Tuesday, February 18, 2025
90% of SAP Systems Vulnerable to 13-year-old Critical Security Configuration Risk


A critical security misconfiguration affects up to 90% of SAP NetWeaver installations that are left in their default configuration. It allows attackers to compromise the entire system without needing valid SAP credentials.

SAP NetWeaver underpins many business-critical processes such as payroll, sales, invoicing and manufacturing.

A remote, unauthenticated attacker can compromise an SAP NetWeaver installation left in its default configuration simply by having network access to the system.

Onapsis Research Labs reported the flaw. According to their report, “Attackers can obtain unrestricted access to SAP systems, enabling them to compromise the platform along with all of its information, modify or extract this information or shut the system down.”

The issue affects up to 90% of companies, spans all SAP NetWeaver versions, and is still present in the default security settings.

Since 2012, with SAP NetWeaver Application Server ABAP 7.31, the SAP Gateway access control lists have been delivered secure by default, but the other SAP services that use the same ACL are not secure by default.

The SAP Message Server also implements an ACL that determines which IP addresses may register an application server and which may not. This access control list is governed by the parameter “ms/acl_info”.

If the parameter “ms/acl_info” is left at its default and the access control list remains open, any host with network access to the SAP Message Server can register an application server in the SAP system.

“If the SAP System lacks a secure Message Server ACL configuration, an attacker can exploit this misconfiguration and register a fake Application Server in the SAP system. An attacker only needs to be able to “speak” the message server protocol to register a fake Application Server,” reads the Onapsis Research report.

By registering a fake application server, attackers can compromise the entire system and launch man-in-the-middle attacks to sniff user credentials.

Onapsis found, after analyzing multiple SAP customer implementations, that most of them lack the proper protections: 9 out of 10 SAP systems are vulnerable to this attack. The researchers provided mitigation steps for properly configuring the SAP Message Server access control list.
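As an added example (not code from the article, Onapsis or SAP), the following Python audits an instance's "ms/acl_info" setting and the ACL file it points to, flagging a missing parameter, an empty list, or match-all entries that let any host register an application server. The one-`HOST=<pattern>`-per-line file format, the `audit`/`host_allowed` helpers and the sample entries are assumptions constructed for this example.

```python
import fnmatch
import re

# Constructed sample ms/acl_info file contents (not from the article or Onapsis).
# Assumed format: one "HOST=<host or IP, '*' wildcards allowed>" entry per line.
ACL_OPEN = """\
# constructed: fully permissive list, equivalent to no restriction at all
HOST=*
"""
ACL_TIGHT = """\
# constructed: only the application-server subnet and the local host
HOST=10.20.30.*
HOST=localhost
HOST=127.0.0.1
"""

def parse_acl(text):
    """Return the HOST patterns in an ACL file, skipping comments and blanks."""
    patterns = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = re.match(r"HOST\s*=\s*(\S+)", line, re.IGNORECASE)
        if match:
            patterns.append(match.group(1))
    return patterns

def host_allowed(host, patterns):
    """Would a host with this name or IP be allowed to register an app server?"""
    return any(fnmatch.fnmatchcase(host, p) for p in patterns)

def audit(profile, acl_text=""):
    """profile: dict of instance-profile parameters; acl_text: the file that
    ms/acl_info points to. Returns findings; an empty list means the ACL is
    present and restrictive."""
    findings = []
    path = profile.get("ms/acl_info")
    if not path:
        findings.append("ms/acl_info not set: any host may register an application server")
        return findings
    patterns = parse_acl(acl_text)
    if not patterns:
        findings.append(f"{path}: no HOST entries found")
    for pattern in patterns:
        # An entry built only from '*' and '.' (e.g. '*' or '*.*.*.*') matches every host.
        if set(pattern) <= {"*", "."}:
            findings.append(f"{path}: match-all entry HOST={pattern}")
    return findings
```

Run `audit` against each instance profile in the landscape and treat any non-empty result as the misconfiguration the report describes.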

Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
