noted, many high-profile SAP customers are known to rely on older versions that are embedded in established business processes.

In response to the Onapsis findings, the US Department of Homeland Security (DHS) released an alert about "outdated or misconfigured" SAP systems. "At least 36 organisations worldwide are affected by an SAP vulnerability," it said. "Security researchers from Onapsis discovered indicators of exploitation against these organisations' SAP business applications. SAP systems running outdated or misconfigured software are exposed to increased risks of malicious attacks."

The DHS said firms using the affected SAP software should scan all systems for known vulnerabilities, such as missing security patches and dangerous configurations, and should keep monitoring them for suspicious user behaviour by both privileged and non-privileged users.
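The two checks the DHS recommends map directly onto what the article describes: the Invoker Servlet exposes servlets by class name under a `/servlet/` URL path, so a dotted Java class name in that position in a web access log is the signature of someone invoking code by name, and the service setting that turns the servlet on is a configuration check. The script below is an added example, not code from Onapsis, SAP or the DHS alert. The log lines, IP addresses and `com.example.*` class names are constructed; the property name `EnableInvokerServletGlobally` is taken from SAP's own guidance for disabling the Invoker Servlet but is an assumption to verify against the note for your release. The log heuristic is deliberately broad (any dotted name after `/servlet/`), so tune it against your own application's URL space.

```python
"""Flag Invoker Servlet style requests in web access logs and check the
AS Java setting that exposes it.  Added example, not code from Onapsis,
SAP or the DHS alert; the log lines and property dumps are constructed."""
import re
from dataclasses import dataclass
from typing import List, Optional

# NCSA combined log format; the constructed sample below follows it.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# The Invoker Servlet maps /servlet/<fully.qualified.ClassName> to a servlet
# class loaded by name; a dotted Java class name after /servlet/ is the tell.
INVOKER_RE = re.compile(
    r'/servlet/(?P<cls>[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)+)(?=/|$)'
)

# Constructed sample traffic (RFC 5737 test addresses, hypothetical class names).
SAMPLE_LOG = """\
203.0.113.7 - - [12/May/2016:09:14:02 +0000] "GET /irj/portal HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/May/2016:09:14:09 +0000] "GET /custom/servlet/com.example.admin.UserAdminServlet?action=create HTTP/1.1" 200 812 "-" "curl/7.47.0"
198.51.100.4 - - [12/May/2016:09:15:30 +0000] "POST /custom/servlet/com.example.Missing HTTP/1.1" 404 0 "-" "python-requests/2.9"
198.51.100.4 - - [12/May/2016:09:16:01 +0000] "GET /custom/servlet/images/logo.png HTTP/1.1" 200 3301 "-" "Mozilla/5.0"
"""

# Constructed servlet_jsp property dumps: the weak setting and the fixed one.
WEAK_PROPS = "# servlet_jsp service (constructed)\nEnableInvokerServletGlobally=true\n"
HARDENED_PROPS = "# servlet_jsp service (constructed)\nEnableInvokerServletGlobally=false\n"


@dataclass
class Finding:
    ip: str
    timestamp: str
    path: str
    servlet_class: str
    status: int
    severity: str


def classify(status: int) -> str:
    # A 2xx means the container resolved the class and ran it, so treat it
    # as a likely success; anything else is still a probe worth recording.
    return "likely-success" if 200 <= status < 300 else "probe"


def scan_access_log(text: str) -> List[Finding]:
    """Return one Finding per request whose path invokes a servlet by class name."""
    findings: List[Finding] = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                                   # not NCSA format; skip
        path = m.group("path").split("?", 1)[0]        # drop the query string
        hit = INVOKER_RE.search(path)
        if not hit:
            continue
        status = int(m.group("status"))
        findings.append(Finding(m.group("ip"), m.group("ts"), path,
                                hit.group("cls"), status, classify(status)))
    return findings


def invoker_servlet_enabled(properties: str) -> Optional[bool]:
    """Parse a key=value dump of the servlet_jsp service and report whether
    EnableInvokerServletGlobally is on (None if the key is absent).  The
    property name is assumed from SAP's guidance; verify it for your release."""
    for raw in properties.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        if key.strip() == "EnableInvokerServletGlobally":
            return value.strip().lower() == "true"
    return None


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f.severity:15} {f.ip:15} {f.timestamp}  {f.servlet_class}  HTTP {f.status}")
    for label, props in (("weak", WEAK_PROPS), ("hardened", HARDENED_PROPS)):
        print(f"{label}: Invoker Servlet enabled = {invoker_servlet_enabled(props)}")
```

The query string is stripped before matching because the class name sits in the path and the parameters after it are the attacker's business logic, not the indicator. Treating only 2xx responses as likely successes separates a scanner guessing class names (the 404 line) from a request the container actually dispatched, which is the one to investigate first.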