The U.S. Department of Homeland Security Computer Emergency Readiness Team (US-CERT) recently issued an alert to the public about a vulnerability in old software developed by SAP SE that cyberattackers are using to infiltrate companies’ systems.
According to the alert, “SAP systems running outdated or misconfigured software are exposed to increased risks of malicious attacks.” The vulnerability affects SAP's Java-based platforms. SAP has stated that the vulnerable component, the Invoker Servlet, was disabled in 2010 and that updated releases of the software do not contain the vulnerability. Although SAP issued a security advisory about the vulnerability (#1445998) in 2010, a recent report by a security firm indicated that it had found evidence that this old vulnerability has recently been used by cyberattackers in attempts to gain access to systems at approximately three dozen companies across all industries.
If the exploit succeeds, the cyberattacker is able to execute arbitrary operating system commands and create SAP administration users from a Web browser without needing a valid SAP user ID and password. In effect, this lets attackers give themselves free access to the system by creating their own user ID and password. According to the alert, “Exploitation of the Invoker Servlet vulnerability gives unauthenticated remote attackers full access to affected SAP platforms, providing complete control of the business information and processes on these systems, as well as potential access to other systems.”
The bottom line is that when software companies such as SAP provide patches for security vulnerabilities, it is important to follow the company's instructions and apply the recommended security configurations so that the system is protected against the known vulnerability.
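Checking that the fix is actually in place is what matters, so here is an added example (not from the original article, US-CERT, or SAP) that audits exported server settings for the Invoker Servlet switch. It assumes an administrator has exported each instance's servlet_jsp service properties as plain key=value text and that the property SAP Security Note 1445998 tells you to turn off is named EnableInvokerServletGlobally; a missing property is reported as unverified rather than assumed safe.

```python
# Added example (not from the original article or from SAP): audit exported
# servlet_jsp service properties for the Invoker Servlet setting that SAP
# Security Note 1445998 tells administrators to switch off.
# Assumptions: properties were exported as key=value lines; the property name
# EnableInvokerServletGlobally is the one the SAP note refers to; a missing
# key is reported as "unverified" (confirm on the system), never as safe.
import re

PROPERTY = "EnableInvokerServletGlobally"

# Constructed sample exports, one per instance, as a reviewer might collect them.
SAMPLE_EXPORTS = {
    "erp-prod-01": "# servlet_jsp service\nEnableInvokerServletGlobally = false\nSessionTimeout=30\n",
    "erp-dev-02": "EnableInvokerServletGlobally=TRUE\n",
    "bw-qa-03": "# export incomplete\nSessionTimeout=30\n",
}


def parse_properties(text):
    """Parse key=value (or key: value) lines; ignore blank lines and # / ! comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def invoker_servlet_status(text):
    """Return 'disabled', 'ENABLED' or 'unverified' for one exported property list."""
    value = parse_properties(text).get(PROPERTY)
    if value is None:
        return "unverified"  # do not guess a default; check the instance directly
    return "disabled" if value.lower() == "false" else "ENABLED"


def audit(exports):
    """Map each instance name to its status; anything not 'disabled' needs follow-up."""
    return {name: invoker_servlet_status(text) for name, text in exports.items()}


if __name__ == "__main__":
    for name, status in sorted(audit(SAMPLE_EXPORTS).items()):
        print(f"{name}: {status}")
```

Any instance reported as ENABLED or unverified should be checked against the SAP note and the US-CERT alert before it is considered patched.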
Heed US-CERT’s warning and check with your IT folks now to confirm that the SAP patch has been implemented.