How can a 13-year-old configuration flaw affect SAP systems?

Cybersecurity vendor Onapsis found a 13-year-old flaw that affects nine out of 10 SAP NetWeaver systems. Learn how the flaw affects SAP systems with expert Judith Myerson.


A 13-year-old SAP configuration flaw in SAP NetWeaver systems was discovered by cybersecurity vendor Onapsis. What does the configuration flaw affect and how can it be fixed?

According to a recent report from Onapsis Inc., a cybersecurity company based in Boston and specializing in monitoring and protecting SAP and Oracle business applications, a configuration flaw that was first reported to SAP by Onapsis CEO Mariano Nunez in 2005 is still leaving as many as nine out of 10 SAP systems vulnerable to compromise.

The configuration flaw affects SAP NetWeaver — the foundation for many SAP applications deployed from worldwide locations. Targeted applications include supplier relationship management, product lifecycle management, enterprise resource planning, transportation management and SAP’s next-generation digital business suite S/4HANA.

The original vulnerability enabled unauthenticated users to exploit unprotected remote function call gateways to bypass SAP security controls, potentially taking full remote control over SAP systems. While SAP addressed the configuration vulnerability by securely delivering access control lists, Onapsis reported earlier this year that security for some SAP services — like SAP Message Services — may still be vulnerable to remote attacks.

The flaw can be traced to the lack of secure Message Server access control list configurations on SAP systems; in particular, the profile network interface parameter ms/acl_info. An attacker can register a fake Application Server in the message server file with default access authorization to hostnames, domains and IP addresses. Port 3900 is the default for the Internal Message server port.

SAP systems administrators can fix this vulnerability by setting the profile parameter rdisp/msserv_internal = <value>. In the default configuration this parameter is zero, which means that no separate port is used for internal communication with application servers.

Once the parameter is set, the message server opens a second port in addition to its own port, sapms<SID> (rdisp/msserv), and that second port is used for internal communication with the application servers. Application servers must then log on through this internal port; an application server that attempts to log on through the external sapms<SID> port is denied access. All fixes should be tested to ensure they will not create new vulnerabilities in SAP systems.
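The hardening described in the answer above comes down to a few profile parameters, so a defender can audit for it mechanically. The following Python script is an added example, not code from Onapsis or SAP: it parses constructed instance-profile text, flags a zero rdisp/msserv_internal and a missing ms/acl_info, and, where an ACL file is supplied, flags a wildcard entry. The profile values, host names and the HOST=<pattern> line format of the ACL file are constructed samples and assumptions for illustration.

```python
"""Audit SAP instance-profile text for the message server hardening
discussed above. Added example; the profile contents, ACL file contents
and the HOST=<pattern> ACL line format are constructed/assumed."""
import re

# Constructed sample: a profile that still relies on the defaults.
WEAK_PROFILE = """\
SAPSYSTEMNAME = PRD
INSTANCE_NAME = DVEBMGS00
rdisp/msserv = sapmsPRD
rdisp/msserv_internal = 0
"""

# Constructed sample: internal port separated and an ACL file configured.
HARDENED_PROFILE = """\
SAPSYSTEMNAME = PRD
INSTANCE_NAME = DVEBMGS00
rdisp/msserv = sapmsPRD
rdisp/msserv_internal = 3900
ms/acl_info = /usr/sap/PRD/SYS/global/ms_acl_info
"""

# Constructed ACL file contents (HOST=<pattern> format is an assumption).
WIDE_OPEN_ACL = "HOST=*\n"
RESTRICTED_ACL = "HOST=appsrv01.corp.example\nHOST=appsrv02.corp.example\n"


def parse_profile(text):
    """Return {parameter: value} from 'key = value' lines; '#' starts a comment."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[key.strip()] = value.strip()
    return params


def audit_message_server(profile_text, acl_text=None):
    """Return a list of findings; an empty list means nothing was flagged."""
    params = parse_profile(profile_text)
    findings = []

    # Default 0: application servers log on through the external sapms<SID> port.
    if params.get("rdisp/msserv_internal", "0") == "0":
        findings.append("rdisp/msserv_internal is 0: no separate internal port")

    # Without ms/acl_info no message server ACL is enforced at all.
    if "ms/acl_info" not in params:
        findings.append("ms/acl_info not set: no message server ACL configured")
    elif acl_text is not None:
        # An ACL that admits every host is no better than no ACL.
        for line in acl_text.splitlines():
            match = re.match(r"\s*HOST\s*=\s*(\S+)", line)
            if match and match.group(1) == "*":
                findings.append("ms/acl_info allows any host (HOST=*)")
    return findings


if __name__ == "__main__":
    for label, profile, acl in (("weak", WEAK_PROFILE, None),
                                ("hardened/open ACL", HARDENED_PROFILE, WIDE_OPEN_ACL),
                                ("hardened", HARDENED_PROFILE, RESTRICTED_ACL)):
        print(label, audit_message_server(profile, acl) or "OK")
```

Run it against a real instance profile and the file that ms/acl_info points to, and treat any finding as a prompt to apply and then test the fix, as the answer above recommends.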

Ask the expert:
Want to ask Judith Myerson a question about security? Submit your question now via email. (All questions are anonymous.)
