
Panic rises as US Homeland Security warns about cyber attacks on SAP Business Applications


Johannesburg, 18 May 2016

Over the last two years, DeltaGRiC Consulting, the only consultancy within the SAP Africa ecosystem operating out of Johannesburg and Lagos (and, by proxy, Kenya), has been warning African businesses running on SAP Business Applications about why they should take SAP cyber security seriously and take proactive measures to protect their SAP landscape.

It is pertinent to take a deeper dive and look beyond segregation of duties, access control, roles and authorisations in SAP systems as the ultimate solution to the complex SAP security equation.

Just last week, on 11 May 2016, the US Homeland Security alert TA16-132A warned that hackers are exploiting a security vulnerability in SAP business software. The problem dates back five years, yet it is still found uncorrected in many SAP systems today.

While this vulnerability was discovered in 2011 by Alexander Polyakov and Dmitry Chastukhin, who went on to publish a public paper on it, it is estimated that well over 533 SAP implementations in the US, China and Germany that use applications built on the SAP Java platform, including but not limited to SAP Enterprise Resource Planning, SAP Product Lifecycle Management, SAP Customer Relationship Management, SAP Supply Chain Management, SAP Business Intelligence and many more SAP applications, have been shown to still be affected by this SAP Invoker Servlet vulnerability.

In fact, the number of companies in Africa running SAP as a mission-critical application that are affected by the SAP Invoker Servlet flaw could well be greater.

To learn what the SAP Invoker Servlet is, see here:

Why should organisations running on SAP care about this alert?

It is important to note that an attacker needs only a browser and the domain, hostname and IP address of the targeted SAP instance to perform this attack, regardless of whether the SAP instance or landscape runs in a private, public or hybrid cloud environment.

With public repositories that host SAP exploits, and step-by-step guides on how to perform the hacks, accessible for a token fee, an attacker could easily take advantage of such knowledge hubs to mount dangerous attacks on the very porous African businesses running SAP.

How can I check if I have this problem and how can I address it?

To solve this problem manually, partner expert Alexander Polyakov explains:

"You may choose to urgently patch your SAP landscape; however, to make matters even worse, the vulnerability is not easy to patch either. First, it is necessary to analyse if an Invoker Servlet is enabled by default, then disable it and reboot the system. After that, you have to manually assess every Web service (and there are 500+ of them just in a default J2EE installation) and check if Invoker Servlet functionality is enabled or disabled. If enabled, the task was either to disable it or to manually analyse the configuration file, if it is exposed to any critical services which can be bypassed, and then to configure it properly. You may read more (here)."

How can DeltaGRiC Consulting help?

DeltaGRiC Consulting always stresses a DIY approach with SAP customers; after all, organisations have invested heavily in staffing resources and should get value from those investments at little additional cost.

Your SAP Basis team needs to implement SAP Notes 1445998 and 1467771. It is, however, very important that these notes are applied correctly.

Beyond this attack vulnerability focusing on the SAP Invoker Servlet, we must be cognisant of the fact that closing one window of attack is good, but SAP-run businesses must strive to reduce all windows of attack to almost zero. Having said that, organisations running SAP need to be aware that even after they have applied the SAP notes and disabled the SAP Invoker Servlet, there is still an 80%-95% chance that it will be re-enabled by one of your developers or administrators, possibly for honest reasons such as wanting to develop a quick application or solve some challenge within your SAP landscape. Hence, DeltaGRiC Consulting advises that you take a deeper dive into customisations, custom source code (Z programs) and authorisations for all users.
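As an added illustration of the "assess every Web service" step quoted above and of the re-enablement risk just described, here is a small Python audit helper (not DeltaGRiC's or SAP's code) that scans a deployment descriptor for Invoker Servlet mappings and reads the global switch from a properties dump. The `/servlet/` path heuristic, the `EnableInvokerServletGlobally` property name (the switch SAP Note 1445998 refers to) and the key=value dump format are assumptions to verify against the note for your release; the sample descriptor is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.xml (not taken from any real SAP application): a
# developer has re-enabled the invoker servlet on the generic /servlet/* path.
SAMPLE_WEB_XML = """<web-app>
  <servlet-mapping>
    <servlet-name>ReportServlet</servlet-name>
    <url-pattern>/report</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>invoker</servlet-name>
    <url-pattern>/servlet/*</url-pattern>
  </servlet-mapping>
</web-app>"""

def _local(tag):
    # Strip any XML namespace so namespaced and DTD-based descriptors both work.
    return tag.rsplit("}", 1)[-1]

def find_invoker_mappings(web_xml_text):
    """Return (servlet-name, url-pattern) pairs that expose the Invoker Servlet.
    Heuristic (assumption): a mapping named 'invoker', or any url-pattern under
    the /servlet/ prefix that the Invoker Servlet answers on."""
    root = ET.fromstring(web_xml_text)
    findings = []
    for elem in root.iter():
        if _local(elem.tag) != "servlet-mapping":
            continue
        name = pattern = ""
        for child in elem:
            if _local(child.tag) == "servlet-name":
                name = (child.text or "").strip()
            elif _local(child.tag) == "url-pattern":
                pattern = (child.text or "").strip()
        if name.lower() == "invoker" or pattern.startswith("/servlet/"):
            findings.append((name, pattern))
    return findings

def invoker_enabled_globally(properties_text):
    """Read a key=value dump of the servlet_jsp service properties (assumed
    format). Returns True/False for EnableInvokerServletGlobally, or None when
    the property is absent, which means 'check the release default by hand'."""
    for line in properties_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "EnableInvokerServletGlobally":
            return value.strip().lower() == "true"
    return None
```

Run `find_invoker_mappings` over every deployed application's web.xml after each transport, so a quietly re-enabled mapping shows up before an attacker finds it.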

To find out if your SAP landscape is at risk of cyber attack, contact DeltaGRiC Consulting on +27 11 083 9828 or send an e-mail to info@deltagricconsulting.com for an SAP vulnerability assessment.


Editorial contacts

Tunde Ogunkoya
DeltaGRiC Consulting
(+27) 60 658 7180
tunde@deltagricconsulting.com