SAP bug returns to cause mischief

After spending about two decades in the trenches I ran across all sorts of IT implementations. One of the ones that always caused me some heartburn was SAP. The running joke that I heard more than a few times was that when you purchase SAP you receive a large box. When you would open that box several hundred consultants would step out.

But, SAP is a tool that is very effective but, security is not always at the forefront. Today an advisory was released by the folks at Onapsis in conjunction with the US-CERT.

From Reuters:

SAP fixed the issue, but left the decision over whether to switch off an easy access setting up to its customers, who may sometimes place a higher priority on keeping their business-critical SAP systems running than on applying security updates.

The U.S. Department of Homeland Security’s Computer Emergency Response Team (US-CERT) issued an alert to the security industry on Wednesday advising SAP customers what they need to do to plug the holes. It is one of only three such security warnings the agency has issued so far this year.

So, what brought this issue from 2010 back into the news? I should highlight that this issue was patched but, customers were not obligated to enable the security.

From Onapsis:

While several threat reports disclose security incidents as the result of nation-state sponsored cyber campaigns, in this case, the reality (and what we believe makes this research even more interesting) is that these indicators had been silently sitting in the public domain for several years (at a digital forum registered in China). Therefore, we don’t have reasons to correlate this activity with a nation-state sponsored campaign or a coordinated group effort. However, we know for a fact that this is just the tip of the iceberg.

Affected customers have been contacted to notify them of the compromises in advance of the release to allow them a chance to mitigate the breaches. All told there were 36 companies involved from multiple verticals including utilities, telecom and manufacturing.

The root of the issue here is the old vulnerability. Sure there was a patch available but, properly configuring security was left to the devices of the customer companies. This shows that when a security issue if highlighted that the fix should be implemented correctly. We tend to have a great fascination over the zero day vulnerabilities when they hit the news but, this is a great example of an old vulnerability that has resurfaced years after a fix was made available.

One company that I used to do work for had a penetration test run which highlighted many security issues. But, try as I might I could not get the IT team to remedy the issues that were surfaced. After a second vulnerability assessment was run and the same problems were found, only then did senior management take things seriously.

Here’s a thought, when you have a pentest done for your organization, were the issues found mitigated? Or did you go blind with a blizzard of risk acceptance letters? Worse still, were issues found ignored? Using the SAP issue as an example, make a point to go back and review previous findings before you get a free pentest from the denizens of the Internet.